Lessons learned: SSL VPN
The Labor Department's Mine Safety and Health Administration has found that a virtual private network using Secure Sockets Layer encryption and authentication provides an adequate level of network access to remote workers without overburdening its IT support staff.
Because most Web browsers already support SSL, SSL VPNs require no additional client software, which makes the technology easy to implement and to use. Here are some lessons MSHA learned in selecting and implementing its solution.
- 'Make sure you select a product that is in compliance with federal standards,' said MSHA information security officer Syed Hafeez. Only one of the four products evaluated by MSHA had the required FIPS 140-2 validation, and some time and effort were wasted on products that could not make that cut.
- Make sure the technology meets your needs, and that the company is willing to work with you on training and implementation.
- 'You have to have a strategy to deal with your legacy applications,' said IT director George Fesak. SSL is a Web protocol, and some mechanism is needed to access applications that are not Web-enabled.
- Ensure that access policies are based on the user. Most remote-access products support policies defining access based on the identity or role of the user. But, 'you have to do a little bit of homework to figure out what levels of access you will allow people,' Fesak said.
William Jackson is a senior writer for GCN and the author of the CyberEye blog.