Dec 31 2009

A New Twist on an Old Tool: Virtual Private Networking

Let users of mobile wireless devices at your agency connect securely.

Photo: Randall Scott
Commerce is exploring Secure Sockets Layer VPNs because it wants "to see how useful we can make smaller devices," the department's William Lay says.

As the use of remote access grows across government, concerns about potential data leaks and other network intrusions rise commensurately. But there are ways to make sure that your agency's data and networks are safe.

The answer builds on the use of virtual private networking. Agencies have used VPNs for nearly a decade to provide secure remote access to their users via desktop and notebook PCs.

Now, agencies are looking to Secure Sockets Layer (SSL) encryption and tunneling to build VPNs that give users of handheld devices wireless access to agency data.

Take the Bureau of Reclamation, for instance. "We employ a layered perimeter defense scheme, which includes tunneling technology for remote user access," says Pam Hajny, deputy CIO for policy, security and planning at the Interior Department bureau.

In a common use of VPN tunneling, an agency encapsulates its private information for transmission across a public network. Paired with encryption, such tunnels make it possible to securely send even sensitive data without fear that a roving network sniffer will nab it.

Using encryption to create a secure tunnel means that even if your agency's traffic is intercepted, it can't be read. Agencies typically have used VPNs based on the IP Security Protocol (IPsec) to provide secure connections between locations and for employees using desktop and notebook computers remotely. But IPsec requires a software client on a user's device to create the VPN and a VPN appliance or server on an agency's end.

The newest small portable devices, such as personal digital assistants, high-end cellular phones and messaging handhelds, present a different challenge for agencies because systems administrators cannot fully control them remotely—and it might not always be possible to install the necessary IPsec client software. So an IPsec VPN is not always an appropriate or available option.

Remote users of handhelds want to be able to hook up via wireless hotspots, ship files over the Internet and communicate using telecommunications carriers' public cellular networks.

SSL tunneling makes that possible, giving users access to a VPN portal hosted on an agency's Web server.

The Commerce Department is wrestling with just this problem, says William Lay, its director of IT security, infrastructure and technology.

"We are looking at secure access solutions for remote devices where we don't have control over them or where there may not be an IPsec client to load on the device," he says.

The department is exploring SSL VPNs because it wants "to see how useful we can make smaller devices, finding ways to provide content to smaller displays without the user having to scroll down excessively," Lay says.

Smart Link

There are a number of reasons that SSL VPNs make sense for mobile users who need access to e-mail, the Web and their agencies' applications:

  • No additional client software is needed. All browsers—even the micro-browsers on small handheld devices—include SSL functions to establish a secure VPN connection to an SSL server at an agency. For an IPsec VPN, an agency must select, buy and install VPN software on all mobile users' systems, plus configure and support the application.

    The problem comes when the pre-installed clients on handheld devices are not compatible with an agency's existing VPN gateway, says Joel Snyder, a senior partner with IT consulting firm Opus One in Tucson, Ariz.

    But one of the bonuses is that some SSL VPN applications can rescale e-mail, Web sites and even an agency's own programs for decent viewing on the small screens commonly found on handhelds.

Five Things to Do Before Adopting a Secure Sockets Layer VPN

  • Make sure your end-user systems are certified under Federal Information Processing Standard (FIPS) 140-2; the government requires that agencies buy wireless devices that meet this standard for handling sensitive but unclassified information.
  • Test to make sure the SSL VPN works with your agency's applications—that it can translate a particular program's HyperText Markup Language code correctly, for instance.
  • Set a policy for end-point security. Before you deploy the VPN, decide what limits your agency will place on client devices that connect to the network.
  • Run client integrity scans: programs, provided with some VPN and configuration management packages, that check a device's security settings every time a user logs on.
  • Decide on the parameters to authenticate users seeking access to data via the VPN; use an application that will automatically downgrade a user's access privileges if the integrity scan finds that security protections are inadequate or not up-to-date.

  • Web browsers provide access that is sufficient for many user needs. Browsers are nearly universal clients, sufficient for accessing e-mail, intranets and many applications.

    "A Web browser arguably gives you a universal client built in," says John Gray, VPN portfolio brand manager for Nortel Networks of Brampton, Ontario.

  • The system from which a user accesses the VPN portal is irrelevant. When remote users connect to the portal, they gain access through an authentication screen, which in turn lets them connect only to services to which they have privileges.

    "Suppose you're at somebody else's house, and your pager goes off," Snyder says. "If you can borrow any device with a browser on it, you can check your e-mail safely and avoid having to drive back to your computer or office. That's a perfect use for SSL VPNs."

  • Because the handheld devices connect to a VPN portal, the SSL connection limits the exposure of an agency's systems to tampering.

    A VPN tunnel created using IPsec gains access to an agency's network at Layer 3 of the Open Systems Interconnection (OSI) stack. That's the network layer, the one routers and some switches operate at, and it extends the full network to a user's device. That level of access means worms, viruses and other malware on the device can exploit security vulnerabilities and penetrate the agency's mail and file servers.

    An SSL VPN's access is less far-reaching. It connects at the application layer: OSI Layer 7. The VPN portal acts as a proxy, intercepting all requests and relaying them to the network's internal resources.
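    As an added example (not code from the article or from Commerce, Interior, Nortel or Opus One), the Python sketch below models the controls the "Five Things" sidebar and this proxy paragraph describe: a client integrity scan that downgrades a session's access tier, per-user service privileges checked at the portal's authentication step, and an application-layer proxy that relays requests only to a fixed allowlist of internal resources. The function names (`integrity_scan`, `login`, `relay`), the patch-level and signature-age thresholds, the hostnames and the sample devices are all constructed placeholders, not any vendor's API.

```python
"""Toy model of an SSL VPN portal enforcing the controls the article describes:
a client integrity scan that downgrades access, per-user service privileges,
and an application-layer proxy that relays requests only to an allowlist of
internal resources.  Everything here is constructed; no real network I/O."""
from dataclasses import dataclass
from datetime import date, timedelta

# Endpoint security policy: hypothetical thresholds an agency would set itself.
MAX_SIGNATURE_AGE = timedelta(days=7)   # antivirus definitions older than this are stale
REQUIRED_OS_PATCH_LEVEL = 3             # constructed integer patch level
TODAY = date(2009, 12, 31)              # fixed "clock" so the example is deterministic

# Access tiers the integrity scan can assign, and the services each tier unlocks.
FULL, LIMITED, NONE = "full", "limited", "none"
TIER_SERVICES = {FULL: {"mail", "intranet", "files"}, LIMITED: {"mail"}, NONE: set()}

# Portal path prefix -> internal upstream (hostnames are placeholders).  A request
# that matches no prefix is never relayed: the client reaches only what the proxy
# knows about (OSI Layer 7), never the agency network itself (Layer 3).
ROUTES = {
    "mail": ("/mail/", "https://mail.internal.example/"),
    "intranet": ("/intranet/", "https://intranet.internal.example/"),
    "files": ("/files/", "https://files.internal.example/"),
}


@dataclass
class Posture:
    """What a client integrity scan reports about the connecting device."""
    fips140_2_module: bool      # device uses a FIPS 140-2 validated crypto module
    signatures_updated: date    # date of the last antivirus definition update
    os_patch_level: int


@dataclass
class Session:
    user: str
    privileges: set             # services the user is entitled to at all
    tier: str = NONE            # tier the integrity scan granted


# Constructed sample devices used by the demo below.
SAMPLE_POSTURES = {
    "healthy": Posture(True, date(2009, 12, 30), 3),
    "stale_av": Posture(True, date(2009, 12, 1), 3),
    "unpatched": Posture(True, date(2009, 12, 30), 2),
    "no_fips": Posture(False, date(2009, 12, 30), 3),
}


def integrity_scan(p: Posture, today: date = TODAY) -> str:
    """Assign an access tier; inadequate protections downgrade rather than merely warn."""
    if not p.fips140_2_module:
        return NONE                       # policy choice: no session at all
    stale = today - p.signatures_updated > MAX_SIGNATURE_AGE
    unpatched = p.os_patch_level < REQUIRED_OS_PATCH_LEVEL
    return LIMITED if (stale or unpatched) else FULL


def login(user: str, privileges, posture: Posture, today: date = TODAY) -> Session:
    """The portal's authentication step: bind the user's privileges to a scanned tier."""
    return Session(user, set(privileges), integrity_scan(posture, today))


def relay(session: Session, request_path: str):
    """Decide where, if anywhere, the portal forwards a request.
    Returns the upstream URL, or None when the request is refused."""
    if session.tier == NONE:
        return None
    if ".." in request_path.split("/"):   # refuse traversal before consulting ROUTES
        return None
    for service, (prefix, upstream) in ROUTES.items():
        if request_path.startswith(prefix):
            allowed = session.privileges & TIER_SERVICES[session.tier]
            if service not in allowed:
                return None               # no privilege, or tier was downgraded
            return upstream + request_path[len(prefix):]
    return None   # unknown path (including "host:port" style requests): not proxied


def demo() -> dict:
    """Run each sample device through login and two requests; returns the outcomes."""
    results = {}
    for name, posture in SAMPLE_POSTURES.items():
        s = login("alice", {"mail", "files"}, posture)
        results[name] = (s.tier, relay(s, "/mail/inbox"), relay(s, "/files/report.pdf"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> tier={outcome[0]:8s} mail={outcome[1]} files={outcome[2]}")
```

    The point to take from `relay` is the one the article makes about Layer 7 versus Layer 3: a request for a path the portal does not know, or for an internal host and port written out directly, is simply not forwarded, because the client was never given a route into the network, only a proxy in front of specific applications. The integrity scan shows the sidebar's last item in practice: a stale or unpatched device still gets e-mail, but loses the file service until it is brought up to date.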

    "Many people who are concerned with security don't want a full network connection like an IPsec VPN provides because if a user doesn't have the proper security in place for firewalls, and a layered defense, they're at such a low level networkwise that their computer potentially could be a threat," Nortel's Gray says.

    Ultimately, it comes down to what an agency needs to provide in the way of applications to its users, Snyder of Opus One notes.

    "The downside of SSL is you don't get full network access, but that's often not required nowadays. It's only needed for specific applications," he says, but adds, "Every SSL vendor has some workaround that lets you, on a fairly broad spectrum of applications, do that through SSL VPNs."