FRAMINGHAM (09/25/2003) - Like many global companies, Sentry Insurance and risk-management broker Willis use IP Security VPNs to provide IT people and power users with remote access to corporate resources. But with tens of thousands of users at both firms, they find the pressure is mounting to provide remote access to everyone else.
While scaling up their existing Cisco Systems Inc. and Check Point Software Technologies Ltd. VPNs is an option, both companies found the cost and complexity unattractive. What these and countless other firms need is an easy and affordable way to provide access to corporate Web mail, or oftentimes just a single application.
Both companies looked to Secure Sockets Layer (SSL) VPNs, which are easier to scale and deploy.
"Instead of giving users a thick VPN client, we just point them at a URL," says Eliot Irons, Sentry's information security manager. "The insurance industry is highly regulated, and there's a very high awareness of keeping our customers' data safe. I'm trying to give everybody peace of mind."
Irons and Mark Brunette, global information security officer at Willis, selected the SSL VPN they found the most secure, Whale Communications Ltd.'s e-Gap Appliance.
Today, 1,500 Sentry employees and about 20,000 customers - including independent agents and other firms - use e-Gap to access claims databases via a 3720 terminal-emulation program, company intranets, Web Outlook and Sentry's 401(k) program portal. Sentry's agents work from home and other remote locations, and must use two-factor authentication to access the network.
Whale's e-Gap Remote Access device uses application-level filtering to check inbound data for unusual requests and those not defined within the scope of the permitted SSL VPN session. But most notable is Whale's Air Gap hardware platform. The box includes three integrated components: the external e-Gap server, the Air Gap switch and the internal e-Gap server. Each server includes a single-board computer. When the external server receives inbound requests, it strips off any networking information and loads encrypted data onto the Air Gap switch. This component has a memory bank and high-speed analog switch. When it receives data, it disconnects from the external server, switches sides, connects to the internal server and passes along the request.
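The two properties described above, that only the application request crosses the gap and that the switch is never attached to both servers at once, can be expressed as a small model. The following is an added illustration written for this article, not Whale's code or a description of the appliance's internals; the request fields, the permitted scope and the class names are assumptions chosen to make the invariant testable.

```python
from dataclasses import dataclass, field
from enum import Enum


class Side(Enum):
    NONE = "none"
    EXTERNAL = "external"
    INTERNAL = "internal"


class AirGapViolation(Exception):
    """Raised if anything tries to attach the switch to both sides at once."""


class ScopeViolation(Exception):
    """Raised when a request falls outside the permitted session scope."""


@dataclass
class AirGapSwitch:
    """Memory bank plus a switch that touches only one side at a time (model)."""
    connected: Side = Side.NONE
    memory: bytes = b""
    history: list = field(default_factory=list)  # every switch position, for auditing

    def connect(self, side: Side) -> None:
        if self.connected is not Side.NONE:
            raise AirGapViolation(f"already connected to {self.connected.value}")
        self.connected = side
        self.history.append(side)

    def disconnect(self) -> None:
        self.connected = Side.NONE
        self.history.append(Side.NONE)

    def store(self, side: Side, payload: bytes) -> None:
        if self.connected is not side:
            raise AirGapViolation("store attempted from a side that is not connected")
        self.memory = payload

    def fetch(self, side: Side) -> bytes:
        if self.connected is not side:
            raise AirGapViolation("fetch attempted from a side that is not connected")
        payload, self.memory = self.memory, b""
        return payload


# Constructed session scope: the only applications this session may reach (assumption).
PERMITTED_SCOPE = {"methods": {"GET", "POST"}, "path_prefixes": ("/owa/", "/intranet/")}


def filter_request(request: dict) -> bytes:
    """Application-level check on the external side; returns only application bytes."""
    method, path = request["method"], request["path"]
    if method not in PERMITTED_SCOPE["methods"]:
        raise ScopeViolation(f"method {method} not permitted")
    if not path.startswith(PERMITTED_SCOPE["path_prefixes"]):
        raise ScopeViolation(f"path {path} outside session scope")
    if ".." in path or len(path) > 256 or any(c in path for c in "\r\n\0"):
        raise ScopeViolation("malformed or unusual path")
    # Networking details (client address, ports, TCP options) are dropped here;
    # only the application request is loaded onto the switch.
    return f"{method} {path}\n{request.get('body', '')}".encode()


def relay(request: dict, switch: AirGapSwitch) -> bytes:
    """External side filters and stores; the switch flips; internal side fetches."""
    payload = filter_request(request)
    switch.connect(Side.EXTERNAL)
    switch.store(Side.EXTERNAL, payload)
    switch.disconnect()
    switch.connect(Side.INTERNAL)
    delivered = switch.fetch(Side.INTERNAL)
    switch.disconnect()
    return delivered


def never_bridged(switch: AirGapSwitch) -> bool:
    """True if every connection in the history is separated from the next by a disconnect."""
    h = switch.history
    return all(h[i] is Side.NONE or h[i + 1] is Side.NONE for i in range(len(h) - 1))
```

The model makes the security argument from the article explicit: the internal server only ever sees bytes that passed `filter_request`, and `never_bridged` can be checked over the switch history after any number of relays.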
Irons chose Whale quickly because he was familiar with Air Gap technology from his days as a security officer in the U.S. military, where the technology originated. At Sentry's annual security assessment, the outside firm that tested his network perimeter was impressed. "At first they didn't know what we had," Irons says. "Once they figured it out, they gave us a really high mark."
When Brunette came to Willis two years ago, he found the company's iNotes server - which served 55 users in one business unit at the time - sitting in the network demilitarized zone.
"The IT people didn't stop to think that our mail files were potentially accessible via the Internet," Brunette says. "They said it was the easiest way."
Willis gave Brunette the authority and budget to increase security, so Brunette added e-Gap Appliance and moved the iNotes server to the internal network. Now to access e-mail, users log on to a Web page and give their credentials and SecurID, and e-Gap Appliance makes the call to the internal network.
"While it's recommended security practice that you never call from a less secure to a more secure network, you can with Whale because the outside box doesn't really call inside," he says.
Whale also heightens security on the client side. Its Attachment Wiper clears all temp files, browser cache, downloaded files and pages, cookies, history data, user credentials and any other data trace left by a user while accessing corporate resources via a Web browser. E-Gap's Secure Logoff technology replaces HTTP Basic Authentication to ensure the user's credentials are never cached at the client machine. Timeouts must be implemented to ensure user sessions don't stay live indefinitely, and users must re-authenticate periodically.
So far, Brunette has put 4,000 users on the iNotes server in North America; his next challenge is figuring out the best way to extend access to Willis' international offices, which currently are served by slow and expensive dial-up accounts. Because Willis' mail infrastructure is distributed, the company has mail servers in many of its remote offices. While international users could access their mail by going through the single e-Gap Appliance in Nashville, bandwidth constraints in some overseas offices make that approach too slow. Instead, he and his team are considering centralizing mail, selecting some hubs, and putting mail servers with iNotes and e-Gap Appliances at each hub. Another option is to increase the bandwidth and have overseas users access their mail via the single e-Gap Appliance in Nashville.
"Right now, we're profiling our users: What do they need, just mail or access to back-end databases too? Once we figure that out, we'll take our next step," he says.