Melbourne Airport

Melbourne Airport uses Cloudflare to secure their infrastructure and protect against DDoS attacks

Serving up to 25 million travellers annually, Melbourne Airport is the second-busiest airport in Australia. It currently serves nearly 40 airlines covering Pacific, European, Asian, North and South American destinations, and the many domestic routes that span Australia.

In keeping with Melbourne’s mission to become Australia’s favorite airport destination, a wide variety of IT-supported services make each passenger’s trip through the 2023 Skytrax award-winning facility safe, enjoyable, and efficient.

Challenge: Securing critical infrastructure in a complex technological ecosystem

Due to the important role the airport plays in connecting Australia with the world, keeping the facility and its travellers secure is a responsibility of national importance. To accomplish this, however, the technical and cybersecurity teams faced multiple challenges.

“Maintaining a strong security fabric is our key priority, and that covers the entire passenger experience. It starts curbside at home, extends through the terminal to the boarding gate, and onto the plane,” explains Anthony Tomai, Melbourne Airport CIO. “The entire airport is a broad technological ecosystem that supports a vast mix of enterprise and operational systems. I can't understate its complexity.”

“We need to be very clear about who is on our infrastructure and how to protect it,” adds Cheuk Wong, Melbourne Airport’s Head of Cyber Security. “When you add free public Wi-Fi into the mix, over 100,000 people connect to our network daily.”

Solution: Straightforward security with the Cloudflare WAF

Melbourne Airport security team evaluated several vendors and web security products. Of the choices, only Cloudflare ticked their boxes for a secure, scalable, and easy-to-implement security solution that also met regulatory requirements.

“Cloudflare was the best solution for us,” says Tomai. “People we talked to were saying good things — Cloudflare has an excellent reputation in the broader marketplace.”

The airport began their security upgrades with the Cloudflare web application firewall (WAF). The multi-layered Cloudflare defensive solution provided the airport with machine learning and threat intelligence insights, central management for all of their domains, Cloudflare managed rules, Open Worldwide Application Security Project (OWASP) rule sets, and powerful manual response options.

Setup went smoothly and the team easily addressed their security concerns.

“Implementing Cloudflare was straightforward,” says George Panagiotidis, Technology Project Manager, at Melbourne Airport. “It’s rare we have the luxury of using a product that just works out of the box.”

The airport security team was able to deploy the Cloudflare WAF across multiple domains without the need for manual configuration or automation. This meant the team could easily test out rulesets by logging traffic on a small group of hostnames before activating the WAF rules across the system.

“With Cloudflare, we quickly strengthened our protections for our publicly-facing assets,” says Evan Thomson, Melbourne Airport’s Incident Response Manager. “The Cloudflare WAF secured our externally exposed URLs and restricted problematic traffic from inappropriate international sources.”

Cloudflare also improved the team’s visibility into the traffic on the network and reduced the time they spend ensuring everything remains secure.

“We can recognize problems and make security adjustments in a rapidly, all from the Cloudflare dashboard,” says Thomson. “It would have taken far longer in the past.”

Keeping infrastructure DDoS attacks in check with Magic Transit

Based on their early success with Cloudflare, when recent creditable cyber threats were publicized in the world media, the team looked to Cloudflare to scale up their protections. By moving their network perimeter to the Cloudflare global network edge using Magic Transit, the airport was able to secure their infrastructure instantly to defuse any DDoS threats.

“With Magic Transit in place, we were confident malicious traffic would not reach the airport infrastructure”, says Tomai.

“Overnight, Cloudflare implementation engineers helped us complete a huge piece of work in a very complex environment,” says Panagiotidis. “We expanded our Cloudflare protection from our web applications to our entire network. It was an A+ experience.”

Backed by Cloudflare’s Magic Transit, the airport would be able to sidestep any potential DDoS attacks, which would allow the airport to avoid any costly downtime, delayed flights and inconvenience to travellers, and losing the public’s trust.

“We are looking to Cloudflare for opportunities where we can better leverage our existing tooling, maximize value, and better understand our environment,” says Wong.

Describing his interactions with Cloudflare to secure Melbourne Airport, Tomai reflects on the importance of trust for successful collaboration.

“It's all about the power of good partnerships — being able to get the best out of people who know how to do things better than you can. Cloudflare is a trusted partner to us now. We will continue to lean on the Cloudflare team for advice and support.”