March 22, 2011
Brinker International owns or franchises more than 1,500 restaurants globally, and it recently sold its Macaroni Grill and On the Border businesses to a private equity firm. Suddenly, both chains had to create entirely new IT and network infrastructures, including in-restaurant wireless LANs.
Both turned first to Industry Retail Group, an outsourcer that helps retailers deploy broadband network services. Both restaurants put IRG in charge of their guest Wi-Fi networks, but from there, the wireless strategies diverged.
Macaroni Grill holds more of an in-house philosophy, while On the Border opts for more outsourcing and cloud services.
For example, Macaroni Grill has built a production WLAN environment across 180 locations using Aerohive controller-less WLAN access points, says Drew Stafford, VP of IT. The driver behind the WLAN was to scan for rogue wireless devices — a requirement of the Payment Card Industry Data Security Standards (PCI DSS), he explains.
Stafford uses an Aerohive management appliance for data center management, because “it’s a personal preference to keep management traffic in house.”
By contrast, On the Border uses software as a service (SaaS) – Microsoft’s Business Productivity Online Suite – for business applications instead of running them in its own data center. And it has outsourced its production Wi-Fi environment to an IRG partner cloud service called Sputnik.
Sputnik services at On the Border are fueled by a Cisco Linksys E2000 wireless router platform, says Chris Andrews, senior director of IT at the Mexican grill and cantina chain.
Andrews says the chain is five sites into a 119-site WLAN rollout. It intends to use separate wireless VLANs for its back-office network traffic, its guest network traffic, its point of sale (POS) traffic and a 3G backup WAN link.
Both restaurants were first and foremost concerned with security in general and PCI DSS compliance in particular.
Macaroni Grill’s Stafford settled on Aerohive in part because the price and management of an overlay scanning network, he felt, would be “too much. What I really want to know is if a rogue is plugged into the network. Aerohive sees that,” he says, adding that the company’s AP network is completely segmented from the cardholder environment.
He also went the Aerohive route because of its local survivability: “If there’s a WAN failure, there’s no impact on the operation of the local WLAN,” he notes.
That’s because control functions are built directly into the APs rather than sitting across the WAN in a central site. Same with security: Stafford opted to use Aerohive’s WPA2 Private Pre-Shared Key feature, which uniquely IDs each device on the network and does so locally.
“I’d always wanted to authenticate the machine, not the user,” Stafford says. He worried that people could be sharing credentials with others, potentially allowing foreign machines onto the network.
He says Private PSK lets him authenticate end devices without the overhead, management, cost and WAN vulnerability of a centralized, certificate-based Public Key Infrastructure (PKI).
On the Border’s Andrews said he went the outsourcing route primarily because he had to get his new network up so fast.
“I was initially against installing wireless at all because of the time constraints for properly vetting [products and vendors] from a security perspective,” he says. So he chose to use IRG – “one provider that had experience with all the companies.”
He relented on allowing wireless owing to the installation of a Reliant Security MPS Redbox at each site, which he describes as a “firewall device that can do a ton of other things, including wireless intrusion detection.”
Andrews says the WLAN enables delivering training to employees, and “the cloud gives us the flexibility to do it wherever there’s an Internet connection, instead of employees having to VPN into a corporate circuit.” He adds that he expects to use the WLAN for “marketing activity and promotions” in the future.