Computerworld - I've written in the past about my struggle to offer safe, cheap remote access to our users. One approach that worked well was using a virtual private network (VPN).
We could have used the VPN tools included in our firewall, but I'm from the old school of information security that says it's safer to keep components as distinct and simple as possible. So we used a VPN 3000 Series Concentrator from Cisco Systems Inc.
The only problem with the concentrator is that it lacks a few of the features of the Cisco IOS operating system that I've come to expect, such as the Cisco Terminal Access Controller Access Control System security protocol that authenticates administrator access. The VPN box comes from one of Cisco's acquisitions, so I'm hoping the company will add these features in the next release.
On the upside, the concentrator supports our SecurID system for user authentication, and the client software is well supported and works fine. Cisco claims that the system is compatible with the IPsec protocol and that we should be able to use any IPsec implementation. For now, we'll ease support worries and stick with end-to-end Cisco parts.
This was ticking over nicely until we added a few test users. The tests went well, but our users included a product development manager for some of the financial systems we offer to our customers. At the time, these systems were very secure, running on private dedicated circuits with very tight access control and monitoring. However, deploying our equipment to their sites and ordering a leased line to one of our points of presence was very slow and expensive.
The product development group would love to offer free trials of our services to potential customers. Once the product manager saw the VPN service, she realized we could do this quickly and at a low cost. Suddenly, all the equipment we configured for home-support access was taken away to develop this new service.
I'm glad to say we've been included from the beginning. The need for swift time to market and low cost hasn't increased the risks we'll accept. We're using SecureID to authenticate customers, although it takes a few days to generate the tokens and send them out. We've built a three-tier architecture to bring the untrusted outside connections to nearly the same level of assurance as our dedicated lines.
The first firewall filters connections to just IPsec to the outside of the VPN 3000. The inside interface to the box is protected with a firewall that allows access to only our application and the midtier services that application requires. The midtier server is then restricted to seeing only the internal devices it needs to offer the financial service.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
