A Case for SSL VPNs
Last year, the staff of the Floyd County Prosecutor's office faced a sentence of permanent detention at their desks in the City County Building in New Albany, Ind. With the office slated to go paperless, there was no way to access files and legal documents from remote locations, raising serious productivity problems for attorneys and aides accustomed to working in courtrooms scattered across the county and at home after hours.
Enter IT Administrator Brad Walker with a reprieve. Walker installed a Cisco Adaptive Security Appliance 5510 device with a Secure Sockets Layer virtual private network to allow staff to safely access files through encrypted tunnels over the Internet.
"The objective was for them to have a way to work at home and in the courtroom without paper," says Walker. "Using the VPN, they stay paperless, and it also reduces the possibility of setting down a case file and forgetting it, or dropping a file on the way to the car."
Brad Walker of Floyd County, Ind., implemented a security appliance to enable safe remote access to legal documents.
Photo Credit: Chris Bucher
Walker says he chose the Cisco ASA 5510 with SSL VPN licenses after consulting with colleagues who had experience with the technology, and by comparing products based on scalability, ease of deployment and how well they fit in Floyd County's existing infrastructure. So far, installation and management of the VPN connections have been trouble-free, and users have raised no objections, he adds.
The county, which is situated in southern Indiana on the Kentucky border, is using about 30 of the 100 VPN clients it purchased, though interest in the technology is growing beyond the prosecutor's office. Probation officers have begun to use the VPN to connect to remote desktops using mobile devices in their vehicles.
"[Probation officers] were having trouble synchronizing their data, so we started using the Remote Desktop connection, but that's not as secure as a VPN," Walker says. "Now they are connecting and using Remote Desktop over the VPN."
Walker appreciates the ability to configure the Cisco SSL VPN for individual users to limit remote access to specific files and applications. "We just had a request from contractor mediators who need files from one department," he says. "We can set up the VPN so that they don't have to come into the office, and we can restrict their access."
Walker hasn't calculated return on investment for the Cisco ASA deployment, but its benefits are clear. The VPN was essential to the County Prosecutor's office going paperless, which saves money and provides better access to information, he says. The convenience of secure remote access can change the way probation officers and other county employees do their jobs.
Projected portion of the U.S. workforce that will be mobile workers by 2013, according to IDC's "Worldwide Mobile Worker Population 2009–2013 Forecast."
"It's more about security, for me, than return on investment, but the value is clear either way," Walker says.
Security is also the prime reason Goshen County, Wyo., uses a WatchGuard Firebox x750e unified threat management appliance. "From a network and infrastructure standpoint, I want us to be enterprise-quality and enterprise-secure," says Gary Meerkreebs, the county's manager of IT.
Goshen County uses the SSL VPN to connect to the state's Division of Criminal Investigation in Cheyenne and to the Federal Bureau of Investigation, says Meerkreebs. IT maintains a separate VPN connection between the county's sex offender registry and the state DCI. In addition, the county assessor's office connects via VPN to the state assessor's office, and some external vendors have VPN links to specific information and applications to aid their work for the county.
Meerkreebs and his small staff also maintain VPN links to the IT infrastructure for remote troubleshooting. "As long as we can get Internet, we can get into the VPN and work on something," he says.
Providing secure remote access to employees has been a given for many years in the private sector, but government agencies are just catching up, says John Pescatore, Gartner vice president and research fellow. "We estimate that there are probably more than 15 million VPN seats out there, so the technology is widespread," Pescatore says. "But county and local government employees are just beginning to need more mobility."
Pescatore says SSL VPNs have become the most common choice for mobile access because they are typically more robust than VPNs based on the IPsec protocol, especially for wireless applications.
Although VPNs are designed to create safe remote connections to systems and free employees to work anywhere, it's best to take extra precautions when employees use home PCs, recommends John Pescatore, Gartner vice president and research fellow.
Unlike IPsec VPNs, SSL VPNs do not require IT to install client software on user PCs, allowing them to connect from their home PCs or other unmanaged devices, Pescatore says. At the very least, organizations have to set a policy governing what devices can be connected via the VPN.
Pescatore also notes that one-third of all home PCs have been infected by botnet agents that linger in the background and steal passwords and information. Remote access should depend on stronger authentication than passwords alone, especially on home machines. Using two forms of authentication is the best practice, with physical tokens and biometrics as part of the secure access formula.