The Distributed Enterprise
Security brought to light
Like many rapidly growing retailers, Seattle Lighting has had to ramp up its technology to meet its expanding business goals. The secret, says IT manager Pat Beemer, is in finding solutions that users will adopt–and IT can deploy–without creating more problems than they solve.
Over the past 90 years, Seattle Lighting has established itself as a leading supplier of lighting fixtures and accessories in the Pacific Northwest. In addition to six Seattle-area locations and a clearance outlet, the company now operates six showrooms near Portland, another in Boise, Idaho, and an online e-commerce brand (DestinationLighting.com).
With its rapid growth and expansion, the retailer realized a need for its executive and administrative staff, inside and outside sales representatives, store managers, and key business partners to obtain secure remote access to mission-critical resources.
The company's primary remote access need is for the distribution-management system–crucial to Seattle Lighting's operations–hosted on a back-end IBM RS/6000. Secondary needs include remote access to document files, e-mail, accounting applications and support for the e-commerce Web site.
Seattle Lighting originally provided remote access to its distribution-management system using terminal emulation via telnet, an unencrypted protocol, which presented security vulnerabilities at the firewall. With its rapidly expanding PC inventory and upgrades to its network infrastructure, however, the company retired the legacy VAX system and migrated from character-based terminal services to a Windows-based approach.
FIREWALL NOT ENOUGH
To provide virtual private network (VPN) access to distribution management and other business resources, Seattle Lighting deployed a WatchGuard Firebox firewall with integrated IPSec VPN functionality. The outside sales team was the first group to use the VPN, but because IPSec required a resident "fat" client on the endpoint device, the IT staff immediately ran into the kind of configuration and conflict issues often encountered when extending IPSec VPNs beyond IT-controlled site-to-site environments.
"One of our top reps tried to access the system from a home computer when it crashed," says Beemer. "After a day of troubleshooting on a three-way conference call with WatchGuard, we had to wipe the PC clean the next day just to get it restarted.
"With the configuration problems, I had to hold back on offering remote access for many of the use cases that were driving the need in the first place. It was clear we needed to look at alternatives."
Then Seattle Lighting's solution provider, Network Computing Architects, suggested an SSL VPN solution from Aventail (now SonicWALL Aventail).
SSL VPNs do not require the installation or configuration of a fat client, which eliminated many of the deployment and configuration issues of the IPSec solution. Beemer saw an opportunity to streamline deployment by providing users with either Web-delivered "thin client" or clientless browser access to Web applications, client/server applications and file shares, from a range of browsers and operating systems.
"The primary factor in selecting our solution was simplicity," says Beemer. "It took under an hour to install and set up the appliance."
The solution employs a centralized object-based policy model with a single rule set to manage and cascade policy across users, groups, resources and devices. "I didn't need to phase deployment," Beemer adds. "User access policy is based on their existing membership in Active Directory groups. I simply provided users with a URL."
For unmanaged endpoints, policy decisions to allow or restrict access are enacted automatically based on the identity of the user and the security of the endpoint. The remote security appliance interrogates the endpoint environment prior to authentication to determine the identity of the endpoint device and to confirm endpoint security criteria, such as current antivirus updates or certificate-based watermarks.
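The policy model described above (one rule set cascading across users, groups, resources and devices, with the endpoint's posture checked before the access method is chosen) can be sketched as a small first-match rule engine. The following is an added example, not Aventail's code or configuration: the group names, resource names, device zones and rules are constructed for illustration, and the two posture checks mirror the criteria the article names (antivirus status and a certificate watermark).

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

ANY = "*"  # wildcard usable in a rule's groups, resources or zones


@dataclass(frozen=True)
class Posture:
    """Endpoint facts gathered before authentication (constructed checks)."""
    cert_watermark: bool      # device carries an IT-issued client certificate
    antivirus_current: bool   # antivirus signatures are up to date


def classify_zone(posture: Posture) -> str:
    """Map raw posture to a device zone that rules can refer to."""
    if posture.cert_watermark and posture.antivirus_current:
        return "trusted"        # managed, healthy device
    if posture.antivirus_current:
        return "semi-trusted"   # unmanaged but patched, e.g. a home PC
    return "untrusted"


@dataclass(frozen=True)
class Rule:
    groups: FrozenSet[str]     # Active Directory groups; any one suffices
    resources: FrozenSet[str]
    zones: FrozenSet[str]
    action: str                # "allow" or "deny"
    method: Optional[str]      # "thin-client", "clientless" or None on deny


def _matches(rule_set: FrozenSet[str], values: FrozenSet[str]) -> bool:
    return ANY in rule_set or bool(rule_set & values)


# Constructed rule set, evaluated top to bottom; the first match wins.
# Client/server applications need the Web-delivered thin client and are
# limited to trusted devices; Web applications get clientless browser
# access from any device that passes the antivirus check.
RULES = [
    Rule(frozenset({ANY}), frozenset({ANY}), frozenset({"untrusted"}),
         "deny", None),
    Rule(frozenset({"Sales", "Managers", "IT"}),
         frozenset({"distribution-mgmt", "file-shares"}),
         frozenset({"trusted"}), "allow", "thin-client"),
    Rule(frozenset({"Staff"}), frozenset({"email", "intranet"}),
         frozenset({"trusted", "semi-trusted"}), "allow", "clientless"),
    Rule(frozenset({"Partners", "Sales"}), frozenset({"partner-extranet"}),
         frozenset({"trusted", "semi-trusted"}), "allow", "clientless"),
]


def decide(groups: Iterable[str], resource: str,
           posture: Posture) -> Tuple[str, Optional[str], str]:
    """Return (action, access method, zone) for one access request."""
    zone = classify_zone(posture)
    group_set = frozenset(groups)
    for rule in RULES:
        if (_matches(rule.groups, group_set)
                and _matches(rule.resources, frozenset({resource}))
                and zone in rule.zones):
            return rule.action, rule.method, zone
    return "deny", None, zone   # nothing matched: default deny


if __name__ == "__main__":
    home_pc = Posture(cert_watermark=False, antivirus_current=True)
    print(decide({"Sales", "Staff"}, "distribution-mgmt", home_pc))
    print(decide({"Sales", "Staff"}, "email", home_pc))
```

The default-deny fall-through and the explicit "untrusted" rule at the top are the two properties worth checking in any such engine: a device that fails the posture check never reaches a resource rule, and a request no rule addresses is refused rather than silently allowed.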
IMMEDIATE RESULTS
The results for Seattle Lighting were significant–and immediate. "It was like I flipped a switch and turned on remote security for my users," says Beemer. The secure solution extends user-friendly mobile access to executive, managerial, IT and sales staff from anywhere they can access a browser. The mobility solution automatically deploys an appropriate access method based on the user's identity, endpoint security and the resource requested.
Now, authorized Seattle Lighting staff and partners can remotely access distribution inventory, point-of-sale, customer relationship management, e-mail, intranet and partner extranet resources. "A major success has been with outside sales," says Beemer. Before, Beemer had to restrict the team's access from unmanaged devices. Now, with the security of SSL VPN, their remote productivity has skyrocketed.
Beemer sees this initial success as only the beginning. "As a retailer, we are very committed to meeting compliance with PCI regulations," he says, referring to the Payment Card Industry Data Security Standard. "One way we're addressing this is by looking into using our remote security appliance to implement two-factor authentication."
The solution includes multiple integrated options for authentication, including user name/password and two-factor authentication, such as RSA SecurID tokens and client-based digital certificates.
by Jane Shurtleff
Enterprises need a WAN infrastructure and risk-management strategy that can support risk and compliance requirements, as well as drive efficiency and productive collaboration within and among internal organizations. This same WAN infrastructure also should protect content between enterprises, business partners and customers–all in support of Web-based sharing and collaboration.
As these businesses globally deploy Web-based enterprise content-management solutions, both application performance and security challenges come into play. The inherent performance issues of WANs, such as low bandwidth and high network latency, usually make response times for Web-based content unacceptable to most users. Many companies turn to WAN acceleration devices to address this problem.
On the security side, enterprises addressing the issue of preventing data theft in transit between authorized users and corporate servers are using the secure sockets layer (SSL) protocol, or HTTPS in Web environments, to encrypt content over the WAN. With SSL, however, all session-layer data is encrypted, and encrypted data is not compressible. Because WAN acceleration devices can no longer see the protocol fields or content contained in encrypted traffic, all acceleration ceases and application response time slows to a crawl.
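The claim that encrypted traffic cannot be compressed is easy to measure. The following added example (not code from the column or from Certeon) compresses a constructed, repetitive catalogue page once in the clear and once after encryption, and reports the ratio for each. The cipher is a toy counter-mode construction built from HMAC-SHA256 so the block runs with only the standard library; it stands in for TLS record encryption in this measurement and is not a substitute for it. The page contents, key and nonce are all constructed.

```python
import hashlib
import hmac
import zlib


def build_sample_page(rows: int = 400) -> bytes:
    """Constructed sample: a repetitive product-catalogue page of the kind a
    Web-based content-management system serves over the WAN."""
    body = b"".join(
        b'<tr><td class="item">Fixture %05d</td>'
        b'<td class="price">$%d.99</td></tr>\n' % (i, 40 + i % 60)
        for i in range(rows)
    )
    return b"<html><body><table>\n" + body + b"</table></body></html>\n"


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher from HMAC-SHA256 (illustrative only, not
    TLS). Each 32-byte keystream block is HMAC(key, nonce || counter); XOR
    makes the function its own inverse, so it both encrypts and decrypts."""
    out = bytearray()
    block_size = hashlib.sha256().digest_size
    for block_no in range((len(data) + block_size - 1) // block_size):
        counter = block_no.to_bytes(8, "big")
        keystream = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        chunk = data[block_no * block_size:(block_no + 1) * block_size]
        out.extend(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size; 1.0 or more means no gain."""
    return len(zlib.compress(data, 9)) / len(data)


DEMO_KEY = hashlib.sha256(b"constructed demo session key").digest()  # constructed
DEMO_NONCE = b"demo-nonce-0001"                                     # constructed


def compare_compressibility(page: bytes = b"") -> dict:
    """Ratio for the same page in the clear and after encryption."""
    if not page:
        page = build_sample_page()
    ciphertext = toy_stream_cipher(DEMO_KEY, DEMO_NONCE, page)
    return {
        "plaintext_ratio": compression_ratio(page),
        "ciphertext_ratio": compression_ratio(ciphertext),
        "round_trip_ok": toy_stream_cipher(DEMO_KEY, DEMO_NONCE, ciphertext) == page,
    }


if __name__ == "__main__":
    result = compare_compressibility()
    print(f"plaintext compresses to {result['plaintext_ratio']:.1%} of its size")
    print(f"ciphertext compresses to {result['ciphertext_ratio']:.1%} of its size")
```

The plaintext page shrinks to a small fraction of its size, while the ciphertext comes out very slightly larger than it went in (deflate stores incompressible input verbatim plus block headers). This is exactly the position an accelerator sitting on an HTTPS session is in, and why the approaches discussed next either terminate SSL in the accelerator or give up on optimisation.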
Enterprises need to find a balance between content security and remote access performance. This involves developing a WAN infrastructure that ensures specific content security, not just network perimeter security, and can efficiently accelerate encrypted content without compromising its security or integrity.
In order to overcome these problems, techniques should be deployed that maintain data security over the network, yet enable protocols and content to be accessible for optimization. The solution also should relieve the data center server from the large amount of CPU overhead that results from processing encrypted traffic.
One means of accomplishing this is to employ application-acceleration devices that support HTTPS proxies with distributed SSL off-load capabilities at both the client and server locations. HTTPS proxies reduce the number of round trips over the WAN required in setting up an SSL connection between the remote client and the server.
Once that setup is complete, SSL termination and decryption expose the data in "clear text" within the WAN acceleration device to enable further data optimizations. Data is then re-encrypted within the IPsec tunnel and securely sent over the network.
In normal use, each server maintains its own private encryption key. In employing acceleration devices with HTTPS proxies, such devices likewise need the server's private key in order to carry out SSL processing. In doing so, such devices should always keep private server keys securely in the data center and not distribute them to the branch office. This ensures that even if the remote-acceleration device is compromised, the server's private key is safe at the data center. The application-acceleration device should also have the ability to encrypt data within its databases to further secure the content from local breaches.
The distributed SSL off-load capability within application-acceleration devices also takes CPU-intensive encryption, decryption and compression work away from the server, freeing it for more application processing. HTTPS proxies with distributed SSL off-load can ensure security and data integrity while accelerating content access over the WAN for productive Web-based sharing and collaboration.
Jane Shurtleff is marketing director for Certeon, Burlington, Mass.