SPECIAL FOCUS: MANAGED SERVICES
SSL VPN ‘insures’ productivity
Insurance firm securely connects data centers and offsite employees.
by Charlie Rubin
American Century Casualty Co. (ACCC) had always insisted that its network access be restricted to users on the corporate LAN. The catalyst for change came during the year-end holiday break in 2006, when some of the statewide claims managers asked if they could do some work from home.

Stephen Gentilozzi, IT manager at American Century Casualty, chose an SSL VPN to provide secure connections to employees working in the field or at home.
“We had no real solution for them at the time,” says Stephen Gentilozzi, IT manager at ACCC. “We gave them access through our Citrix client as a temporary fix, but we also started looking for a permanent solution that would satisfy our users as well as our own security requirements.”
The goal was to eventually provide some 150 claims managers, field appraisers and other executives with anytime, anywhere access to the corporate network, with full security.
ACCC operates administrative offices and data centers in Houston and Atlanta, to serve 250 employees and 4,000 independent agents. The company insures drivers and vehicles in South Carolina, Georgia, Alabama, Mississippi, Louisiana and Texas.
From the outset, Gentilozzi and his team knew they wanted a Secure Sockets Layer virtual private network (SSL VPN). Unlike IPsec VPN solutions, which need a preinstalled client, SSL VPN technology would allow access from any PC with a standard Web browser. “Everyone can get on the Internet, and SSL technology should be able to allow our employees to log on with their user names and passwords and get access to the resources they need,” he says.
Unfortunately, Gentilozzi’s five-person IT staff learned that the first two solutions it tested would require installation of client software to provide the endpoint security and access-control restrictions dictated by ACCC’s overall network security policy.
“Fundamentally, our team didn’t want to have to provide installation on every computer outside the office,” explains Gentilozzi. “We could set up clients on users’ home systems or laptops if we had to, but we wanted a product that would also work if someone was at a relative’s house or at a conference.”
The IT team’s experience with the first two VPN products also revealed another requirement: speed. “During our testing, users found a lot of sluggishness in screen updates, particularly when accessing our databases or applications,” Gentilozzi offers, “so we wanted something that was as fast as possible.”
A clientless solution
In March, the IT staff discovered SSL VPN-Plus from NeoAccel. Although the product has options for client-based implementations, the clientless mode was exactly what ACCC needed. The product was faster than the others tested, and it met the security requirements at the same time.
On non-employee devices, for example, the product automatically removes the session information from the user’s system once the session is over. “This gave us the confidence to allow remote access from non-employee computers,” says Gentilozzi.
SSL VPN-Plus also provided highly granular access control with endpoint security checks to handle a range of user situations. “We could say, ‘If you want to file share or send things to the printer or access your desktop system, you need to be on a much more secure machine.’ Those tend to be the machines users have at home,” Gentilozzi says. “If the user is on a remote computer at a conference or a friend or relative’s house, we only allow access to our Web site.”
Based on IT testing, Gentilozzi approved the purchase of two NeoAccel SGX-1200 gateways with licenses for 50 users per device. The total project cost was less than $20,000.
NeoAccel deployed its SGX-1200 SSL VPN-Plus gateway in ACCC’s Houston data center. The NeoAccel installer configured an IP address for the appliance and linked it with the data center’s Windows Active Directory and DHCP servers. The appliance could then direct incoming users to one of a set of specific Web pages for login and services, based on each user’s security profile.
Rather than replicating Active Directory’s role by requiring a separate user database, the NeoAccel device works with it. The SGX-1200 gateway validates user IDs and endpoint security requirements for network access, and then relies on Active Directory’s user profiles to provide access to specific network resources. “We really liked the native integration with Active Directory,” says Gentilozzi. “We couldn’t find another SSL VPN product that offered that.”
Although the SGX-1200’s graphical management interface and built-in integration with Active Directory made creating security profiles for each employee easy, it was a trial-and-error process deciding which employees or employee groups should have access to specific network resources.
“In the beginning, we had everything locked down to just the Web site,” says Gentilozzi, “and then over the course of a week, we worked out specific privilege levels for each user. We’d set up one set of privileges and then the user would request something else, like access to a particular database, and then we’d adjust it.”
In the end, the IT staff grouped users into four basic classes: trusted, semitrusted, quarantined and restricted. In hindsight, Gentilozzi now knows that his team should have mapped out a plan for remote security classifications and privileges in advance, as this would have reduced the initial gateway’s deployment time from one week to as little as a day.
Cookie problem solved
In addition to the configuration process, there was one unexpected glitch. The NeoAccel device, as delivered, could be configured to work with browser cookies either enabled or disabled, but not with both setups at once. Since trusted users would receive cookies but semitrusted users would not, NeoAccel wrote a rule exception into its software during the installation period to provide the needed flexibility.
After two weeks of testing among IT staff with the system fully configured, the Houston gateway was rolled out to production to serve users in Mississippi, Louisiana and Texas. Because the deployment was clientless, all that was necessary to roll out the production system was to send an e-mail to each employee giving the URL of the login Web site.
Once this setup was running, a second SGX-1200 gateway was installed in the Atlanta data center to serve employees in Alabama, Georgia and South Carolina. “We basically copied the same configurations we had used in Houston, and when the second system came to Atlanta, all we had to do was install it and turn it on,” says Gentilozzi.
When a user connects, the SGX-1200 appliance tells the user what level of access he will be getting, based on the endpoint check of the system from which he is logging in. Users of home machines or company-supplied laptops are in the trusted security zone: they have full access to network databases, applications, printers, servers and their own desktop PCs.
If users are at third-party workstations, they can use Web and e-mail services only. “The users are okay with those restrictions since they know they’re not at a trusted machine,” says Gentilozzi.
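The tiering described above is a posture-gated access policy: the gateway first classifies the endpoint, and only then do the user’s Active Directory groups decide which resources inside that ceiling are reachable. The following is an added illustration, not NeoAccel’s code and not ACCC’s actual configuration; the posture attributes it checks, the AD group names and the resource names are all assumptions. It also generalizes slightly beyond the article by showing the fail-closed cases (an unverifiable posture report, or a company machine that fails its health checks) that a deny-by-default policy has to handle.

```python
"""
Added illustration (not NeoAccel's code): a fail-closed policy that turns an
endpoint posture report plus Active Directory group membership into one of the
four remote-access classes the article names (trusted, semitrusted, quarantined,
restricted) and the set of services that class may reach. The posture
attributes, the AD group names and the resource names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class Posture:
    """What the gateway learned about the connecting machine (assumed checks)."""
    report_verified: bool   # the gateway received a posture report it could verify
    managed_device: bool    # company laptop or a registered home PC
    av_healthy: bool        # host anti-virus / health agent reported OK
    os_patched: bool        # OS patch level meets policy


# Services reachable per class. Web and e-mail are the floor for an authenticated
# user on an unknown machine; file, print and desktop access need a trusted machine.
CLASS_SERVICES: Dict[str, FrozenSet[str]] = {
    "trusted": frozenset({"web", "email", "databases", "apps", "printers", "servers", "desktop"}),
    "semitrusted": frozenset({"web", "email"}),
    "quarantined": frozenset({"remediation"}),   # patch/AV update portal only
    "restricted": frozenset(),
}

# AD group -> extra resources, applied only to trusted endpoints (assumed names).
GROUP_RESOURCES: Dict[str, FrozenSet[str]] = {
    "ClaimsManagers": frozenset({"claims_db", "claims_app"}),
    "FieldAppraisers": frozenset({"claim_forms", "photo_upload"}),
}


def classify(p: Posture) -> str:
    """Map a posture report to an access class; anything unverifiable fails closed."""
    if not p.report_verified:
        return "restricted"
    if not p.managed_device:
        # Conference PC or a relative's computer: never more than web and mail.
        return "semitrusted"
    if p.av_healthy and p.os_patched:
        return "trusted"
    # A company machine that fails health checks is held for remediation
    # rather than being granted LAN-level access.
    return "quarantined"


def allowed_resources(p: Posture, ad_groups: Iterable[str]) -> FrozenSet[str]:
    """Endpoint class sets the ceiling; AD groups only add resources under it."""
    cls = classify(p)
    allowed = set(CLASS_SERVICES[cls])
    if cls == "trusted":
        for g in ad_groups:
            allowed |= GROUP_RESOURCES.get(g, frozenset())
    return frozenset(allowed)


def may_access(p: Posture, ad_groups: Iterable[str], resource: str) -> bool:
    """Single authorization decision for one resource request."""
    return resource in allowed_resources(p, ad_groups)


if __name__ == "__main__":
    home_pc = Posture(report_verified=True, managed_device=True, av_healthy=True, os_patched=True)
    kiosk = Posture(report_verified=True, managed_device=False, av_healthy=False, os_patched=False)
    print(classify(home_pc), sorted(allowed_resources(home_pc, ["ClaimsManagers"])))
    print(classify(kiosk), sorted(allowed_resources(kiosk, ["ClaimsManagers"])))
```

The point to notice is the ordering: group membership never widens access beyond what the endpoint class permits, so a claims manager on a hotel kiosk gets the same Web-and-mail floor as anyone else, and a machine whose posture cannot be verified gets nothing at all.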
By providing secure and streamlined remote access for its users, the ACCC IT team has satisfied a growing demand and has significantly improved claims processing and customer service in the bargain. With the ability to log into the network from remote locations, claims managers have been able to approve claims in the evening, during conferences or during time off. Claims that would otherwise have languished on a desk until the employee returned to the office can now be in the company’s system hours or even days earlier.
In addition, field appraisers are speeding the claims process by accessing claim forms and uploading photos of damage from remote sites, rather than having to wait until they return to the office. Most importantly, this improvement in productivity has come with no compromises to ACCC’s network security policies.
Charlie Rubin is a freelance writer based in Alameda, Calif.