INTERNET SECURITY

From the March 2003  issue of Communications News

Security concerns are the current “red flags” for many network and IT managers, and at the top of their “to do” lists. Preventing unauthorized access to enterprise networks from external or internal sources, and dealing with the problems associated with more sophisticated and diverse networks, as well as more sophisticated intruders, has increased the task difficulty for these managers. There seem to be as many solutions as there are challenges, especially where the Internet is concerned. Here are some of the solutions implemented successfully in enterprises.

Michael Knocke was a man on a mission. As applications manager at Via Christi Regional Medical Center, a multicampus acute-care facility based in Wichita, Kan. Knocke needed to provide about 1,000 physicians access to digitized radiological, film-less images. Via Christi had been incurring up to $70,000 monthly in film and courier costs and, in an effort to reduce that expense, decided to go digital.

Knocke wanted a way to extend physician access beyond the walls of the center’s secure internal network. “Strong security and easy access were primary requirements,” he explains. “It was important to preserve the cost savings from going film-less, while enabling remote access, and critical to safeguard our network, while positioning it for the Health Insurance Portability and Accountability Act (HIPAA).” HIPAA sets national standards to protect privacy in electronic transactions in the health sector.

“We decided to go with a virtual private network (VPN) but it didn’t take long before we realized that wasn’t feasible,” says Knocke. “The support issues became increasingly difficult. The physicians’ own networks and firewalls were wreaking havoc on our VPN clients and we weren’t staffed to support it.”

Knocke estimates the VPN deployment would have cost about $60,000 annually. In addition, Knocke’s six-person team was dedicating precious time it did not always have to the project.

Via Christi also was investigating how to provide its 4,000 Kansas-based employees secure remote access from any standard Internet browser to the corporate intranet, including e-mail, human resources and other business-critical applications.

“When we began looking at ways to deliver our intranet outside the walls of the institution,” Knocke says, “we came across Whale Communications, and realized we might be able to transmit the digital images through its remote-access product.”

Knocke brought Whale’s e-Gap Remote Access Appliance product in house to test and, after a month, Via Christi began implementing the solution. “We discovered that we could eliminate the (VPN) client altogether and provide technology that leveraged any regular Internet browser,” he says. “But while the product allowed access to our intranet, in order to get a clear return on our investment we had to show that it would work just as well with digital images.”

With the appliance in place, the physicians gained access to a portal specifically tailored to their needs, which includes digital images, lab results, clinical documentation and other patient information. Employees also can gain remote entry to the intranet. Both types of access are granted while adhering to the healthcare’s stringent security requirements.

“Usability for the physicians was important, but what we really liked about the solution were the security features,” offers Knocke. “The appliance limits the scope of what someone can access. The physicians can be any place they have Internet access and get the information they need.” 
The appliance solution is server- rather than client-based. It resides on the network’s perimeter and required no changes to the healthcare system’s infrastructure. The solution also leveraged Via Christi’s existing strong authentication procedures.

“Because the appliance allows us to be physically disconnected from the outside world, we were even able to close some of the holes we had poked through our firewalls,” adds Knocke. “And, the product is constantly filtering all communications to ensure that only legitimate URLs are processed.”

The appliance, which physically disconnects the Internet from the LAN via an air-gap switch, allows applications to be accessed without connecting them to the Internet. This is accomplished by shuttling application-level data over the air gap in real time via dedicated hardware. This architecture, in addition to positive-logic rule sets that allow only expected URLs to pass, mitigates application- and network-level attacks to the corporate network.

Knocke estimates that after a one-time cost of $67,000 for the appliance, he is already saving $40,000 monthly in film and courier costs. “In addition, having a server-based solution makes it simple for us to add and manage users, freeing up our IT team to focus on other issues,” he says. “And, the physicians now have 24/7 access to the information they need to serve their patients better.”

For more information from Whale Communications:
www.rsleads.com/303cn-252

County secures Internet-based access

The security group for information technology services (ITS) in Johnson County, Kan., led by manager Aaron Goff, wanted to serve its citizens better by improving access to information by authorized personnel. Secure remote access to essential applications and resources would speed communications flow for employees and vendors, make mission-critical data more readily available, streamline efficiencies and ultimately cut operation costs, Goff reasoned.

Johnson County is the largest county in Kansas, employing approximately 3,000 workers spread across 477 square miles. The ITS group supports county offices dispersed across six locations and another 20 satellite offices spread across the county. Different offices utilize various information systems–including different applications, networking topologies, computing systems and remote access.

Initially, ITS deployed a VPN for delivering access to information over the Internet. The VPN, however, required that client-side software be installed on each user’s computer, as well as ongoing support and maintenance.

Employees in the 38 county organizations have different Internet service providers, as well, and users faced different complications accessing the LAN located in Olathe through the VPN. ITS was unable to keep up with maintenance demands.

Goff found his answer for his remote-access challenge with a new technology called an instant virtual extranet (IVE), and selected an IVE solution from Neoteris Inc., Mountain View, Calif.

The Neoteris IVE is a hardened network appliance that delivers secure access to applications and information over the Internet via any Web browser, without requiring client software installation or changes to the internal LAN servers. The plug-and-play IVE took less than an hour to set up, Goff says.

The appliance leverages secure sockets layer (SSL) technology included with standard Web browsers, so there was no client software to buy and install. ITS now provisions remote access by adding users in the point-and-click IVE administration console, and directing the user to a predefined URL to log in with a user name and password credential.

“The IVE requires no configuration to the machines our employees are already using, it offers users what they need and it takes care of the support for the ITS help desk,” says Goff.

Users have access to e-mail, file sharing, Web applications and internally developed applications–such as an emergency communications database and a geographic information system used by such departments as public works and wastewater.

The IVE solution delivers access at the application layer, eliminating open-ended, network-layer connections that VPN systems employ. Once authorized, a user session does not expose the county network to vulnerabilities–either malicious hacks or unintended viruses and Trojans.

The IVE was installed at ITS headquarters in 30 minutes, Goff recalls. “After quick setup of the appliance, we e-mailed out a short document on how to use the IVE, and users were up and running in five to 10 minutes,” he says.

In addition to time savings, Johnson County has significantly reduced its expenditures in terms of software and customer support for remote access. On the equipment side, the IVE appliance cost $15,000, compared to the VPN total of $27,500.

For more information from Neoteris:
www.rsleads.com/303cn-253

Card speeds connectivity

Lowering communications costs was one of the first duties assigned to Tony Karakashian when Rochester Midland Corp. (RMC) hired him as network manager. RMC’s network includes 15 branches across the United States and Canada, each with between 10 and 30 users who communicated with the central office via a six-year-old frame relay network.

Each location’s 56K DS0 line was costing more than $2,000 per month, and the slow speed of the network affected staff productivity. Reliability also was an issue.

In searching for a new solution, Karakashian concentrated on using a VPN for the WAN. Unlike frame relay, a VPN offered greater flexibility, and it would allow the company to securely communicate with business partners and customers. Field salespeople also would have access to critical customer data, and senior management would be able to use videoconferencing to communicate with branch managers.

Karakashian looked at numerous potential solutions, ranging in price from $3,000 to $25,000 per location. “I knew I could lower costs further by going with an open-source solution,” says Karakashian, “but, I didn’t know if there was a solid VPN option for Linux.”

Knowing about the firewall and routing capabilities of Linux, Karakashian found an IPSec implementation available in the form of the FreeS/WAN project.

In order to implement T-1 connectivity, WAN cards from Sangoma Technologies, for which support is built into the Linux kernal, were selected. The ISP also used frame relay encapsulation to its backbone, a good fit since the low-level protocols are built into the firmware of the Sangoma cards.

“By using recycled PCs to serve as the routers, we estimated the total cost to each of the branches during the tests at under $800, the cost of the WAN card at the time,” Karakashian says. “For the three branches using DSL, the cost was that of the second Ethernet card, under $20.”

After a few weeks with no downtime, the solution proved itself and was installed across the 15 sites. OS, WAN, firewall and VPN software was set up on each of the systems. To cut down on bandwidth needs and thus reduce RMC’s communication costs further, Karakashian added in secondary services, such as Bind as a caching DNS server at each location, and Squid for Web proxy/caching.

With the old lines still in place, Karakashian was able to install the new system in parallel, simply by reconfiguring the IP addresses of the networked computers to use the new VPN.

For more information from Sangoma Technologies:
www.rsleads.com/303cn-263

An array of improvements

Like most network managers, Texas Health Resources’ (THR) Andy Sutton is committed to using advanced technology to address his organization’s business problems. For Sutton, the core challenge was the range of issues spanning information technology and compliance with the Health Insurance Portability and Accountability Act.

THR is a large, non-profit healthcare organization in the Dallas/Fort Worth area, comprised of 16,000 healthcare professionals, and 13 hospitals and clinics serving 5.4 million people. THR runs many different medical and diagnostic applications within its WAN, including a physicians’ portal called CareGate that provides a single point of access from remote locations to hospital information, healthcare applications, links to medical Web sites and resources, electronic mail, payer data and other services.

CareGate utilizes the latest security tools–encryption, authentication and firewalls–to enable hospitals and physicians to share data securely. Until THR discovered a secure WAN solution, however, providing physicians with secure Internet access to patient information and real-time diagnostics from their homes and remote offices posed a difficult challenge.

“Our goal was to provide physicians with secure, anytime, anywhere access to patient information to assist in making the best-informed medical decisions,” Sutton explains.

THR’s application portfolio consists of hundreds of healthcare applications developed by scores of vendors. Many applications are Web-based, but few were designed for secure access via the Internet. Sutton realized that it would be prohibitively expensive to provide remote access by retooling certain applications or duplicating others on Internet Web servers.

Sutton evaluated Array Networks’ Array SP (Security Proxy) secure-access platform. The platform leverages expertise in multifunction Web-traffic management in a security proxy that integrates accelerated 128-bit SSL encryption/decryption and authentication, authorization and accounting. Sutton determined that the solution could be placed on THR’s network in parallel to its CareGate physicians’ portal to provide single sign-on access to existing patient care and real-time diagnostic applications.

“One of the product’s advantages is no per user licensing, so we knew we could expand the solution without incurring additional license fees,” says Sutton.

THR’s secure access solution, which includes two clustered Array SPs at a cost of $49,995 each, compares to at least $150,000 for a VPN, not including the added costs of remote administration associated with a VPN. In addition, the solution works with existing networks, servers and applications, and does not require THR to customize its demilitarized zone or deploy additional Web servers. Additional applications can be rolled out instantly or with simple changes to the product’s security framework.

Physicians with DSL or cable modem connections can access applications remotely with no performance degradation, and single sign-on capability requires just one password for secure access to multiple applications. The hardware-accelerated solution supports up to 5,000 new SSL connections per second and up to 32,000 concurrent sessions, so THR has not come close to tapping its maximum performance.

Sutton plans to use the Array SP to deploy healthcare applications for THR’s thousands of physicians and eventually to provide employees with remote access to the company’s intranet sites. “The device enables us to deploy secure Web-based services that we could not previously achieve,” says Sutton.

For more information from Array Networks:
www.rsleads.com/303cn-254