Secure Connections Get Web-Simple

Getting access to corporate data on the road has usually required special-purpose security software or—horrors—dialing up over a slow modem to headquarters. Many enterprises are finding a path of less resistance: the Web’s built-in security mechanisms.

Three years ago, Continental Airlines wanted to let 1,500 executives and office workers worldwide access e-mail and corporate Web applications—such as those for travel reservation and expense reporting—over the Internet.

The airline gave employees dial-up Internet access software from Fiberlink Communications, along with virtual private network software from Cisco Systems that establishes an encrypted “tunnel,” using the Internet Protocol Security (IPSec) standard, back to a Cisco security appliance at Continental’s Houston headquarters.

But there was a key drawback with IPSec, says Stacey Thomas, the airline’s senior manager of telecommunications: Continental’s support staff spent an inordinate amount of time helping employees get the Cisco IPSec software installed and configured properly—sometimes several hours per individual. It was especially tough, she says, to help employees who wanted to access Continental’s Web portal from their home computers because support technicians didn’t have physical access to those machines.

“We had some real [remote worker] support issues with our IPSec infrastructure, so we changed strategy,” Thomas says.

The new approach: Continental last year rolled out a security device from Juniper Networks that provides encrypted remote access over the Internet with the security standard built into virtually every Web browser, Secure Sockets Layer (SSL).

Now the airline plans to expand the remote access program to let any of its 43,000 employees log into the portal, Mobile CoAir, with an ordinary Web browser. For Thomas’ group, that means no more wrestling with IPSec configurations. “We can offer access from any Internet-connected computer,” she says. “It’s much more user-friendly.”

Cisco, for its part, notes that it provides an SSL option, called WebVPN, for its virtual private network appliances. In addition, the company says, IPSec is more efficient than SSL for accessing non-Web-enabled applications.

But Continental’s experience reflects a broader trend among organizations looking at SSL virtual private network systems as an easier way to let employees and partners connect securely. The category is small, but growing: Research firm Gartner estimates that the number of employees using SSL virtual private networks will grow from fewer than 3 million in 2005 to at least 27 million teleworkers—defined as those who work from home at least one day a week—in 2008.

SSL's ease-of-use appeal is pushing remote access projects built on it to the fore. Kent School District, a 40-school district outside Seattle, bought SSL virtual private network gear from F5 Networks in December 2004, even though it already had a Cisco IPSec VPN.

Thuan Nguyen, Kent School’s director of project management and technical services, says the original goal for the Cisco VPN was to give remote access to 30,000 students, teachers and staff. However, he says, “We never got more than 15 people using it.”

The issue for Nguyen, as in Continental’s case, was that it took far too long for the information-technology staff to set up and support users. Furthermore, he says, the standard Cisco IPSec software simply sets up a secure connection, rather than presenting a menu of applications someone could choose from as the F5 product does.

It took Nguyen’s team about a week to install F5’s FirePass system. Within a month, more than 3,000 teachers and staff were logging into the district’s FirePass portal to access e-mail and student information, and to update Web pages. “The support calls we’ve received have dramatically dropped,” Nguyen says.

The technology has even helped companies form new partnerships. James Richardson International (JRI), a Canadian grain producer and distributor, uses Aventail’s SSL virtual private network appliance as part of a joint venture with a competitor—the Saskatchewan Wheat Pool, according to public records—to operate a shipping terminal in Vancouver.

JRI hosts a Web-based shipping-management application for the joint venture, and Saskatchewan Wheat Pool employees are granted access to only that application through the Aventail system. “Neither of us wanted to fully open up our networks to each other,” says Paul Beaudry, JRI’s director of technical services. “I don’t know how I’d have delivered this without an SSL VPN.”

And in some ways, SSL provides better security than IPSec, says Eric Hanson, manager of information-technology security at Quad/Graphics, a commercial printer in Sussex, Wis. Because an IPSec tunnel provides a full network connection, if a remote computer is infected with a virus, the bug could potentially spread across the main network; an SSL connection, by contrast, is restricted to the Web’s Hypertext Transfer Protocol (HTTP). Quad/Graphics uses SSL-based virtual private network products from Citrix Systems and Juniper to give access to its 11,000 employees. “We don’t have to worry about viruses and worms coming in from remote machines,” Hanson says.

On the other hand, putting an SSL remote-access portal on the public Internet introduces some risk, since it’s accessible to anyone and his Web-hacking brother. The U.S. Fund for Unicef, the child welfare organization based in New York, met the need for easy access and strong security by using security password tokens from RSA Security with F5’s FirePass.

The RSA SecurID devices, small enough to fit on a keychain, display a unique number every 60 seconds. That number must be entered when someone logs into the organization’s portal—an extra level of security necessary for staff members looking up sensitive financial data while traveling the globe, says Abraham George, manager of information technology for the U.S. Fund for Unicef.

“If someone’s at an Internet kiosk in Mozambique,” he says, “we don’t want them to accidentally leave their password sitting on the machine.”
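
The 60-second token code described above, sketched as an added example that is not from the article or from RSA: SecurID's algorithm is proprietary, so this substitutes the open RFC 6238 time-based one-time-password scheme with a 60-second step, and the names `PortalVerifier` and `kiosk_scenario` and the secret are constructed for illustration. It shows why a code left behind on a shared kiosk is useless once it has been used or once the minute rolls over.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code, matching the 60-second token display


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_code(secret: bytes, now: int) -> str:
    """What the token would display at Unix time `now`."""
    return hotp(secret, now // STEP)


class PortalVerifier:
    """Server side: accept each code once, and only in its own time window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest time window already consumed

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        if counter <= self.last_counter:
            return False  # replay: this window's code was already used
        if not hmac.compare_digest(code, hotp(self.secret, counter)):
            return False  # wrong code, or a code from an earlier window
        self.last_counter = counter
        return True


def kiosk_scenario() -> list:
    secret = b"12345678901234567890"  # constructed: the RFC 4226 test secret
    verifier = PortalVerifier(secret)
    code = token_code(secret, 30)  # user reads the token at t=30
    return [
        verifier.verify(code, 35),  # legitimate login: accepted
        verifier.verify(code, 50),  # same code replayed in the same minute
        verifier.verify(code, 65),  # same code tried after the window rolls
        verifier.verify(token_code(secret, 65), 65),  # fresh code: accepted
    ]
```

A production verifier would also tolerate small clock drift between token and server and would pair the code with the user's password or PIN; both are omitted here.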