NTIA implements secure VPN for remote users

NTIA implements secure VPN for remote users

After a pilot, the Commerce Department agency plans to expand network access worldwide

By Drew Robb

Special to GCN

As part of its Digital Department initiative, the Commerce Department's National Telecommunications and Information Administration is implementing a secure virtual private network. The new VPN will grant secure remote access to NTIA users domestically and internationally, officials said.

VPN usage is experiencing dramatic growth in the private sector. According to Infonetics Research of San Jose, Calif., worldwide revenue from VPN hardware is expected to rise from $303 million in 1998 to $2.25 billion in 2003. Due to security concerns, however, VPNs have been slower to catch on in government circles.

Access control

'Our biggest challenge in this project is security,' said Roger Clark, Network and Technical Services Branch chief in NTIA's Office of Spectrum Management. 'This system allows us to centrally control access while permitting remote users to send and receive sensitive information.'

OSM regulates the use of the radio spectrum by federal agencies. It does for the government what the Federal Communications Commission does for the private sector. OSM first piloted the VPN on a small scale. Five users implemented it both locally and remotely to test its capabilities.


NTIA designed its VPN with security in mind, says the Office of Spectrum Management's Roger Clark.


The system is built on four core components: a Novell NetWare 5.0 operating system; network management capabilities added by Novell Directory Services (NDS) Version 8.0; Novell's BorderManager, which acts as the VPN; and Novell GroupWise, which has been added to enhance international collaboration, officials said.

OSM has used NetWare for at least 14 years for such security features as encrypted routers for passing IP data.

BorderManager is a software suite that adds VPN functionality. It lets the department move sensitive information to notebook PCs securely and expand the OSM network beyond Washington headquarters. It includes firewall services and authentication procedures to prevent unauthorized access.

Typically, BorderManager Enterprise Edition is purchased as a management suite that comprises BorderManager Firewall Services 3.5, BorderManager VPN Services 3.5 and BorderManager Authentication Services 3.5.

For customers in a licensing program, BorderManager Enterprise Edition is $43 per user.

'Securing the environment from an outside hacker was a major concern of NTIA,' said Beth Kandianis, a Novell account executive. 'OSM's VPN streamlines security without adding overhead to the network.'

Before implementing the new VPN, OSM had no way to safely bring remote users into the system; more than 50 percent of its staff is regularly in the field, often out of the country.

BorderManager uses Secure Sockets Layer and public-key infrastructure to remove such problems. Remote users dial in via an Internet service provider and are forwarded via a secure datalink to the OSM network. If an individual provides the right public key, an encrypted circuit lets the user log in, though at a slower rate than normal over a public switched telephone network.

OSM has added one server exclusively for PKI certificate management. If a certificate is ever compromised, it can be changed on the fly.

Due to OSM's mixed computing environment, NDS plays a critical role in the overall success of the VPN. With HP-UX, SunSoft Solaris, Windows NT and 2000, NetWare 5.0 in place within the agency, integration issues were carefully addressed during the pilot, officials said. NDS lets IT staff authenticate users and centrally manage each user account from one console, regardless of the platform.

NDS also enables the management of security filters to firewalls and the VPN, though it only grants access to unclassified systems. Classified systems are standalone and remain outside the VPN. Classified data will remain under exclusive internal management.

NDS' e-Directory is a new feature that extends outside the firewall, and manages both the people and the information coming into OSM. Previously, IT staff had to separately launch several applications to change security settings for each user.

Focal point

'Now I have a single point of administration to manage all users from one screen, no matter where they are,' Clark said. 'I'm able to lock out users at certain times, for instance, or control who gets to see what information.'

The final ingredient in the VPN is Novell GroupWise, a cross-platform collaboration and messaging system that communicates across intranets and the Internet. This component makes it easier for staff members traveling overseas to gain access to information in their own offices, as well as communicating securely with colleagues.

With each of these elements in place, OSM piloted the system for several months among a select group of users.

'Our overall goal was to ensure users could securely log in and remotely access our nonclassified systems,' Clark said. 'Now that it has passed, we are extending the VPN to all 125 users within OSM.'

The Novell system will eventually be implemented throughout OSM. During 2001, an extranet VPN pilot will encompass the various federal agencies that are OSM customers on radio frequency matters, such as the Army, Navy, and the Interior and Treasury departments.

Once completed, these organizations could connect to certain portions of the OSM network via an extranet to obtain data and apply for new radio frequencies.

Clark expects this extranet to considerably reduce the current printing and paperwork distribution duties within his office. Downloading monthly reports, for instance, could save OSM a couple of days a month in labor alone, while delivering the data in a more secure and rapid fashion.

What part will this project play in the accomplishment of Commerce's Digital Department objectives? Although VPN testing has been confined to OSM so far, the ultimate goal is to extend it throughout NTIA and possibly Commerce.

'This pilot is being evaluated for the entire department,' Clark said. 'All of NTIA and other agencies within the DOC are watching what we are doing with interest.'

inside gcn

  • Congressman sees broader role for DHS in state and local cyber efforts

    Automating the ATO

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above