Computer Security: When Everybody Wants Network Access
By Deborah Gage | Posted 2007-03-15
At Mississippi's Corrections Department, more people were using remote computing devices. The agency's network manager had to find a way to secure their communications.
The Problem: Providing workers with secure network access, especially when they continue to get new wireless devices.
The Details: At the Mississippi Department of Corrections, wireless laptops and smart phones are becoming more popular. Jerry Horton, the network manager, has to make sure they are used safely. The 300 or so parole officers who spend their days visiting parolees and going to court like to jump onto the network from wherever they are so they can get more work done. Various judges and other officials now want wireless access, too.
But Horton couldn't accommodate these people with the equipment at hand: a Secure Sockets Layer (SSL) appliance from NetSilica in Piscataway, N.J., that he'd installed a few years earlier, when the department stopped using dial-up lines for Internet access. That box was complicated to administer, Horton says; for example, it required him to type long, cumbersome commands.
No one at the company could be reached for comment, but former NetSilica CEO Bob Marmon disagrees that NetSilica's appliance is hard to use. "We can't be everything to everybody," he says. NetSilica is being taken over by a coalition of its customers and new investors who will guide the product's development, Marmon says.
To add to Horton's challenges, he is sometimes short of information-technology staff, which can make it tricky to comply with the I.T. standards set by the state of Mississippi. All remote network sessions have to be encrypted and authenticated according to the Internet Protocol Security (IPsec) standard, for instance. Because IPsec, at least without NAT traversal, does not pass cleanly through address translation, that in practice meant each machine coming into the network had to have its own registered (publicly routable) Internet Protocol (IP) address.
At the department's prisons, this meant only one person at a time could get on the network, because each prison has a single registered IP address on its outside router. That one address could be mapped, through Network Address Translation (NAT) on the router, to several unregistered (private) addresses inside the prison so more people could get on, but many prisons don't have the staff to set up NAT. "In one of our regional jails, their doctor set up their local network," Horton says.
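A configuration of the kind the prisons would have needed, as an added illustration that is not from the article or from the department's own routers: Cisco IOS NAT overload, which maps many unregistered inside addresses onto the single registered address of the outside interface. The interface names, the 203.0.113.10 outside address (RFC 5737 documentation range) and the 192.168.10.0/24 inside range (RFC 1918) are assumptions.

```cisco
! Added example, not the department's configuration. Addresses and
! interface names are hypothetical.
!
! Outside interface carries the prison's one registered address.
interface FastEthernet0/0
 description Registered address facing the state network
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
! Inside interface serves the prison LAN on unregistered (RFC 1918) space.
interface FastEthernet0/1
 description Prison LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Only the prison LAN is eligible for translation.
access-list 10 permit 192.168.10.0 0.0.0.255
!
! "overload" enables port address translation: every inside host shares
! the outside interface's single address, distinguished by source port.
ip nat inside source list 10 interface FastEthernet0/0 overload
!
! Default route toward the state network.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

With this in place, `show ip nat translations` lists the inside-to-outside port mappings. The caveat that underlies the department's problem: IPsec through such a translator works only if both ends support NAT traversal (RFC 3947/3948, ESP wrapped in UDP port 4500), because AH covers the IP header that NAT rewrites and ESP carries no port numbers for a port-translating NAT to multiplex on. An SSL VPN, which rides on an ordinary TCP connection, has no such dependency.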
The Solution: An SSL VPN appliance from Seattle-based Aventail. Horton says he chose Aventail's product after reading reviews in trade magazines and talking to vendors and other people in state government. It has a simple browser interface, took one morning to install and seemed to support the features he needed.
Horton likes the fact that as Aventail continues to improve the product, its engineers work with the state of Mississippi to tweak the software to meet the state's security standards. For instance, Aventail's appliance can check machines coming in from networks that don't belong to the department, to make sure their software patches and antivirus software are up to date before they are allowed in.
The appliance works over a variety of wireless carrier networks, including EV-DO (the CDMA data service) and GSM-based data service. That is handy, too, according to Horton, because he will soon have to trade in the devices his department is using now. After Hurricane Katrina, the state decided to use just one wireless vendor at a time to make sure all its systems could communicate during emergencies. A new contract was just awarded to Cellular South.
The Result: Aventail's appliance allows the corrections department to function in a way it couldn't before, Horton says. Initially, the department spent $14,000 on Aventail's box and 25 licenses, and has continued to add licenses. He's also adding an extra box with emergency licenses that will serve as a backup system should the first box go down.
Even though Aventail would replace a dead box the next day, he says, "There would be a lot of screaming if people here had to wait 24 hours to get on the network."