Content provided in partnership with
Thomson / Gale

Security brought to light: IPSec VPN provides users with either Web-delivered "thin client" or clientless browser access

Communications News, Jan. 2008

Like many rapidly growing retailers, Seattle Lighting has had to ramp up its technology to meet its expanding business goals. The secret, says IT manager Pat Beemer, is in finding solutions that users will adopt--and IT can deploy--without creating more problems than they solve.

Over the past 90 years, Seattle Lighting has established itself as a leading supplier of lighting fixtures and accessories in the Pacific Northwest. In addition to six Seattle-area locations and a clearance outlet, the company now operates six showrooms near Portland, another in Boise, Idaho, and an online e-commerce brand (DestinationLighting.com).

With its rapid growth and expansion, the retailer realized a need for its executive and administrative staff, inside and outside sales representatives, store managers, and key business partners to obtain secure remote access to mission-critical resources.

The company's primary remote access need is for the distribution-management system--crucial to Seattle Lighting's operations--hosted on a backend IBM RS/6000. Secondary needs include remote access to document files, e-mail, accounting applications and support for the e-commerce Web site.

Seattle Lighting originally provided remote access to its distribution-management system using terminal emulation via telnet, which presented security vulnerabilities at the firewall. With its rapidly expanding PC inventory and upgrades to its network infrastructure, however, the company retired the legacy VAX system and migrated from character-based terminal services to a Windows-based approach.

FIREWALL NOT ENOUGH

To provide virtual private network (VPN) access to distribution management and other business resources, Seattle Lighting deployed a WatchGuard Firebox firewall with integrated IPSec VPN functionality. The outside sales team was the first group to use the VPN, but because IPSec required a resident "fat" client on the endpoint device, the IT staff immediately ran into the type of configuration and conflict issues often encountered when extending IPSec VPNs beyond IT-controlled site-to-site environments.

"One of our top reps tried to access the system from a home computer when it crashed," says Beemer. "After a day of troubleshooting on a three-way conference call with WatchGuard, we had to wipe the PC clean the next day just to get it restarted.

"With the configuration problems, I had to hold back on offering remote access for many of the use-cases that were driving the need in the first place. It was clear we needed to look at alternatives."

Then Seattle Lighting's solution provider, Network Computing Architects, suggested an SSL VPN solution from Aventail (now SonicWALL Aventail).

SSL VPNs do not require the installation or configuration of a fat client. This option eliminated many of the deployment and configuration issues of the IPSec solution. Instead, Beemer saw an opportunity to streamline deployment by providing users with either Web-delivered "thin client" or clientless browser access to Web applications, client/server applications and file shares, from a range of browsers and operating systems.

"The primary factor in selecting our solution was simplicity," says Beemer. "It took under an hour to install and set up the appliance."

The solution employs a centralized object-based policy model with a single rule set to manage and cascade policy across users, groups, resources and devices. "I didn't need to phase deployment," Beemer adds. "User access policy is based on their existing membership in Active Directory groups. I simply provided users with a URL."

For unmanaged endpoints, policy decisions to allow or restrict access are automatically enacted based on the identity of the user and the security of the endpoint. The remote security appliance interrogates endpoint environments prior to authentication to determine the identity of the endpoint device and to confirm endpoint security criteria, such as current antivirus updates or certificate-based watermarks.

IMMEDIATE RESULTS

The results for Seattle Lighting were significant--and immediate. "It was like I flipped a switch and turned on remote security for my users," says Beemer. The secure solution extends user-friendly mobile access to executive, managerial, IT and sales staff from anywhere they can access a browser. The mobility solution automatically deploys an appropriate access method based on the user's identity, endpoint security and the resource requested.

Now, authorized Seattle Lighting staff and partners can remotely access distribution inventory, point-of-sale, customer relationship management, e-mail, intranet and partner extranet resources. "A major success has been with outside sales," says Beemer. Before, Beemer had to restrict the team's access from unmanaged devices. Now, with the security of SSL VPN, their remote productivity has skyrocketed.