Published: 01 Nov 2007
| Organizations are overhauling strategies to meet the challenges of the mobile workforce.
From accommodating mergers to expanding application breadth, many companies are finding it necessary to revamp strategies that no longer meet their needs. Simply connecting travelers to the corporate network is no longer sufficient, or even acceptable. New products and approaches have emerged to reduce risks and fill gaps, from browser-based and mobile VPNs to endpoint security and identity-based network access control (NAC).
From a technology standpoint, businesses can deliver the appropriate degree of resource access to anyone, anywhere, using any device and connection. But from a strategic perspective, how do companies determine which new approach can best address their objectives?
For Norwich University in Vermont, it was an evolutionary process. The university tried half a dozen platforms to deliver remote access to 800 faculty members and 2,000 students. "Our security challenges are great, for we are required to provide various levels of support and application access," says Richard Quelch, network manager at Norwich. "While each product [we tried] provides great connectivity for specific application types, no single product does everything well."
Ultimately, Norwich combined several products. Sonic-WALL's Aventail, Citrix Systems' NetScaler and Cisco Sys-tems' ASA appliances now provide remote access; endpoints are scanned before access and then monitored by Cisco MARS. "I think we're finally where we want to be," says Quelch. "It's a huge relief that we can put restrictions on what [users] connect to and keep a record of their activity. We're providing better access, getting more applications out to people, while keeping them more secure."
| ONE SIZE DOES NOT FIT ALL
Norwich's evolutionary path is common among large organizations with diverse populations. While early remote access solutions like modem pools and IPsec VPNs worked for homogenous communities of modest size, most organizations eventually ran into scalability, usability and cost barriers.
"Originally we had dial-up servers, but that only allowed access by employees, not students," says Quelch. "We then added a Cisco VPN for administrators to manage systems remotely. When things were small, support was fine."
Norwich ran into trouble when expanding this IPsec VPN to staff that needed database access and rural faculty connected by satellite Internet. "That became cumbersome and difficult to support. The VPN client didn't interact well with Active Directory, login scripts, printers and mapped drives. For users with satellite connections, there was too much lag and VPN connections dropped," says Quelch.
To overcome these problems, Norwich deployed an Aventail SSL VPN. "That was great, because all we had to give users was a URL, login and password," explains Quelch. By eliminating client installation, the university could force all remote users onto an encrypted Internet tunnel with Active Directory authentication. "The SSL VPN let us offer more external connectivity to resources like shared drives. There were options like [scanning for] virus protection."
But new technologies tend to address IT pain by making simple assumptions, thereby imposing other limitations. For example, as SSL VPN usage grew, so did administrative costs. "We tried all three types of Aventail access," says Quelch. "The installed client required admin rights. The download-on-demand client sometimes got corrupted. The ordinary SSL session was limited to GUI applications only."
As the university expanded its Web presence, it deployed Citrix NetScaler, which allowed it to provide secure Web portal access to non-Web legacy applications by opening just two ports. However, while portals could present GUI applications to offsite users, they could not deliver client/ server access to applications like Oracle databases.
| REMOTE & LOCAL CONVERGENCE
As companies deploy wireless LANs and embed identity-based access controls into their networks, the dividing line between "local" and "remote" grows thin. Local users are no longer continuously connected or trusted, while remote users no longer stick to one company device. When the same user moves from inside to outside and back in a single day, a common strategy becomes necessary.
This is why Norwich recently decided to leverage the Cisco NAC it implemented for on-site LAN security by rolling out a new Cisco ASA (Adaptive Security Appliance). The ASA offers firewall, IPS and IPsec/SSL VPN services on a single appliance that integrates with Cisco's NAC agent. Norwich plans to move users whose needs are not satisfied by Aventail or NetScaler to an ASA-based VPN, using NAC to mitigate the higher risk associated with IPsec VPN tunnels.
"Those who connect to Oracle, administer systems or use mapped drives need [the ASA]," explains Quelch. "Those who just do email or manage a Web page can be more easily supported through NetScaler or [Aventail] SSL VPN." While nearly 3,000 employees and students connect through NetScaler or Aventail, just 50 are expected to require the ASA.
"We can't control the machine that people are coming from, but [with Cisco NAC] we can disable their access automatically. We can also enforce patches on Windows 2000/XP/Vista," says Quelch. But Cisco NAC constraints necessitate an incremental approach. "Since there is no Cisco agent for Linux, we're just using Web authentication there. And NAC can't keep up-to-date with every kind of virus protection, so we had to narrow our list to four [AV] programs," says Quelch.
No matter how users connect to the Norwich network, Cisco MARS monitors activities. "That was the missing piece--keeping track of who was connected to what. Now we can log security issues and be notified of attacks. If someone looks at illegal material, we can go back to see exactly what they did," says Quelch.
| ENABLING MOBILITY
Like Norwich, the government of Hamilton County in Indiana overhauled its remote access system to deal more efficiently and effectively with growth and expansion. However, Hamilton felt the pinch of its legacy IPsec VPN in different ways--beginning with mobility.
"It started with the sheriff's office," says Jeremy Hunt, one of four administrators responsible for Hamilton County's network. "Officers needed more information in the car to make better decisions. Knowing that we were going to need access to a new system in the sheriff's office, we looked for a solution that could provide better access for everyone."
Today, Hamilton County uses NetMotion Wireless to support mobile device access by not only the sheriff's office, but also police, firefighters, health inspectors, prosecutors and building inspectors. This mobile VPN was deployed about two years ago and has already expanded beyond the target population. "We're licensed for 200 clients and we're pushing that limit. Before, we didn't have a solution for many people due to cost, but now we can support more users, giving them access to different systems," says Hunt.
Originally, mobile sheriff's units used Verizon Wireless AirCards to reach the office via frame relay backhaul. "It wasn't an easy setup and we had to rely on users having some knowledge. It only worked for one application. It left those Verizon Wireless connections open to the Internet, which was a security concern. And clients had to have static IPs, which became a configuration nightmare," says Hunt.
Other county offices started with more traditional remote access. "Initially we used dial-up to get into one of our mainframes," says network administrator Mike Carter. "We also supported vendors and attorneys using analog modems. Eventually we moved to other platforms, ending up on a Cisco 3005 [IPsec] VPN."
The county issued RSA SecurID tokens for authentication. "That got to be cost-prohibitive as more people wanted access," says network administrator Chris Kuner. The token-based VPN client approach also became a big support concern. "We had to help users on a weekly basis, talking them through installation. It was a hassle for users, who had to connect to the Internet, then fire up the VPN client. And if they didn't secure [their laptop], who knows what they brought into our network."
| Improving Transparency
The county's NetMotion server was installed in one day. Domain authentication is now used instead of tokens, and administrators say users find the client very transparent.
"It's like logging in from your desk, whether you're [connected to] a home network or hotspot," says Kuner. "NetMotion chooses the fastest connection. When you unplug and go into the field, you don't have to close your application or restart NetMotion. You can close your laptop, go home for the weekend, and on Monday [when you log in to your laptop], your connections will still be there."
According to Hunt, session persistence has been a significant improvement. Whether connectivity is lost due to laptop suspension or network change, mobile VPNs work to avoid tunnel disconnection and the resulting user disruption. "We do have some dead spots where cars lose signal. NetMotion continues that application without interruption, whereas the VPN client would have dropped the tunnel and the user would have had to restart their VPN, their applications--everything."
After deployment, the county started thinking of new ways to use the mobile VPN. "For example, food inspectors can go to a facility, complete their inspection, type up a report right there at the facility, and print the report while still on-site," says Carter.
Initially, NetMotion users ran into problems in public networks that required Web login. The county created profiles to circumvent those issues and purchased NetMotion's Mobility XE Policy Management Module for more granular access control. "Rather than letting VPN clients have open access to our network, we can now give different groups access to different systems," says Hunt.
Hamilton still uses its old Cisco 3005, but repurposed that VPN to focus on vendor/administrator access and site-to-site tunnels. Attorneys were shifted onto a provider-hosted Web portal called Doxpop. "That's gotten us out of the loop, so we don't have to support lawyers," says Carter.
The county is now planning its next steps, including redundancy and virtual servers to facilitate disaster recovery. Although work remains, the team is pleased with its new strategy. "We've gotten more positive feedback on this [migration] than anything else we've done," says Carter. "We've even had old VPN users turn in their tokens and ask to be switched to NetMotion."
| FACILITATING EXPANSION
For Intermatic, a global manufacturer of energy control products, a combination of mergers, acquisitions and business expansion drove the company to update its remote access systems.
"We've been undergoing a massive transition, including new product development and en-trance to international markets. Sites that we acquired either had existing infrastructure or we had to build out new infrastructure," says Pete Revel, Intermatic senior project and technology manager. "The biggest challenge was collaboration and finding local integrators. We had to get away from traditional remote access--using firewalls to establish B2B and B2E tunnels--because we were too limited in terms of performance and who we could give access to."
To centralize control and respond more rapidly to workforce needs, Spring Grove, Ill.-based Intermatic this year migrated from a modem pool and a Cisco 3005 VPN to a Juniper SA4000 SSL VPN. "We have about 1,000 workers that will eventually have access to it," says Revel. "Right now we have about 250 users."
The SA4000 has become Intermatic's primary remote access method. "You just host the appliance, integrate critical business applications on the back end, and they're served up to the world," says Revel. "Now, we can just create an account for new users, point them to the right page, and they're in. We can literally have someone functioning within an hour if we've already done the integration for the applications they need."
Application integration turns out to be the piece that makes or breaks the deal when it comes to enabling access through an SSL VPN. SSL VPN appliances have evolved to where many now provide clientless and client-based access that can support a variety of applications, devices and users.
Intermatic chose the SA4000 because it can use dynamically downloaded Juniper Security Application Management (SAM) code to redirect application traffic through the SSL tunnel. Linux or MacOS clients use the Java SAM, while Windows clients use JSAM or the Windows ActiveX SAM.
"SAM provides a universal client to integrate with our back-end systems--for example, AS400 applications with 5350 terminal emulation," explains Revel. "SAM gives users a lightweight version of the back-end application. I would have liked to see SAM be a little more robust, but it still gives us a lot without having to install a VPN client. If you can point new users to a lightweight client, your success rate is going to be a lot higher."
Intermatic employees anywhere in the world can log in to the SA4000, authenticate through Active Directory and browse mainframe applications, invoked from a dashboard customized to each user. Before each connection is accepted, Juniper's Host Checker is launched and inspects the user's device for antivirus, the latest patches and other security protections.
In addition to SAM, Intermatic uses a handful of alternative remote access methods. The Juniper Network Connect client is used when legacy client-side applications like IBM iSeries require network layer tunnels. Juniper Secure Meeting is used to share desktops when collaborating with business partners that don't have VPN access.
Intermatic is a Juniper shop, but also uses F5 Networks' FirePass SSL VPN appliance to access Agile Software's Prod-uct Lifecycle Management application (Oracle bought Agile this year). "The F5 wraps native HTTP in SSL to present Agile to the world through a secure Web site," says Revel. Users can interact with Agile through a Web interface or download a Java Agile client.
Intermatic, Norwich and Hamilton County all started with the same legacy platforms, but made different choices when revamping remote access. Workforce, application, business goals and vendor preference affected those decisions. However, there are some common aspects to their choices.
None ended up with a single remote access solution. All combined platforms to satisfy diverse applications, users and devices. All tried to reduce complexity, whether to contain costs, cut administration or simplify user experience. And all tightened security through granular filters and/or endpoint scans--in two cases, by leveraging NAC.
In the future, remote access will be affected by advances like IP telephony, data/voice convergence and 4G wireless. With broader NAC adoption, the network perimeter will continue to fade, turning everyone into a "remote" user. Keeping pace with these changes will require further evolution. As these companies found, perhaps the best remote access strategy is one that doesn't hold you back and grows along with you.
- Windows 2012 Server Network Security –ComputerWeekly.com
- 7 Keys to Delivering Secure Remote Access –Citrix
- Secure Remote Access With Zscaler Private Access –Zscaler
- The Definitive Guide to Secure Remote Access –Zscaler