SSL encrypted network traffic and Microsoft XP SP2 will protect PCs

BP's pilot project to provide network access to corporate applications for 2,000 staff is based on secure internet connections, where all network traffic is encrypted using Secure Sockets Layer (SSL) technology.

SSL is the protocol used in internet banking where home users are provided with a secure connection to a banking application. However, most businesses install a virtual private network to secure remote users.

Paul Dorey, director of global security at BP, said a VPN is no longer viable for BP. "Users need to sign up to the internet wherever they can find a connection. SSL is the only way to encrypt network traffic," he said.

The most popular type of VPN, based on the IPsec protocol, requires the installation of client technology to run on end-users' machines. This adds an increasingly unsustainable layer of management complexity, according to Jericho Forum members.

BP is a reference site for Microsoft Windows technology and the company is providing end-users with a standard PC configured with Windows XP and Office 2003 installed. Other applications are accessed through the browser.

Using the SSL capability within Office 2003, Dorey said end-users are able to collect e-mail as soon as they establish an internet connection.

One key advantage of this configuration is that it allows rapid security patching and updating. With the release of Microsoft XP Service Pack 2, many businesses are faced with the prospect of testing the upgrade with their desktop applications before rolling it out.

At BP, users are currently being updated with Windows XP SP2 as they connect to the internet. Dorey said this sort of automated update presents few difficulties because the company's PCs only run a limited amount of software.

"The power of a non-complex client is that you can patch aggressively without worrying that Windows XP will fall over," he said.

Where BP needs to provide a direct link for users into the corporate network, Dorey has put in place a "device assurance management policy" to minimise the risk of an unpatched machine infecting the corporate network.

Several suppliers offer technology that prevents PCs that are not up to date from connecting to the corporate LAN.

To support this set-up, BP is evaluating InfoExpress CyberGatekeeper, MS Quarantine, Neoteris and Cisco Network Admission Control.
