How do you guarantee end-users the required level of access while making sure that networks and applications are protected by robust security? Arif Mohamed looks at how two organisations have solved the puzzle
IT security can enable a business to improve operational efficiency and give staff flexible access to corporate IT resources.
However, there are technical and cultural barriers that must be overcome if a project is to be successfully rolled out across a business where IT security is a major factor.
The multi-faceted nature of enterprise security means that any security project must be planned and implemented carefully, as illustrated by the following case studies.
How ADP took the Cisco route
ADP is one company that has implemented an enterprise-wide security project from the ground up. ADP provides payroll and human resources administration services to other companies, and because it deals with other people’s information on its own systems, security is particularly important.
ADP’s project to upgrade its Cisco network and implement “future-proof” secure wireless working was combined with an office move and, unusually, the IT team was given only six weeks to carry out the IT project, including three weeks of planning and three weeks of testing.
As part of the project, ADP deployed a fixed Cisco IP network at its new UK headquarters in Chertsey, with several layers of security.
ADP uses Cisco Security Agent to analyse network behaviour and protect the company’s servers against breaches from worms and viruses, rather than using an updated database of threats.
ADP also incorporated Cisco’s Network Admission Control (NAC) technology. NAC is embedded in the Cisco networking infrastructure, and enforces security policy compliance on all devices that try to access network resources.
The system can verify that remote workers trying to access the network are who they claim to be.
NAC is built on two core products. The first is an NAC server security appliance, based on Cisco’s Clean Access product line.
This acts as a network watchman, only allowing network access to compliant and trusted endpoint devices, such as PCs, servers and PDAs, and restricting the access of non-compliant devices.
The second product is the NAC Framework, which communicates with anti-virus and other security and management software from about 75 suppliers, providing an “intelligent network infrastructure” that can deal with security threats in a coordinated way.
The NAC technology is particularly effective in protecting remote workers’ laptops, said Mike Smith, technical support manager at ADP, and is used in combination with Cisco Trust Agent – client software that is a core component of NAC.
“We like the idea that NAC, or Cisco Trust Agent, checks the laptop and says, ‘Are your anti-virus and patch levels up to date? Yes or no?’ and puts you in our mediation area while it does this. It gives us safety around our laptops.”
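The admission decision described above, as an added illustration that is not part of the original article or of Cisco’s NAC code: an endpoint reports its posture (agent present, anti-virus signature age, missing critical patches) and the policy engine assigns it to the production VLAN, parks it in a remediation area, or, for unauthenticated users, gives it guest access only. The thresholds, VLAN numbers and sample endpoints are constructed assumptions; the article does not state ADP’s actual values.

```python
"""NAC-style posture check: decide which VLAN an endpoint is admitted to.

Added example, not code from the article or from Cisco. Policy values
and sample endpoints below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed policy thresholds (assumptions, not ADP's real settings).
MAX_AV_SIGNATURE_AGE_DAYS = 3       # signatures older than this are "stale"
MAX_MISSING_CRITICAL_PATCHES = 0    # any missing critical patch fails the check
PRODUCTION_VLAN = 10                # full access to corporate resources
REMEDIATION_VLAN = 99               # "mediation area": only update servers reachable
GUEST_VLAN = 200                    # internet only, no internal network

# Constructed "today" so the example is deterministic.
TODAY = date(2006, 3, 1)


@dataclass
class Posture:
    device_id: str
    user_authenticated: bool        # 802.1X / EAP user login succeeded
    agent_present: bool             # Trust Agent-style client reported posture
    av_signature_date: Optional[date]
    missing_critical_patches: int


def classify(posture: Posture, today: date = TODAY) -> Tuple[int, List[str]]:
    """Return (vlan, reasons). Reasons are empty when the endpoint is admitted."""
    if not posture.user_authenticated:
        # Unknown user: never decide posture, just offer the guest segment.
        return GUEST_VLAN, ["user not authenticated"]
    if not posture.agent_present:
        # No agent means status is unknown; fail closed into remediation.
        return REMEDIATION_VLAN, ["no posture agent: status unknown, treated as non-compliant"]

    reasons: List[str] = []
    if (posture.av_signature_date is None
            or (today - posture.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS):
        reasons.append("anti-virus signatures stale")
    if posture.missing_critical_patches > MAX_MISSING_CRITICAL_PATCHES:
        reasons.append(f"{posture.missing_critical_patches} critical patch(es) missing")

    if reasons:
        # Endpoint stays quarantined until it updates and is re-checked.
        return REMEDIATION_VLAN, reasons
    return PRODUCTION_VLAN, []


# Constructed sample endpoints (assumed data, not from the article).
SAMPLE_ENDPOINTS = [
    Posture("lt-01", True, True, date(2006, 2, 28), 0),   # compliant
    Posture("lt-02", True, True, date(2006, 2, 1), 0),    # stale AV
    Posture("lt-03", True, True, date(2006, 2, 28), 2),   # unpatched
    Posture("lt-04", True, False, None, 0),               # no agent
    Posture("lt-05", False, True, date(2006, 2, 28), 0),  # visitor, no login
]


def evaluate_samples() -> dict:
    """Map each sample device to its assigned VLAN."""
    return {p.device_id: classify(p)[0] for p in SAMPLE_ENDPOINTS}


if __name__ == "__main__":
    for p in SAMPLE_ENDPOINTS:
        vlan, why = classify(p)
        print(f"{p.device_id}: VLAN {vlan} {'; '.join(why)}")
```

The point of the `agent_present` branch is the one practitioners most often get wrong: a device that cannot report its posture is treated as non-compliant rather than waved through, which is what makes the check useful against laptops that were never enrolled.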
The wireless system allows laptops to connect to the network using Cisco’s Secure Wireless Blueprint, an IT plan that employs Cisco Catalyst switches and the Cisco Trust Agent on each laptop.
Wireless users have to enter a password to access the network, which is termed user-based authentication. ADP chose this over machine-based authentication because it brought
ADP also uses Cisco technologies to encrypt all wireless traffic and detect and pinpoint rogue wireless access points in and around the offices.
Smith said the firm chose the system mainly for its scalability and the fact it allowed workers to roam between floors and not lose their connection. ADP plans to roll out IP phones within the next 18 months, and the infrastructure will support this.
“Our main constraint was time,” said Smith. “Whatever solution we picked had to be available and implemented quickly – from signing the contract to going live we only had six weeks,” he said.
The main technical problems ADP faced concerned older laptops that did not support the Extensible Authentication Protocol (EAP), an authentication framework used to secure wireless networks.
Whether a laptop supported EAP depended on its wireless chipset. “On some we upgraded the wireless cards, on others we used a software client on top. It was mentioned by our partner that we should make sure we did a double and triple check, but we had other things to worry about at the time,” said Smith. As a result, the IT department had to check and update 150 laptops.
However, Smith said the wireless connection was seamless once it was up and running.
“The machines take slightly longer to authenticate to the network, about 30 seconds on start-up. The main thing is if you log in too soon, your log-in script does not work, but most staff have got used to this,” he said.
The main lesson ADP learned, apart from the fact that a secure network project could be completed in just six weeks, was not to skimp on the upfront auditing of the laptops and to make sure they supported the chosen protocol. “That was our main headache – laptops not connecting,” said Smith.
However, now the secure wired and wireless network is in place, ADP’s IT team is able to give visitors to the building guest access to the internet from their laptops by generating a security token.
“This is very well perceived by clients,” said Smith, who added that visitors cannot gain access to the internal network because it runs on a secure and separate network.
Durham’s security go-between
Durham County Council needed to bolster its security for when remote workers accessed applications and information on its intranet. The main driver for implementing new technology was a requirement from its partner, the NHS.
The council chose the Netilla Security Platform (NSP) from AEP Networks. This is termed a Secure Sockets Layer (SSL) virtual private network (VPN) gateway, and is a hardware server appliance.
It acts as a go-between for workers using corporate resources remotely, and the applications. It authenticates users, encrypts the traffic and gives the users only what they require, while limiting their network access. Users can access applications remotely from any web browser, provided they input their user name and password.
Keith Hollins, infrastructure support manager at Durham, says, “It allows us to have secure communications between ourselves and external sources.
“We have a broad partnership with the NHS. They utilise the system for patient care. One of the prerequisites was that the NHS wanted the connection to be very secure. They wanted to ensure their systems were not vulnerable.”
The council needed to replace its thin client remote access system, which was struggling due to increased traffic and usage. The way it had been implemented meant it was not very scalable, says Hollins.
Of the SSL VPNs available, the NSP came in at £20,000 including a failover server and a concurrent licence for 50 users. This was priced well against the competition.
Hollins was looking for a system with a low cost of ownership, which required very little training to use. It had to use fewer network ports than the previous system, so it could be more secure.
The NSP only needs one port open, over a private network rather than the internet, which means it is even more secure.
“While open source solutions were available, the time required to deliver a solution was not, as we were under pressure to deliver immediately. We needed something that was proven and easy to implement,” says Hollins.
Durham went live in December 2005 with the NSP, which was set up by systems integrator Enforce Technology. The secure access system was configured to give workers access to Lotus Notes e-mail and the intranet, which is hosted on a Lotus Domino server.
It also gives some health professionals access to information via two applications: an Oracle database query tool called Discovery, and the Oracle-based social services information database (SSID).
These two social care systems are used in-house for delivering adult and children’s services.
One of the challenges was getting the browser access to SSID to work. “We had found that the SSID solution was not straightforward to deliver to remote devices, and this was a challenge that needed to be overcome,” says Hollins.
The SSID application was based on Oracle Forms. Durham’s IT team wrote a Sun Java applet to replace the Oracle JInitiator code on the browser.
JInitiator enables end-users to run Oracle Developer Server applications directly from Netscape Navigator or Internet Explorer.
“When problems arose with the SSID solution, time could have been spent analysing the ports and types of communications that were preventing it from working using the solution’s native version of Java, but we had to come up with something fast. Changing the solution to use Sun Java enabled the application to work fine,” says Hollins.
However, not having to pre-install client software at the browser meant that workers could get instant connectivity, enabling the council to meet its project deadline.
Durham’s criterion was whether end-users would find the secure remote access system easy to use, says Hollins, and fortunately they did. When users log on via their browsers and input their name and password, they are faced with just two icons for the applications they require.
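The gateway behaviour described earlier (authenticate the user, then expose only the applications that user needs, with no general route into the internal network) and the two-icon portal just described, as one added example that is not part of the original article or of AEP’s NSP product. The application names, internal hostnames, user accounts and entitlements are constructed assumptions.

```python
"""Application-proxy style SSL VPN gateway policy.

Added example, not code from the article or from AEP Networks.
Hostnames, users and entitlements are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed catalogue of named internal applications (assumed hostnames).
INTERNAL_APPS: Dict[str, str] = {
    "notes-mail": "https://domino.internal.example/mail",
    "intranet":   "https://domino.internal.example/intranet",
    "discovery":  "https://oracle-query.internal.example/discovery",
    "ssid":       "https://ssid.internal.example/forms",
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _make_record(password: str, apps) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash_password(password, salt), "apps": set(apps)}


# Constructed user directory: each user is entitled to a short list of apps.
USERS: Dict[str, dict] = {
    "council.worker": _make_record("council-pass", ("notes-mail", "intranet")),
    "nhs.clinician":  _make_record("nhs-pass", ("discovery", "ssid")),
}
# Dummy record so unknown usernames cost the same work as real ones.
_DUMMY = _make_record("", ())

SESSIONS: Dict[str, str] = {}   # token -> username


def login(username: str, password: str) -> Optional[str]:
    """Verify credentials and return a session token, or None on failure."""
    rec = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(rec["pw"], _hash_password(password, rec["salt"]))
    if rec is _DUMMY or not ok:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def portal(token: str) -> Optional[List[str]]:
    """What the user sees after logging in: only icons for entitled apps."""
    user = SESSIONS.get(token)
    if user is None:
        return None
    return sorted(USERS[user]["apps"])


def route(token: str, requested: str) -> Tuple[str, str]:
    """Map a request to an internal backend, or refuse it.

    Anything that is not a named, entitled application is denied, so the
    gateway never becomes a general route into the LAN.
    """
    user = SESSIONS.get(token)
    if user is None:
        return ("deny", "not authenticated")
    if requested not in INTERNAL_APPS:
        return ("deny", "unknown application")
    if requested not in USERS[user]["apps"]:
        return ("deny", "not entitled")
    return ("forward", INTERNAL_APPS[requested])


def logout(token: str) -> None:
    SESSIONS.pop(token, None)


if __name__ == "__main__":
    tok = login("nhs.clinician", "nhs-pass")
    print("portal icons:", portal(tok))
    print("ssid ->", route(tok, "ssid"))
    print("notes-mail ->", route(tok, "notes-mail"))
```

Two design choices carry the security point: the user is shown only the applications they are entitled to, and the proxy resolves requests against a fixed catalogue rather than forwarding arbitrary hosts, which is the "gives the users only what they require" property Hollins describes.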
“We have users in the NHS and the council who have little time to spare for learning new systems. Therefore the solution had to be intuitive and easy to use to ensure we got immediate buy-in from those users,” says Hollins.
“We provide services to organisations that are responsible for the public’s health and safety and we require safeguards in place should the worst happen. However, even with the growing number of users there has been no performance degradation and the solution has proved reliable and stable.”
Vote for your IT greats
Who have been the most influential people in IT in the past 40 years? The greatest organisations? The best hardware and software technologies? As part of Computer Weekly’s 40th anniversary celebrations, we are asking our readers who and what has really made a difference.
Vote now at: www.computerweekly.com/ITgreats