This article can also be found in the Premium Editorial Download "Information Security magazine: IPSec vs. SSL VPNs: Which cures your remote access ills?."
Dave Bailey had a dilemma. Providing browser-based remote e-mail access to thousands of employees distributed among nearly 300 sites for global minerals firm IMERYS was proving to be a tough nut to crack.
In 1999, when minerals giant Imetel acquired ECC International, all employees had Lotus Notes, which they could access internally via iNotes, a browser interface. Bailey was charged with providing secure remote access as well for sales reps, executives at home or on the road, etc.
"Once we had this going inside our network, the obvious leap to providing that from any Internet-connected machine was a natural progression," says Bailey, senior consultant in e-commerce, messaging and integration for the Global IT group of Paris-based IMERYS. The goal was to make e-mail access easier, and save wear and tear on laptops, since employees didn't necessarily have to take them out of the office.
Bailey reviewed a wide range of options before settling on Whale Communications' e-Gap SSL VPN appliance.
One by one, the options were considered and rejected. Bailey didn't want to expose existing Notes servers to the Internet. Nor did he want the expense and redundancy of adding servers to the DMZ just for remote access.
As for IPSec, he preferred to avoid the administrative burden of additional clients, since only 75% of IMERYS laptops had them. He was also concerned about "the odd firewall out there that wouldn't pass IPSec to our VPN authenticator, which would have to be tweaked."
Simply enabling SSL VPN access to all mail servers wasn't efficient. He investigated reverse-proxy solutions, but none except e-Gap could capture and rewrite the mail URL correctly for a multiple mail server environment.
In late 2002, the global IT group got it first to "test the heck out of it." When Bailey added two more e-Gap boxes to provide load balancing and failover, his group began rolling out Internet access to IMERYS' myriad Lotus Notes mail servers and other selected apps. It was a hit.
"The users love it," says Bailey. "Just having access to e-mail is the first thing to get them."
Headquarters applications--especially finance, HR and procurement--were the big driver, he says, since HQ needs to analyze and request data from remote users. "Those outside the company can access this internal, Web-based application via e-mail to see the request and submit their information. They can also see reports."
The product is also driving single sign-on (SSO) and a single corporate directory. While SSO is typically an abstract concept for most users, they now often face multiple password logon screens. e-Gap eliminates some but not all of those, so far, for applications that IMERYS has tied to Domino and its LDAP directory.
"We are working our way through those applications one at a time," enabling access, says Bailey. In the future, IMERYS will enable e-Gap connections to other ERP software.
Bailey says e-Gap's security features address some of the major concerns of remote access over the Internet. e-Gap protects against application-level attacks by first "learning" the organization's normal traffic. Then the appliance only allows proper requests.
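The "learn normal traffic, then allow only proper requests" approach described above is a positive security model. The following is an added illustration written for this article, not Whale's code or its actual algorithm: it profiles a constructed, hypothetical set of iNotes-style requests by method, URL shape and parameter names, and then rejects anything outside that profile.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample of "normal" webmail traffic observed during the learning
# phase (hypothetical iNotes-style URLs, not captured from any real system).
TRAINING = [
    "GET /mail/jdoe.nsf/iNotes/Mail/?OpenDocument",
    "GET /mail/asmith.nsf/iNotes/Mail/?OpenDocument",
    "GET /mail/jdoe.nsf/($Inbox)?OpenView&Start=1&Count=30",
    "POST /mail/asmith.nsf/($Inbox)?OpenView&Start=31&Count=30",
    "GET /names.nsf?Login",
]

def normalize_path(path):
    # One rule per URL shape, not per user: collapse the per-user mail file
    # name (jdoe.nsf, asmith.nsf, ...) into a placeholder.
    return re.sub(r"/mail/[A-Za-z0-9_]+\.nsf", "/mail/{user}.nsf", path)

def value_shape(value):
    # Coarse shape of a parameter value; a parameter that was only ever
    # numeric during learning must stay numeric at enforcement time.
    return "digits" if value.isdigit() else "any"

def parse(line):
    method, url = line.split(" ", 1)
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return (method, normalize_path(parts.path)), params

def learn(requests):
    # Build the positive profile: for each (method, path shape), the parameter
    # names seen and the value shapes observed for each parameter.
    profile = defaultdict(lambda: defaultdict(set))
    for line in requests:
        key, params = parse(line)
        for name, values in params.items():
            profile[key][name].update(value_shape(v) for v in values)
    return profile

def is_allowed(profile, line):
    # Enforcement: an unlearned method/path, an unlearned parameter name, or a
    # value shape never observed for that parameter is rejected.
    key, params = parse(line)
    if key not in profile:
        return False
    rules = profile[key]
    for name, values in params.items():
        if name not in rules or any(value_shape(v) not in rules[name] for v in values):
            return False
    return True
```

A request from a user never seen during learning still passes as long as its shape matches; an extra parameter, a non-numeric paging value or an unlearned database path does not.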
Further, Whale's air gap technology helps prevent OS- and network-based attacks, since "there's no true IP session" between the two server blades--one facing the DMZ, the other facing the internal network. A switch keeps data from the two networks physically separated, passing through only approved application-level data.
Using browsers on untrusted machines is still a security concern. e-Gap mitigates this by loading an applet that wipes the computer clean of all evidence of the Web session. Further, his group can use filtering and certificates to prohibit untrusted machines from accessing highly sensitive applications.
Bailey believes using a VPN is an important weapon to counter the flow of malicious traffic exploiting port 443 on the firewall.
"If you have everything locked on [SSL] port 443 for a Web browser," he says, "there aren't a lot of things you can do" to compromise security.
Mathew Schwartz is a freelance technology writer based in Massachusetts.
This was first published in August 2003