Moxie's Classic Grill
Summary
A large and growing restaurant chain needed to enae all its stores nationwide to easily and securely access vital information on the network at the HQ while ensuring staff and restaurant guests weren't abusing Internet access. A sophisticated but easy to use solution was provided by an innovative VAR using switches and firewalls from ZyXEL that were ideally suited to the application.
Challenge
Moxie's Classic Grill operates over 45upper tier casual restaurants spread across five provinces in Canada. Eatz Enterprisesmanages 23 Moxie franchise locations in Ontario and Manitoba. Eatz wanted to connect all 23 restaurants to their head office's network resources while maintaining the integrity and security of the existing head office's LAN. Store managers also wanted to make sure the Internet connection would not be abused by staff for personal use or become a distraction.
Because of the distance between stores, it was very important that any solution provided a high level of up-time and remote administrative capabilities as on-site visits would be costly. Complicating the security of the network, the Internet connection would be used not just to link the locations, but also to provide free wireless guest Internet access, and provide access to a variety of third party tools such as IP based security cameras, POS systems, and a web based reservations system. Eatz needed an advanced solution with high up-time, but also wanted to keep the cost of hardware down and reduce administrative overhead.
Solution
Eatz turned to MultiTrends, a managed IT solution provider with locations in every time zone in Canada. MultiTrends offers onsite and remote technical services, network monitoring, infrastructure design and implementation, amongst other services. After looking into a number of possible solutions, including equipment from Cisco and Fortinet, MultiTrends chose ZyXEL equipment to be the heart of their solution.
A ZyWALL70 was chosen to act as the main firewall and VPN aggregator at the head office. The ZyWALL70 consists of an ICSA certified firewall, ICSA certified VPN with support for 100 simultaneous IPSec VPN connections, as well as supporting content filtering and other UTM applications. Each restaurant was provided with a ZyWALL5 which offers the same ICSA certified firewall and VPN as the ZyWALL70, but in a configuration designed for branch offices. The ZyWALL5 makes a secure 3DES IPSec VPN tunnel back to the head office, allowing each branch to securely communicate with the head office over the Internet.
A ZyWALL70 was chosen to act as the main firewall and VPN aggregator at the head office. The ZyWALL70 consists of an ICSA certified firewall, ICSA certified VPN with support for 100 simultaneous IPSec VPN connections, as well as supporting content filtering and other UTM applications. Each restaurant was provided with a ZyWALL5 which offers the same ICSA certified firewall and VPN as the ZyWALL70, but in a configuration designed for branch offices. The ZyWALL5 makes a secure 3DES IPSec VPN tunnel back to the head office, allowing each branch to securely communicate with the head office over the Internet.
To address issues of employee abuse of the Internet connection, Eatz wanted an easy-to-administer content filtering solution. Rather than maintain a large internal blacklist of sites, the ZyWALL 5 was configured to block sites based on their content. Anytime a guest tries to access a web site, the ZyWALL 5 checks with servers maintained by BlueCoat, which categorizes each site based on content such as violence, drug use, hate speech, etc. If the site belongs to a category that Eatz wants blocked, the ZyWALL 5 will block that request and instead return a website with a custom message as to why the request was denied. This also provides Moxie management an easy way to keep track of what sites are visited by employees. To separate the different networks, they use the ZyWALL 5's built-in DMZ capability. Devices that should not have access to the VPN are connected via ports on the ZyWALL 5 that are defined as DMZ. The network to be used by Moxie employees is on a dedicated LAN port on the ZyWALL 5.
Moxie uses domain-based security on their network. All network devices are configured to use the domain server located at the head office to define user based security rules. Since each location has a VPN connection to the head office, there's no need to have separate domain controllers at each location. For future expandability, Moxie installed ZyXEL GS2024 switches behind the ZyWALL 5's. These switches are layer-2 managed devices with support for many advanced features. As the needs of Moxie's business grow, having these switches already in place will allow MultiTrends to easily configure bandwidth management and VLAN rules. No need to install new hardware.
Moxie uses domain-based security on their network. All network devices are configured to use the domain server located at the head office to define user based security rules. Since each location has a VPN connection to the head office, there's no need to have separate domain controllers at each location. For future expandability, Moxie installed ZyXEL GS2024 switches behind the ZyWALL 5's. These switches are layer-2 managed devices with support for many advanced features. As the needs of Moxie's business grow, having these switches already in place will allow MultiTrends to easily configure bandwidth management and VLAN rules. No need to install new hardware.
Conclusion
By standardizing on ZyXEL equipment, MultiTrends has been able to provide a solution that meets all of Moxie's current networking needs. They were able to do it in a manner that provides high up-time, high security, and at a low price. The ZyXEL equipment also provides a lot of room for Moxie's network demands and usages to grow without the need to install new hardware.
