Mine safety agency secures the tunnel for remote users
SSL VPN has the security and low maintenance dispersed workers need
Juniper inherited the Secure Access line when it acquired NetScreen Technologies. The SA-3000 SSL VPN comes in a FIPS-compliant configuration.
The Labor Department's Mine Safety and Health Administration has 1,200 inspectors traveling around the country who rarely work in an MSHA office. Add to that the agency executives and administrators who often work from home, and you have thousands of workers seeking remote access to the MSHA network.
Allowing remote access makes the remote PC a node on a network and raises a host of security problems, said MSHA security officer Syed Hafeez.
'We were concerned about extending the network to someone's house,' Hafeez said.
Providing connections that were both convenient for the end user and secure proved to be difficult. Providing those connections without overburdening the IT support staff seemed almost impossible.
The agency had servers in its offices in Arlington, Va., and Denver to allow dial-up connections.
'But those were dial-up speeds,' said IT director George Fesak. As employees became more used to high-speed Internet connections at home, they became more frustrated with dial-up speeds.
So, to deliver high-speed connections, the agency turned to virtual private networking. A few users, on a case-by-case basis, were given VPN access using IPSec, which provides encryption and authentication at the IP layer.
But even this small group caused a 'world of grief for the support staff,' Fesak said. Each client computer had to be loaded with VPN software and configured to use it properly, which in some cases meant visiting the user's home. Maintaining and troubleshooting the clients was a continuing burden after they were configured, and even when everything worked properly the security concern remained: an IPSec VPN makes the remote PC a node on the network, so if a remote client became compromised with malicious code, the VPN could carry that code into the network.
'A VPN is a secure tunnel for the rats to run through,' Fesak said. 'There was no way we could police that and still support problems with the clients.'
The solution was an SSL VPN, which uses the Secure Sockets Layer protocol (since standardized as Transport Layer Security, or TLS) to establish authenticated and encrypted sessions between Web servers and Web clients.
'SSL is a clientless technology,' said Don Wheeler, solutions marketing manager for Juniper Networks Inc.'s Federal Systems division. 'Any Web browser can support an SSL VPN.'
MSHA eventually selected the Sunnyvale, Calif., company's Secure Access 3000 SSL VPN for its remote access needs.
The selection process began with the Enterprise Architecture initiative mandated by the Office of Management and Budget to ensure that IT programs support agency missions.
'We started an Enterprise Architecture project here in 2002,' Fesak said. 'We took it very seriously. We now have EA governance, in which all of our customers work with us to determine our priorities.'
In early 2003, Fesak said, 'the number-one need was to have a way for people with high-speed Internet connections to securely access the network without causing a lot of grief for the support staff.'
Funds for the project were allocated for fiscal 2004, and MSHA began evaluating four products. It was 'fairly obvious' what the final choice should be, Fesak said.
One of the four was an IPSec VPN from Cisco Systems. 'Because we didn't like the traditional VPN, we decided not to use Cisco,' he said.
The remaining three products were SSL VPNs. Two of them were not certified to the Federal Information Processing Standard 140-2 for cryptographic modules. That left Juniper's Secure Access, which is FIPS-140-2 Level 2 validated. A pilot program with 200 users began in February 2005.
Because Web browsers already support SSL, no additional software is required on the client PC for basic SSL VPN access. The appliance presents a digital certificate that the browser verifies before the session is established (client certificates can be used as well, but are not required), and the two sides negotiate a cipher suite that both support, normally in the server's order of preference. The encrypted session is transparent to the user, who then authenticates through a login page served by the appliance before being granted access to the agency's resources.
MSHA uses the Secure Access 3000, which supports up to 2,500 simultaneous sessions. It is a rack-mounted appliance that is placed behind the firewall to receive connection requests.
It can support levels of user authentication from simple user name and password to multifactor authentication and digital certificates, Wheeler said. It also supports access policies defined by administrators and can whitelist trusted locations. An employee connecting from a home computer might be given a greater level of access, for instance, than one connecting from an unmanaged public wireless access point. Host-check policies on the client PC's configuration and status (antivirus, patches, personal firewall) also can be enforced before access is granted, so that infected or unprotected PCs are kept off the network.
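The kind of role mapping the previous paragraph describes, as an added example written for this article (it is not Juniper's policy engine or MSHA's configuration): an ordered rule list combines the source location, the strength of the login method and the endpoint's host-check result into one of three outcomes. The trusted address ranges, the role names and the posture fields are assumptions; the source address must be the one the appliance sees on the connection, not a client-supplied header, or the whitelist is trivially spoofed.

```python
"""Illustrative SSL VPN role-mapping policy (example code, not vendor code)."""
import ipaddress
from dataclasses import dataclass

# Constructed whitelist of trusted locations: hypothetical ranges standing in for
# the agency's offices and registered home connections.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/24")]
STRONG_AUTH = {"token", "certificate"}   # anything stronger than a password alone


@dataclass
class Session:
    source_ip: str          # address as seen by the appliance on the TCP connection
    auth_method: str        # "password", "token" or "certificate"
    host_checked: bool      # the host-check component actually ran and reported back
    antivirus_current: bool
    firewall_enabled: bool
    os_patched: bool


def location_trusted(ip: str) -> bool:
    """True only for a parseable address inside a whitelisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False        # unparseable input is treated as untrusted, never as a pass
    return any(addr in net for net in TRUSTED_NETWORKS)


def posture_ok(s: Session) -> bool:
    # A missing host-check report is a failure, not a pass: a client that strips or
    # skips the check must not get the benefit of the doubt.
    return s.host_checked and s.antivirus_current and s.firewall_enabled and s.os_patched


def strong_auth(s: Session) -> bool:
    return s.auth_method in STRONG_AUTH


# Rules are evaluated top to bottom and the first match wins; the final rule is an
# explicit default deny so that an unanticipated combination never falls through.
RULES = [
    ("deny", "endpoint failed or skipped the host check",
     lambda s: not posture_ok(s)),
    ("full", "trusted location and two-factor or certificate login",
     lambda s: location_trusted(s.source_ip) and strong_auth(s)),
    ("web-only", "trusted location but password-only login",
     lambda s: location_trusted(s.source_ip)),
    ("web-only", "untrusted location with two-factor or certificate login",
     lambda s: strong_auth(s)),
    ("deny", "untrusted location with password-only login",
     lambda s: True),
]


def assign_role(s: Session) -> tuple:
    """Return (role, reason); 'full' also covers terminal-services access, 'web-only' does not."""
    for role, reason, matches in RULES:
        if matches(s):
            return role, reason
    return "deny", "no rule matched"   # unreachable because of the default rule


if __name__ == "__main__":
    home_pc = Session("192.0.2.44", "token", True, True, True, True)
    hotspot = Session("198.51.100.9", "password", True, True, True, True)
    infected = Session("192.0.2.44", "token", True, False, True, True)
    for s in (home_pc, hotspot, infected):
        print(s.source_ip, s.auth_method, "->", assign_role(s))
```

The order of the rules carries the policy: the posture check is evaluated first so that a compromised PC is refused even when it connects from a trusted network with a token, and a password-only login from an unknown address gets nothing at all rather than a reduced role.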
The major limitation to an SSL VPN is its reliance on the Web browser for access.
'There is definitely still a place for IPSec VPNs,' Juniper's Wheeler said. 'Where SSL VPNs make the most sense is where they are trying to allow particular persons access to applications.'
In fact, this aspect of SSL VPN presents some problems at MSHA. 'It's really more a reflection of where we are with IT in this agency than of the product,' Fesak said. 'Not all of our applications are Web-based.'
Access to non-Web applications requires the use of Terminal Services, which pushes a 400KB ActiveX client to end users; because ActiveX runs only in Internet Explorer on Windows, those users are tied to that browser for the legacy applications.
All new applications at MSHA are Web-enabled, but enabling legacy applications will depend on when the money is available.
MSHA began making the SSL VPN available to its 2,200 eligible employees in April.
User authentication is done by user name and password entered in the browser now, but a pilot is under way to test stronger, two-factor authentication using SecurID from RSA Security Inc. of Bedford, Mass. This is a hardware token that generates a new code every 60 seconds; the user enters it together with a secret PIN or password, so a captured code is useless without the secret and expires within a minute in any case. The passcode is verified using RSA Authentication Manager and Authentication Agent software.
'We'd eventually like to go with two-factor authentication for everybody,' Fesak said. So far there have been no problems with the two-factor system. 'I was afraid we'd have stability problems, but it has been stable.'