Case Study: Wireless Provider's Remote Access Success
Giving mobile users access to enterprise applications and internal portals via an SSL VPN can be tricky. Midwest Wireless' implementation was exceptionally smooth. What's their secret?
How can an organization provide remote users with more-secure, centrally managed access to enterprise applications and intranet portals?
That was the question Mankato, Minn.-based Midwest Wireless asked two years ago, as part of its push to centralize the administration and management of its corporate security policies. Midwest Wireless, founded in 1990, today has 420,000 customers for voice, data, broadband, Internet, and voice over IP (VoIP) services. “Our specialty is coverage in the rural areas of Minnesota, Iowa, and Wisconsin,” notes Jeff Evenson, the company’s manager of enterprise information security.
To help its more than 600 employees connect to enterprise applications when on the go, Midwest Wireless began investigating SSL VPNs, ultimately opting for the Application Intelligent Gateway appliance from Fort Lee, NJ-based Whale Communications.
“One of our systems administrators had suggested we take a look at Whale, and right from the start I was impressed with their salesperson,” says Evenson. “I didn’t feel like we were being over-sold. They took the time to understand what we were doing. In my opinion, that kind of service up front speaks well to what kind of service you can expect later.” Another reason for selecting the Whale SSL VPN, he says, was its out-of-the-box ability to work with many of the applications Midwest Wireless uses in-house.
Implementation proceeded smoothly. “They actually had a Whale programmer on-site here that came out to Minnesota and helped us install it, and it’s pretty much been online consistently since they left,” he says. In fact, the only real implementation challenge involved getting the word out to Midwest Wireless employees that “if you bring up a browser at home or while traveling, you can access what information you need inside the network,” he says.
At first many users—even road warriors—hesitated to use the new functionality. “Now, though, I’ll hear from some of our frequent travelers that they’re comfortable enough that they can leave their computer at home and just rely on the business center at a hotel, or use a kiosk.” Of course, a related benefit is a lowered risk of laptop loss or theft.
Evenson says time spent administering the SSL VPN is minimal, though he occasionally gets a trouble call from the help desk—a user can’t connect. “It might be something they installed on their home computer,” he notes, which is typically the case. If so, the fix is “they just have to clear their browser cache,” which will then prompt them to reinstall the Whale client.
Using ActiveX to Safeguard Sessions
Whale’s client is an ActiveX control, so for all employees’ browsers, “we do have to have ActiveX turned on,” Evenson observes. While that isn’t ideal from a security standpoint, one benefit of using ActiveX is that the browser manages client installation, so IT doesn’t have to distribute disks or create scripts to push software to users at network log-on.
The client also secures the browser for remote access, protecting company-confidential information, then “cleans up its tracks when you close your browser—it deletes the cookies and temporary files associated with that session, and you’re not leaving anything behind.”
While Midwest Wireless isn’t guarding against the loss of any intellectual property in particular, it prefers to play it safe. “I guess we don’t have any big secrets, but you never know what someone will do with what they find out there,” he says.
For user authentication, the SSL VPN integrates with Active Directory, so “we don’t have to duplicate all these user accounts for multiple domains. We can just query the Active Directory to see if they’re even permitted into the network,” notes Evenson. Then with the right credentials, employees can access such applications as the company’s proprietary sales extranet, plus a Microsoft SharePoint portal, Outlook Web Access, native Outlook, and Windows file shares.
Previously, the company didn’t have such flexibility; it relied on a Cisco IPsec VPN in conjunction with a Cisco PIX firewall/VPN appliance. “One of the problems you have there is you’re forced to load their client software up on the endpoint, and it didn’t clean up the session when you were done,” according to Evenson. Furthermore, Midwest Wireless wanted to centrally manage and maintain all security policies, including remote access, and “Cisco isn’t very adaptable to that.”
Even so, Midwest Wireless does still employ the Cisco VPN for power users. “We have some engineers [who] need to be in closer contact with our network, so they can get out and manage the wireless towers, and sometimes the Cisco VPN solution just gives you a closer connect to the resources.” In particular, engineers need direct access—not a Web-based interface—to some tools.
Adding Applications and Portals
Midwest Wireless continues to give employees access to new types of applications and portals via the SSL VPN. “We have added more things as we’ve learned what we can push across the Whale. As an example, our programming group has been developing an application for our external agents—we have a couple hundred agents out there that need to get access to marketing or promotions materials, and technical specs on what’s happening with different things we have going on with our business,” he says.
Yet the application—a portal—lives not in the corporate domain but in a separate one, which meant Midwest Wireless either had to add another SSL VPN or find a way to code around it, which would have been difficult. “We pushed back to Whale and said we have this cross-domain requirement, is it possible to program Whale to allow an external agent to log on, and pass over through Whale that domain that they need to have access to,” he says. “They put some of their guys on it and had it figured out in a week.”
The end result was customized scripts for handing off authentication. That saved having to put a new appliance in place, plus substantial time for Midwest Wireless’s developers.
Soon, Midwest Wireless plans to create a similar portal for other employees, and Evenson again anticipates saving significant development time. Even if developers do encounter portal-related access and administration challenges, however, he’s not worried. “Going forward, they know the first thing to ask is, ‘Can the Whale handle it?’”
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.