Freely subscribe to our NEWSLETTER

Vueling is currently part of IAG (International Airlines Group), a holding company with the participation of British Airways and Iberia. The company is listed on the Spanish IBEX 35.

Initial Problems

Vueling has multiple professional profiles of several partner companies located at its headquarters in El Prat de Llobregat (Barcelona). Since these companies use their own equipment, it was not possible to manage the security level specified in the security policies of Vueling, nor know which users were connected to the corporate network in real-time.
Necsia, the partner responsible for project implementation, carried out a comprehensive analysis of various Network Access Control solutions, including ForeScout. Each vendor’s solution was evaluated against several key criteria to determine an objective measurement adjusted to Vueling’s business needs.

Key criteria were:
• Technical requirements (low impact, ease of implementation, detection of devices connected to the network, integration with third-party technologies, etc.)
• Other functional requirements (guest provisioning through captive portals, quarantine non-compliant and/or non-corporate hosts, low cost, etc.)
“ForeScout obtained the highest score of all analysed solutions, best-addressing the evaluation criteria. In addition, ForeScout offers ease of use, the ability to enforce policies based on conditions and actions, and integration with the current infrastructure in Vueling because ForeScout is able ‘to speak’ with most solutions from security and networking manufacturers,” said Joan Corominas, IT Systems, Communications and Information Security Manager at Vueling.
Necsia, an IT consulting company with a presence in Madrid, Barcelona, Chile and the UK, together with INGECOM, an authorised ForeScout Value Added Distributor in Spain and Portugal, recommended ForeScout CounterACT™ and helped in the decision process, configuration and staff training.

Why ForeScout CounterACT?

With ForeScout, Vueling gained quick and robust access control of its corporate network, allowing the company to classify users who connect to the network, and to establish different security policies for access and compliance.
“Within a month, we had the minimum configuration required for access control to work properly with 1,000 IP addresses at a single location. Today, we continue evolving security policies with the different functionalities which CounterACT offers, since the requests for new policies are possible to implement due to its ease of use and great potential,” explains Corominas.

The three major benefits obtained by Vueling after the deployment of ForeScout CounterACT were:
• Improved security in access control
• Automatic validation for external users
• Endpoint compliance

“Once the initial implementation was finished, ForeScout covered 100 percent of our requests and needs, since we could control access to the corporate network and the computers of our corporate users automatically authenticated in a transparent and secure way. We automatically send external partners or users performing a network connection to a branded captive portal which includes a personalised look and feel with our corporate logo and colours. These users must enter their credentials in order to connect to the network. Lastly, we perform a security analysis in order to assess the state of installed antivirus and patch level of the operating system,” states Corominas.

“During the deployment process, we did not have any difficulty implementing the product. CounterACT initially classifies the devices connected to the network, both passive, analysing traffic, and network scanners using nmap. For example, some printing equipment was classified as a UNIX system, because it really works with this operating system. Because of its detection as UNIX and not being equipment of corporate users, initially network access was blocked for these printers. Once we detect the problem with manual sorting as “printer,” the issue was solved immediately,” explains Corominas.

Conclusion

Through ForeScout CounterACT, Vueling is currently aware of a complete inventory of its connected devices to the corporate network in real-time. The company can differentiate the equipment of corporate users and external users or partners, and is able to meet the required level of security for connected endpoints. CounterACT currently monitors about 1,000 devices, including laptops, desktops, mobile systems, etc.

“Due to the growth and diversity of devices connected to Vueling’s corporate network, the CounterACT solution is supporting its maximum number of concurrent IP devices. In order to solve this problem and to minimise the connections to the corporate network from mobile devices, which are likely to be vulnerable, we have implemented new security policies. The aim of this, is to deny mobile-device access to the corporate network. Most of this involved employees trying to make internet connections. As a result, we decided to assign a new network for such purposes, and now, these devices are not being managed by ForeScout CounterACT and don’t use the corporate network. If a user tries to connect to the corporate network from a mobile device, we block the connection and they are notified by a message that they must connect to the new network for that purpose. With ForeScout, we can apply security policies easily. Before CounterACT, this was impossible to implement with the traditional solutions we had in the organisation,” concludes Corominas.

Vueling currently has two appliances in high availability (ForeScout CounterACT CT-1000s) in order to provide secure access control and compliance of its corporate customers and partners.