As the use of remote access grows across government, concerns about potential data leaks and other network intrusions rise commensurately. But there are ways to make sure that your agency's data and networks are safe.
The answer builds on the use of virtual private networking. Agencies have used VPNs for nearly a decade to provide secure remote access to their users via desktop and notebook PCs.
Now, agencies are looking to Secure Sockets Layer (SSL) encryption and tunneling to give users of handheld devices wireless access to agency data, by creating VPNs.
Take the Bureau of Reclamation, for instance. "We employ a layered perimeter defense scheme, which includes tunneling technology for remote user access," says Pam Hajny, deputy CIO for policy, security and planning at the Interior Department bureau.
In a common use of VPN tunneling, an agency encapsulates its private information for transmission across a public network. Paired with encryption, such tunnels make it possible to securely send even sensitive data without fear that a roving network sniffer will nab it.
Using encryption to create a secure tunnel means that even if your agency's traffic is intercepted, it can't be read. Agencies typically have used VPNs based on the IP Security Protocol (IPsec) to provide secure connections between locations and for employees using desktop and notebook computers remotely. But IPsec requires a software client on a user's device to create the VPN and a VPN appliance or server on an agency's end.
The newest small portable devices, such as personal digital assistants, high-end cellular phones and messaging handhelds, present a different challenge for agencies because systems administrators cannot fully control them remotelyÂand it might not always be possible to install the necessary IPsec client software. So an IPsec VPN is not always an appropriate or available option.
Remote users of handhelds want to be able to hook up via wireless hotspots, ship files over the Internet and communicate using telecommunications carriers' public cellular networks.
SSL tunneling makes that possible, giving users access to a VPN portal hosted on an agency's Web server.
The Commerce Department is wrestling with just this problem, says William Lay, its director of IT security, infrastructure and technology.
"We are looking at secure access solutions for remote devices where we don't have control over them or where there may not be an IPsec client to load on the device," he says.
The department is exploring SSL VPNs because it wants "to see how useful we can make smaller devices, finding ways to provide content to smaller displays without the user having to scroll down excessively," Lay says.
There are a number of reasons that SSL VPNs make sense for mobile users who need access to e-mail, the Web and their agencies' applications:
The problem comes when the pre-installed clients on handheld devices are not compatible with an agency's existing VPN gateway, says Joel Snyder, a senior partner with IT consulting firm Opus One in Tucson, Ariz.
But one of the bonuses is that some VPN SSL applications can rescale e-mail, Web sites and even an agency's own programs for decent viewing on the small screens commonly found on handhelds.
"A Web browser arguably gives you a universal client built in," says John Gray, VPN portfolio brand manager for Nortel Networks of Brampton, Ontario.
"Suppose you're at somebody else's house, and your pager goes off," Snyder says. "If you can borrow any device with a browser on it, you can check your e-mail safely and avoid having to drive back to your computer or office. That's a perfect use for SSL VPNs."
A VPN tunnel created using IPsec gains access to an agency's network at Layer 3 of the Open Systems Interconnection stack. That's the network layer, the same one used by routers and some switches, and it extends the full network to a user's device. That level of access means worms, viruses and other malware can now exploit security vulnerabilities and penetrate the agency's mail and file servers.
An SSL VPN's access is less far-reaching. It connects at the application layer: OSI Layer 7. The VPN portal acts as a proxy, intercepting all requests and relaying them to the network's internal resources.
"Many people who are concerned with security don't want a full network connection like an IPsec VPN provides because if a user doesn't have the proper security in place for firewalls, and a layered defense, they're at such a low level networkwise that their computer potentially could be a threat," Nortel's Gray says.
Ultimately, it comes down to what an agency needs to provide in the way of applications to its users, Snyder of Opus One notes.
"The downside of SSL is you don't get full network access, but that's often not required nowadays. It's only needed for specific applications," he says, but adds, "Every SSL vendor has some workaround that lets you, on a fairly broad spectrum of applications, do that through SSL VPNs."