Case Study: UCI Cinema Adopts SSL VPN for Anytime, Anywhere Access
With personal e-mail available in an instant from any connected PC via free Web-mail accounts, users want to know why their corporate e-mail, applications, and documents can’t behave the same way.
Anytime, anywhere access to the corporate network is increasingly in demand by today's mobile users. If personal e-mail is available in an instant from any connected PC via Yahoo, Hotmail, or other free, Web-based e-mail accounts, why can't corporate e-mail, applications, and documents behave the same way? Of course, those features are available, but granting Web access to sensitive corporate applications, and keeping the setup secure, takes finesse.
One solution is to use SSL VPN; the technology gives remote users access to e-mail and other behind-the-firewall resources. Given users’ desires, and the technology’s feature set, perhaps it’s no surprise that VPNs are hot. According to Forrester Research, 55 percent of all enterprises will deploy more of them in the next 12 months.
Vendors are rushing in too; there have been a wave of SSL VPN acquisitions in the past year. Symantec purchased SafeWeb, F5 bought uRoam, and NetScreen purchased Neoteris last year, only to be acquired by Juniper this year.
Unlike more traditional IPsec or L2TP VPNs, SSL VPNs offer companies more ubiquitous (and authenticated) connectivity. One potential downside, however, can be that IT may not know whether the endpoint itself is secure.
The desire to give employees secure, anywhere-access to their e-mail and corporate applications drove UCI Cinemas, a Paramount and Universal joint venture based in Manchester, England, toward SSL VPNs. UCI owns and operates over 100 multiplex cinemas in Europe, the Far East, and South America.
UCI was already using VPN technology. “We had the IPsec VPN clients, which allowed users on dedicated laptops to connect,” says Danny Larah, group infrastructure manager at UCI Cinemas. UCI also had an Outlook Web Access (OWA) service for employees.
There were two problem areas, says Larah. First, IT had to maintain IPsec on the designated laptops. “We had remote-support issues, getting it to work, password expiry,” he says. “At the same time, OWA was a security risk … just too much of a risk” to keep using, given Microsoft’s implementation of OWA in Exchange, he says.
Meanwhile, SSL VPNs were getting extensive press coverage. “We were seeing these SSL VPN appliances were quite secure and could deliver these applications to users no matter where they were—Internet café, at home, or indeed on a UCI laptop.”
The company moved quickly; a security audit had recommended a stop to using OWA. In July 2003, UCI evaluated a range of SSL VPNs, short-listing three companies: Aventail, Neoteris, and Netilla. “There wasn’t really much difference between them in terms of functionality, each had its little differences,” says Larah. During one demonstration, Aventail couldn’t get its VPN to work. UCI chose from the remaining two, which came down to “just a pricing issue.” It selected Netilla, and LANsition, a British wireless, mobility, and connectivity service firm, performed the systems integration.
“Any system I select is based on two factors: the technology, but also the company behind it. We get the answers we want, but the after-sale service can ‘do or die’ a system like this,” says Larah. He says implementation went smoothly, with the appliance installing in about an hour. UCI had to tweak settings in its Web applications—especially the Java ones—to work with the VPN, but “the learning curve was much less than in systems I’ve used before.” Then all employees got a half-hour one-on-one session to explain the new setup. UCI had the VPN live and in use by September 2003.
Administration is much easier now, reports Larah. Every laptop has global dial-up software from British Telecom, not an IPsec VPN. “To talk a user into getting an Internet dialer working is far easier than trying to talk them through getting an IPSec client working.”
UCI uses two-factor authentication for remote access. Users must first log on to the SSL VPN with their Windows NT username and password; UCI is currently upgrading to Active Directory. Then users are challenged for a PIN number from their security fob. “The PIN is something they know, and the fob is something they have,” says Larah.
The key fobs—security tokens—come from Signify Solutions Ltd., a managed secure-identification service based in Cambridge, England. Using a managed service provider for the fobs saves UCI from running its own, dedicated RSA server, or from dealing with round-the-clock support for users from Japan, to Britain, to Brazil. “It’s an excellent service. We can control the fobs from a Web-based interface, we can order new ones, they get shipped to the user,” he says. As part of orientation, users learned how to use and register their fobs online.
If a user loses a fob, they get 10 one-time security codes from Signify while waiting for the new fob. “We’ve lost three so far, out of 50—not so bad—and had one crushed, I think,” says Larah.
Users rave about the new setup, which allows them to access e-mail, as well as internal corporate applications—for example, to monitor the state of the business. “It was so well received by the community. The managing director of the company was saying he doesn’t take his laptop with him [anymore], because he’s always near an Internet café somewhere.”
Netilla is responsive to feature requests, says Larah, and has included some of his in their development cycle. For example, Larah asked Netilla to alter its user interface to consolidate various access options --- reverse proxy, SSL tunnel, file and print access—onto one screen, instead of in different tabs, to simplify options for end users.
Larah also plans to offer the file and print services built into the SSL VPN to users soon, so they can download and work on files remotely. While the technology is in place, on the interface side “it’s very raw at the moment,” he says. Currently users would have access to all services, and have to go to the right share level to access any one in particular, so he hasn’t enabled the service. Still, he notes, “that is coming.”
Locking Down Endpoints to Prevent Virus Resurgence
SSL VPNs with SAML Hit the Market
Q&A: Securing Mobile Workers
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.