This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing seven top integrated endpoint security suites."
ONE SIZE DOES NOT FIT ALL
Norwich's evolutionary path is common among large organizations with diverse populations. While early remote access solutions like modem pools and IPsec VPNs worked for homogenous communities of modest size, most organizations eventually ran into scalability, usability and cost barriers.
"Originally we had dial-up servers, but that only allowed access by employees, not students," says Quelch. "We then added a Cisco VPN for administrators to manage systems remotely. When things were small, support was fine."
Norwich ran into trouble when expanding this IPsec VPN to staff that needed database access and rural faculty connected by satellite Internet. "That became cumbersome and difficult to support. The VPN client didn't interact well with Active Directory, login scripts, printers and mapped drives. For users with satellite connections, there was too much lag and VPN connections dropped," says Quelch.
To overcome these problems, Norwich deployed an Aventail SSL VPN. "That was great, because all we had to give users was a URL, login and password," explains Quelch. By eliminating client installation, the university could force all remote users onto an encrypted Internet tunnel with Active Directory authentication. "The SSL VPN let us offer more external connectivity to resources like shared drives. There were options like [scanning for] virus protection."
But new technologies tend to address IT pain by making simple assumptions, thereby imposing other limitations. For example, as SSL VPN usage grew, so did administrative costs. "We tried all three types of Aventail access," says Quelch. "The installed client required admin rights. The download-on-demand client sometimes got corrupted. The ordinary SSL session was limited to GUI applications only."
As the university expanded its Web presence, it deployed Citrix NetScaler, which allowed it to provide secure Web portal access to non-Web legacy applications by opening just two ports. However, while portals could present GUI applications to offsite users, they could not deliver client/server access to applications like Oracle databases.
This was first published in November 2007