Remote access

SEC plans to roll out F5's FirePass SSL VPN technology, to secure communications with the agency's network.

Agencies that don't want to install Check Point's Connectra appliance, can buy the SSL VPN software separately.

How will agencies help teleworkers reach the mother ship? For years, the answer was IPSec, but SEC is heading in a different direction.

The Securities and Exchange Commission uses an IP Security virtual private network to provide workers with a remote connection to the SEC network. For years, IPSec has been the preferred means of secure Internet communications between offices.

'But it has a big price tag with it,' said Luis Toledo, a computer specialist in SEC's IT office.

SEC employees cannot use their home PCs to access the main network because network administrators can't be sure each employee's home PC has the proper security configurations. So the agency has issued 1,600 notebook computers, each with VPN client software.

'Now I have to get certificates to put on every laptop,' Toledo said. 'It gets complicated. How can I avoid buying a laptop for every user to have at home?'

The answer may be a VPN that uses the Secure Sockets Layer, the Web protocol for establishing authenticated and encrypted sessions between Web servers and browsers.

'The nice thing about SSL is that it is ubiquitous across computing,' said Timothy M. Clark, director of federal programs for F5 Networks Inc. of Seattle. Just about every desktop and notebook PCs, and many handheld devices, has a browser supporting SSL, and none requires client software for encrypting communications.

F5 makes a variety of networking hardware, including IP switches, firewalls and SSL VPN appliances. Now Toledo is testing F5's FirePass SSL VPN and slowly rolling it out to SEC users.

'Because it integrates with Active Directory, you can create your own account,' he said. 'Total cost of ownership is rocketing down.'

Overall, administrators are looking for more than simplicity in enabling remote access to networks.

'We're seeing a transition from just wanting to get people connected, to wanting to make them secure,' said Bill Jensen, VPN product marketing manager for Check Point Software Technologies Ltd. of Redwood City, Calif.

Rise of SSL-based remote access

SSL VPNs have been around for four years, but are just starting to take off.

'We see this year as the first year for mainstream adoption,' said Check Point's Jensen. In 2003, IPSec hardware sales were more than $2 billion, according to San Antonio-based research firm Frost and Sullivan. The SSL VPN market was $90 million. But industry projections call for as much as 140-percent market growth for SSL VPNs this year alone.

Driving the adoption of these new tools is the growing number of applications enabled for the Web and the increasing mobility of the workforce.

'Teleworking is becoming a big thing,' said SEC's Toledo. 'It's not just us.'
[IMGCAP(2)]
A federal survey last year found that only 14 percent of eligible employees telecommuted at least one day a week. But agencies are supposed to make the option of working away from the office at least part of each week available to all eligible employees this year. Toledo thinks the practice will grow.

'If the private sector is doing it, it's just a matter of time until the government does it,' he said.

In addition, managing client-side software and server-side controllers for IPSec VPNs is becoming a burden for IT shops such as SEC's. 'That takes manpower,' Toledo said. 'And that equates to dollars.'

VPNs typically secure the connection itself with an encrypted link. But recent releases of SSL VPNs, such as FirePass 5.4 and Connectra 2.0 from Check Point, also enforce configuration policy on the client and use a variety of encryption and cache cleaning techniques to remove artifacts of the session. One of the potential hazards of SSL VPNs is also one of its strengths: Users can access a network through any SSL-based Web browser, but if they do so from a public Internet kiosk, for example, they could end up leaving sensitive information in the system cache.

Toledo began testing FirePass on his home network in April. He liked the fact that it is a hardened appliance that does not use Microsoft software, so it does not have to be patched. It also eliminates the need for the IT staff to configure computers used for remote connections.

After testing, Toledo introduced FirePass first to his own tech staff. About 30 techies now use it for network administration.

'I don't think you should introduce anything to the community until you have a good understanding of the technical side,' he said.

FirePass incorporates load balancing and caching to ease network congestion. On the security side, it can distinguish trusted PCs from unknown computers and can scan the endpoint for security requirements such as updated antivirus software, firewalls, operating-system patches and registry settings. In many ways, these capabilities mirror those of established IPSec solutions.

'The middleware will protect the agency from you not having the proper equipment on your computer,' Toledo said.

SEC users of Windows XP can access a protected workspace. The workspace, within the Internet Explorer browser, limits where files can be written to and all temporary folders are deleted at the end of the session. Cache cleanup removes cookies, browser history and other artifacts of the session, and empties the recycle bin at the end of the session.

For password security, users are presented with a virtual on-screen keyboard and use their mice to log in. This eliminates the risk of key loggers stealing passwords.

'I think this box has a lot of potential,' Toledo said. He is ready to begin slowly introducing it to users outside the IT office.

FirePass has a base list price of $9,990, with the antivirus and personal firewall inspection module costing another $995.

Check Point's Connectra 2.0 offers similar endpoint security features, including a secure browser, cache cleaning, and endpoint checking for security configuration. It also disables spyware on the endpoint machine.

The latest release is offered in a software-only version as well as a hardware appliance. Some users prefer the convenience of an appliance that can be plugged into the system, and others prefer the software version so that they do not have to introduce a new box into a standardized environment, Jensen said.

Pricing starts at $10,000 for the appliance model and $8,000 for the software model.

Jensen said Check Point probably would seek Federal Information Processing Standard validation for the product but not Common Criteria certification, which often is a more lengthy, costly process.

'That is a large step for any vendor to take,' Jensen said.

Even so, agencies are likely to pay more attention to SSL VPN products in their effort to enable secure remote access without unnecessarily burdening IT budgets. Experts say SSL VPNs won't grow in popularity at the expense of IPSec VPNs. Instead, the remote-access market as a whole will continue to grow significantly, and each individual organization will have to weigh the pros and cons of existing remote-access technologies.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above