How do you guarantee end-users the required level of
access while making sure that networks and applications are
protected by robust security? Arif Mohamed looks at how
two organisations have solved the puzzle
IT security can enable a business to improve operational
efficiency and give staff flexible access to corporate IT
resources.
However, there are technical and cultural barriers that must be
overcome if a project is to be successfully rolled out across a
business where IT security is a major factor.
The multi-faceted nature of enterprise security means that any
security project must be planned and implemented carefully, as
illustrated by the following case studies.
How ADP took the Cisco route
ADP is one company that has implemented an enterprise-wide security
project from the ground up. ADP provides payroll and human
resources administration services to other companies, and because
it handles other people's information on its own systems,
security is particularly important.
ADP’s project to upgrade its Cisco network and implement
“future-proof” secure wireless working was combined with an office
move and, unusually, the IT team was given only six weeks to carry
out the IT project, including three weeks of planning and three
weeks of testing.
As part of the project, ADP deployed a fixed Cisco IP network at
its new UK headquarters in Chertsey, with several layers of
security.
ADP uses Cisco Security Agent to analyse network behaviour and
protect the company’s servers against breaches from worms and
viruses, rather than using an updated database of threats.
ADP also incorporated Cisco’s Network Admission Control (NAC)
technology. NAC is embedded in the Cisco networking infrastructure,
and enforces security policy compliance on all devices that try to
access network resources.
The system can ensure that remote workers who are trying to
access the network are authentic.
NAC is built on two core products. The first is a NAC server
security appliance, based on Cisco's Clean Access product line.
This acts as a network watchman, only allowing network access to
compliant and trusted endpoint devices, such as PCs, servers and
PDAs, and restricting the access of non-compliant devices.
The second product is the NAC Framework, which communicates with
anti-virus and other security and management software from about 75
suppliers, providing an “intelligent network infrastructure” that
can deal with security threats in a coordinated way.
The NAC technology is particularly effective in protecting
remote workers’ laptops, said Mike Smith, technical support manager
at ADP, and is used in combination with Cisco Trust Agent – client
software that is a core component of NAC.
“We like the idea that NAC, or Cisco Trust Agent, checks the
laptop and says, ‘Are your anti-virus and patch levels up to date?
Yes or no?’ and puts you in our mediation area while it does this.
It gives us safety around our laptops.”
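The admission decision Smith describes, as an added example rather than ADP's or Cisco's code: an endpoint agent reports its anti-virus and patch state, the gateway compares that against policy, and the device is either admitted to the corporate network or held in a remediation area until it is brought up to date. The policy thresholds, patch identifiers, segment names and endpoint reports are all constructed for this illustration.

```python
"""Posture-based network admission, in the style the article describes.
Added example; policy values and sample reports are constructed."""

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Policy thresholds are assumptions for this example, not ADP's real policy.
MAX_AV_SIGNATURE_AGE_DAYS = 3
REQUIRED_PATCHES = {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}   # placeholder ids
TODAY = date(2006, 3, 1)   # fixed "today" so the example is deterministic


@dataclass
class PostureReport:
    """What the client agent attests about the device at connect time."""
    device_id: str
    trusted_agent: bool                 # recognised agent present at all?
    av_running: bool
    av_signature_date: Optional[date]   # None if the agent could not tell
    installed_patches: set = field(default_factory=set)


@dataclass
class Decision:
    device_id: str
    verdict: str        # "admit" or "remediate"
    reasons: list


def evaluate_posture(report, today=TODAY):
    """Compare one endpoint's report against policy; any failure means
    the device is held in the remediation area rather than admitted."""
    reasons = []
    if not report.trusted_agent:
        # A device with no trusted agent cannot prove anything about itself.
        reasons.append("no trusted agent: device treated as non-compliant")
    if not report.av_running:
        reasons.append("anti-virus not running")
    if report.av_signature_date is None:
        reasons.append("anti-virus signature date unknown")
    elif (today - report.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append("anti-virus signatures out of date")
    missing = REQUIRED_PATCHES - report.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    verdict = "admit" if not reasons else "remediate"
    return Decision(report.device_id, verdict, reasons)


def assign_segment(decision):
    """Map the verdict to a network segment (segment names are illustrative)."""
    return "corp-vlan" if decision.verdict == "admit" else "remediation-vlan"


def admission_summary(reports):
    """Evaluate a batch of endpoints; returns device_id -> segment."""
    return {r.device_id: assign_segment(evaluate_posture(r)) for r in reports}


# Constructed sample reports: one healthy laptop, one with stale signatures,
# one with no trusted agent and a missing patch.
SAMPLE_REPORTS = [
    PostureReport("laptop-01", True, True, date(2006, 2, 28),
                  {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
    PostureReport("laptop-02", True, True, date(2006, 2, 20),
                  {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
    PostureReport("laptop-03", False, True, date(2006, 3, 1),
                  {"KB-EXAMPLE-001"}),
]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        d = evaluate_posture(report)
        print(report.device_id, d.verdict, assign_segment(d), d.reasons)
```

The point to notice is the third report: a device that cannot present a trusted agent is treated as non-compliant regardless of what it claims, which is why the article's "Yes or no?" check only makes sense when the agent itself is part of the trust decision.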
The wireless system allows laptops to connect to the network
using Cisco’s Secure Wireless Blueprint, an IT plan that employs
Cisco Catalyst switches and the Cisco Trust Agent on each
laptop.
Wireless users have to enter a password to access the network,
which is termed user-based authentication. ADP chose this over
machine-based authentication because it brought
additional security.
ADP also uses Cisco technologies to encrypt all wireless traffic
and detect and pinpoint rogue wireless access points in and around
the offices.
Smith said the firm chose the system mainly for its scalability
and the fact it allowed workers to roam between floors and not lose
their connection. ADP plans to roll out IP phones within the next
18 months, and the infrastructure will support this.
“Our main constraint was time,” said Smith. “Whatever solution
we picked had to be available and implemented quickly – from
signing the contract to going live we only had six weeks,” he
said.
The main technical problems ADP faced concerned older laptops
that did not support the Extensible Authentication Protocol (EAP),
an authentication framework used to secure wireless networks.
It depended on the chipsets the laptops used. “On some we
upgraded the wireless cards, on others we used a software client on
top. It was mentioned by our partner that we should make sure we
did a double and triple check, but we had other things to worry
about at the time,” said Smith. As a result, the IT department had
to check and update 150 laptops.
However, Smith said the wireless connection was seamless once it
was up and running.
“The machines take slightly longer to authenticate to the
network, about 30 seconds on start-up. The main thing is if you log
in too soon, your log-in script does not work, but most staff have
got used to this,” he said.
The main lesson ADP learned, apart from the fact that a secure
network project could be completed in just six weeks, was not to
skimp on the upfront auditing of the laptops and to make sure they
supported the chosen protocol. “That was our main headache –
laptops not connecting,” said Smith.
However, now the secure wired and wireless network is in place,
ADP’s IT team is able to give visitors to the building guest access
to the internet from their laptops by generating a security
token.
“This is very well perceived by clients,” said Smith, who added
that visitors cannot gain access to the internal network because it
runs on a secure and separate network.
Durham’s security go-between
Durham County Council needed to bolster its security for when
remote workers accessed applications and information on its
intranet. The main driver for implementing new technology was a
requirement from its partner, the NHS.
The council chose the Netilla Security Platform (NSP) from AEP
Networks. This is termed a Secure Sockets Layer (SSL) virtual
private network (VPN) gateway, and is a hardware server
appliance.
It sits between workers using corporate resources remotely and
the applications themselves. It authenticates users, encrypts
the traffic and gives users only what they require, while
limiting their network access. Users can access applications
remotely from any web browser, provided they input their user name
and password.
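The gateway role just described, as an added example that is not Durham's or AEP's code: a user authenticates once at the go-between, is then shown only the applications they are entitled to (the two icons the article mentions later), and any request for anything outside that list is refused at the gateway rather than ever reaching the internal network. The user names, passwords, application names and internal host addresses are all constructed placeholders.

```python
"""Toy SSL VPN gateway policy: authenticate, then expose only entitled
applications. Added example; all users, hosts and entitlements are constructed."""

import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    """Salted PBKDF2 so the gateway never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed credential store: username -> (salt, password hash).
_SALT_A = b"constructed-salt-A"
_SALT_B = b"constructed-salt-B"
USERS = {
    "council-user": (_SALT_A, _hash_password("example-pass-1", _SALT_A)),
    "nhs-user": (_SALT_B, _hash_password("example-pass-2", _SALT_B)),
}

# Which applications each user is entitled to; nothing else is reachable.
ENTITLEMENTS = {
    "council-user": {"notes-mail", "intranet"},
    "nhs-user": {"discovery", "ssid"},
}

# Application name -> internal target the gateway proxies to (placeholders).
APPLICATIONS = {
    "notes-mail": ("notes.example.internal", 443),
    "intranet": ("intranet.example.internal", 443),
    "discovery": ("discovery.example.internal", 443),
    "ssid": ("ssid.example.internal", 443),
}

_SESSIONS = {}   # session token -> username


def authenticate(username, password):
    """Return a session token on success, None otherwise.
    The comparison is constant-time so failures do not leak timing."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = username
    return token


def portal_icons(token):
    """The applications shown after log-on: only the user's entitlements."""
    user = _SESSIONS.get(token)
    if user is None:
        return []
    return sorted(ENTITLEMENTS.get(user, set()))


def route_request(token, app):
    """Resolve an application request to its internal target, or None if the
    session is invalid or the user is not entitled to that application."""
    user = _SESSIONS.get(token)
    if user is None or app not in ENTITLEMENTS.get(user, set()):
        return None
    return APPLICATIONS.get(app)


if __name__ == "__main__":
    tok = authenticate("nhs-user", "example-pass-2")
    print("icons:", portal_icons(tok))
    print("ssid ->", route_request(tok, "ssid"))
    print("intranet ->", route_request(tok, "intranet"))   # refused
```

Two design choices carry the security point: the entitlement check happens at the gateway, so an authenticated NHS user cannot reach council e-mail simply by asking for it, and the internal host names are only ever resolved on the gateway's side of the single open port.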
Keith Hollins, infrastructure support manager at Durham, says,
“It allows us to have secure communications between ourselves and
external sources.
“We have a broad partnership with the NHS. They utilise the
system for patient care. One of the prerequisites was that the NHS
wanted the connection to be very secure. They wanted to ensure
their systems were not vulnerable.”
The council needed to replace its thin client remote access
system, which was struggling due to increased traffic and usage.
The way it had been implemented meant it was not very scalable,
says Hollins.
Of the SSL VPNs available, the NSP came in at £20,000 including
a failover server and a concurrent licence for 50 users. This was
priced well against the competition.
Hollins was looking for a system with a low cost of ownership,
which required very little training to use. It had to use fewer
network ports than the previous system, so it could be more
secure.
The NSP only needs one port open, over a private network rather
than the internet, which means it is even more secure.
“While open source solutions were available, the time required
to deliver a solution was not, as we were under pressure to deliver
immediately. We needed something that was proven and easy to
implement,” says Hollins.
Durham went live in December 2005 with the NSP, which was set up
by systems integrator Enforce Technology. The secure access system
was configured to give workers access to Lotus Notes e-mail and the
intranet, which is hosted on a Lotus Domino server.
It also gives some health professionals access to information
via two applications: an Oracle database query tool called
Discovery, and the Oracle-based social services information
database (SSID).
These two social care systems are used in-house for delivering
adult and children services.
One of the challenges was getting the browser access to SSID to
work. “We had found that the SSID solution was not straightforward
to deliver to remote devices, and this was a challenge that needed
to be overcome,” says Hollins.
The SSID application was based on Oracle Forms. Durham’s IT team
wrote a Sun Java applet to replace the Oracle JInitiator code on
the browser.
JInitiator enables end-users to run Oracle Developer Server
applications directly from Netscape Navigator or Internet
Explorer.
“When problems arose with the SSID solution, time could have
been spent analysing the ports and types of communications that
were preventing it from working using the solution’s native version
of Java, but we had to come up with something fast. Changing the
solution to use Sun Java enabled the application to work fine,”
says Hollins.
Not having to pre-install client software at the
browser also meant that workers could get instant connectivity, enabling
the council to meet its project deadline.
Durham's criterion was whether end-users would find the secure
remote access system easy to use, says Hollins, and fortunately,
they did. When users log on via their browsers and input their name
and password, they are faced with just two icons for the
applications they require.
“We have users in the NHS and the council who have little time
to spare for learning new systems. Therefore the solution had to be
intuitive and easy to use to ensure we got immediate buy-in from
those users,” says Hollins.
“We provide services to organisations that are responsible for
the public’s health and safety and we require safeguards in place
should the worst happen. However, even with the growing number of
users there has been no performance degradation and the solution
has proved reliable and stable.”