As part of the largest foodservice and hospitality company in the world, Compass Group provides high quality catering and support services such as staff restaurants, student refectories, hospital patient meals, coffee shops and executive dining - serving nearly three million meals a day at over 9,000 locations. Its parent company Compass Group PLC operates in more than 90 countries and is listed on the London Stock Exchange FTSE-100 Index.
'Our users require safe, seamless integration with internal and external services, whether via email, Internet or portal services such as Citrix,' said Robin Harvey, IT Operations Director for Compass Group. 'We must ensure that both the corporate network and its users are protected from malicious content and viruses without hindering work practices, slowing down activity or being unnecessarily intrusive. It's crucial that we keep abreast of new threats such as spyware, Denial of Service (DoS) attacks and evolving worm programs.'
Robin and his team were concerned that the incumbent Checkpoint firewall system lacked sufficient performance and capacity to deliver the high availability and resilience that they required: 'With such a large network running multiple systems, any unscheduled downtime would greatly affect the organisation. We decided to replace the primary firewall and redesign the protection measures for our Internet connectivity. To cope with new threats, we wanted a robust anti-virus engine at the network edge, in addition to an intrusion detection and prevention system (IDS/IPS) - all with maximum ease of manageability.'
'We looked for a new kind of security set-up that could provide more power and more functions, without any added complexity,' explained Robin. 'Previously, we had a very complicated server and load balancing/sharing architecture running firewall software so we welcomed the opportunity to explore a different approach. Performance-wise, because we used software, we were being constrained by the Intel processing power of our Sun servers.'
Having conducted research into the security marketplace, Compass was able to learn more about Fortinet and its family of FortiGate integrated security platforms. According to Robin, 'One of the major attractions of the FortiGate is its cost-saving licensing approach which enables an unlimited number of users onto the platform without having to pay extra for any of them.' Robin and his team also found that with the FortiGate devices receiving automatic virus updates from the FortiProtect Service, managing and maintaining Compass Group's network security was virtually hands-off.
Following a period of consultation, Fortinet helped Compass select two FortiGate FG-1000s for combined implementation as the network's primary firewall protection. Arranged in an active/active cluster, the new solution was installed at Compass' remote co-location facility. Remote access services, including DNS and RADIUS, were added shortly after, with user Internet access incrementally installed during the remainder of 2004.
'We were very impressed with the FG-1000s - they have comprehensively fulfilled our expectations,' commented Robin. 'The difference in performance as soon as we turned the devices on was immediately apparent. Over-and-above our previous system the gains are incredible and will allow us to provide more services with greater reliability. We've also seen many new benefits that were not originally anticipated, such as the visibility of traffic trends and other potential areas of concern that we now enjoy through the FortiReporter module. This alone has allowed us to respond far more rapidly to emergency situations and changes.'
The largest additional benefits have come through the in-built capabilities of the FortiGate to deliver more than simply firewall protection. According to Robin, by enabling the antivirus and IDS/IPS functions on each device, his team has found that network performance remains unimpeded. This dramatically increases the level of security measures in play, and at zero additional cost to Compass.
Since the replacement of the previous Checkpoint-based system with Fortinet, Compass has been able to easily establish VPN connections to partner services - an extremely complicated process prior to the change. 'Some groups of users want PDA and smartphone access to corporate data such as email, which creates a real issue for us in terms of enforcing security policies. Configuring these dataflows with network-to-network VPNs used to take us a very long time. Now it takes maybe 10 minutes. We also found that the FortiGate's VLAN-tagged DMZs provide an easy way to separate and protect network services from external and internal sources of potential attack.'
Since investing in two FG-1000s for core network deployment, Compass has subsequently acquired a number of lower-scale FG-60s for smaller implementations of other firewalls.
Moving forward, Compass plans to implement the FortiGuard content filtering service alongside its incumbent FortiGate security functions in early 2005; a move that will see the company realise an increasingly popular approach to complete content protection that industry watchers are coining 'Unified Threat Management'.
Summing up the achievements of the project, Robin puts the contribution of the Fortinet devices in the context of Compass's broader IT network strategy: 'A major infrastructure change was made in replacing the old firewall solution, and a new Internet data centre is now functional; expanding every month with new services. At the heart of our infrastructure are the FortiGates. They're a great success, enabling greater visibility, improved performance and more flexibility.'







