Faster VPN provides insurance: SSL VPN overcomes security and deployment challenges for third-party site connectivity

Communications News, Feb, 2008

Insurance firm Hub International is in acquisition mode, having pulled off three in the second quarter of 2007 alone. This makes getting newly acquired firms quickly connected to critical resources on the Hub International network a high priority. Once, this was a time-consuming process that demanded a high level of expertise.

"We've worked days getting a VPN in. It was just a nightmare," states Tarron Weir, vice president and chief technology officer for Hub International. "Not that we couldn't do it, but it required highly trained senior engineers."

To expedite the integration process with its latest acquisitions, the company took advantage of a new SSL-based site-to-site VPN. Today, Hub International can accomplish the aforementioned task in about 45 minutes.

Hub International is a North American insurance brokerage providing a broad array of property and casualty, life and health, employee benefits, reinsurance, investment, and risk-management products and services throughout offices located in the United States and Canada. Since 1998, Hub has completed more than 120 acquisitions as part of its strategic commitment to expansion and to provide seamless coverage for a growing customer base.

While these mergers and acquisitions make sense from a business perspective, the IT staff is responsible for providing the on-ramp that brings new companies into the fold and ensures they are rapidly accretive. According to Tarron, "We are constantly on the lookout for solutions and technologies that will make our lives easier."

For acquisitions, Hub subscribes to the principle of least privilege: newly acquired firms are first denied access to everything, and access is then opened selectively to the essential resources. "Once we complete an acquisition, it's critical to have network communications immediately and communications to certain applications," Weir explains, "but we don't want to give them the whole house. You have to make sure you have people VLANed off or cordoned off so they don't have access to the different parts of the business that they don't need access to."

The firm chose Array Networks' SiteDirect site-to-site SSL VPN for secure remote communications, offering third-party site connectivity scenarios such as partner extranets, customer engagement and acquisitions. Typical site-to-site VPNs establish a Layer 2/Layer 3 connection between two locations, essentially turning two remote networks into one larger network. That means all resources at each location are readily accessible to users at the other end, at least until administrators take steps to deny access to certain servers and applications.

VIRTUAL LAN MORE CUMBERSOME

Prior to SiteDirect, Hub accomplished this task using a traditional virtual LAN approach, which meant reconciling differences between the various types of hardware each side used and resolving internal IP-addressing conflicts that required double network address translation (NAT).

Both Hub International and the companies it acquires typically use NAT so that only their assigned IP address is published to the Internet while a larger, different set of IP addresses is used internally. As a result, it is not uncommon for two companies to be using the same internal IP addresses. Working around such conflicts with traditional VPNs requires NAT devices on both ends, a configuration known as double NAT, which adds time and complexity to the setup.

"Absolutely, we have run into situations where we had duplicate IP addresses. It seems to be the rule rather than the exception. In fact, we ran into that situation again with our latest project based out of Fort Lee," confirms Weir.

SiteDirect avoids such conflicts through a technology dubbed resource publishing, which enables IP addresses to be provisioned from a Dynamic Host Configuration Protocol (DHCP) server or from a specified pool of addresses. Resource publishing automatically performs a one-to-one translation of source and destination IP addresses, based on the local IP addresses provisioned by SiteDirect at each endpoint, which removes the need for administrators to configure NAT rules.

Hub can now take a white-list approach, in keeping with the principle of least privilege. Instead of assuming all resources will be available to users at an acquired company, SiteDirect extranet publishing technology makes available only those resources that IT specifically indicates, whether they are applications, servers or subnets. All remaining resources are invisible to the newly acquired organization.
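To make the resource-publishing idea concrete, here is an added illustration of one-to-one source/destination translation combined with a default-deny white-list when both sites use the same internal range. It is not Array Networks' code and does not describe how SiteDirect is implemented; the internal range 10.1.0.0/24, the alias pools 172.31.0.0/24 and 172.31.1.0/24, and the published billing service on port 443 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

class Site:
    """Tunnel endpoint; holds aliases for *peer* addresses only, so the peer may
    reuse this site's own internal range without any collision in these tables."""
    def __init__(self, alias_pool):
        self._pool = ipaddress.ip_network(alias_pool).hosts()  # must overlap neither LAN
        self.alias_to_real = {}  # local alias -> (peer real ip, published ports)
        self.real_to_alias = {}  # peer real ip -> local alias

    def alias_for(self, real_ip, ports=frozenset()):
        """One-to-one alias for a peer address; empty ports = reply-routing only."""
        if real_ip not in self.real_to_alias:
            alias = str(next(self._pool))
            self.real_to_alias[real_ip] = alias
            self.alias_to_real[alias] = (real_ip, frozenset(ports))
        return self.real_to_alias[real_ip]

class Tunnel:
    def __init__(self, a, b):
        self.peer = {a: b, b: a}

    def publish(self, owner, real_ip, ports):
        """Publish a resource at `owner`; its peer learns it under a local alias."""
        return self.peer[owner].alias_for(real_ip, ports)

    def forward(self, src_site, pkt):
        """Translate a packet entering from src_site; None means default deny."""
        entry = src_site.alias_to_real.get(pkt.dst)
        if entry is None or pkt.dport not in entry[1]:
            return None  # unpublished host or unpublished port: invisible to sender
        src_alias = self.peer[src_site].alias_for(pkt.src)  # non-overlapping sender alias
        return replace(pkt, src=src_alias, dst=entry[0])

def demo():
    """Constructed scenario: both LANs are 10.1.0.0/24 (the duplicate-IP case)."""
    hub, acquired = Site("172.31.0.0/24"), Site("172.31.1.0/24")  # pools outside both LANs
    tun = Tunnel(hub, acquired)
    billing = tun.publish(hub, "10.1.0.10", {443})         # alias the acquired site uses
    pkt = Packet(src="10.1.0.10", dst=billing, dport=443)  # client shares the server's IP
    return (billing, tun.forward(acquired, pkt),
            tun.forward(acquired, replace(pkt, dport=22)),         # port not published
            tun.forward(acquired, replace(pkt, dst="10.1.0.20")))  # host not published
```

Because each endpoint's tables only ever hold the peer's addresses, the client and the server can both be 10.1.0.10 and still be told apart; anything not published never gets an alias and is simply unreachable.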

SiteDirect allows Hub to quickly provide newly acquired companies access to certain financial and billing applications, for example, but not to portions of the business that do not concern them. "It allows us to button it down right to the application itself," Weir says. "We might want to just give them billing, or just give them our financial system where they can do some read-only stuff.

"It's a great help to us, versus exposing the entire network," he adds. "That's been a basic bedrock principle for us; do you want to deliver the application or the network? We want to deliver the application."

Content provided in partnership with Thompson Gale