The Contra Costa Community College District in California discovered its IPSec VPN gave outside vendors too much access and caused too many support headaches, so it switched to SSL VPN technology and wound up saving money to boot.
The college had been using the VPN capabilities Cisco's PIX firewall to protect connections from technicians servicing applications on servers within the college network, says Katherine Ogden, network technology manager for the schools.
One such vendor accessed the network just to get at a server, or so the school intended, but it turned out the vendor used network access to travel over the school's WAN to desktops on other campuses. The vendor was checking whether the document-imaging software it serviced was updated, but that went beyond what Contra Costa wanted. "We hadn't told them they couldn't do it, but we hadn't thought that they would," Ogden says. "It really upset the campus folks."
IPSec software clients on remote machines also caused headaches, because many of the remote users accessed the network via their home PCs, over which the school had no control. The variety of PC configurations created a support nightmare, Ogden says. The Cisco VPN client also proved incompatible with several users' home Barracuda firewalls running on Windows XP platforms. Another user had a Windows 98 PC going through a shared Internet connection that could not support the VPN at all.
Setting up profiles for different groups of users was difficult, so the school set up a single profile for all administrators and a few profiles for groups of vendors.
That meant when a vendor's contract was up and the school wanted to deny access to that company, all the remaining vendors would have to update their access profiles, something they grumbled about. "They felt we'd just gotten the VPN working, and now we'd broken it," Ogden says.
"We had a lot of issues with the Cisco VPN," Ogden says, so she considered SSL VPNs, because they can support at least Web access with no client and pose fewer firewall issues.
She considered SonicWall as well as NeoAccel gear, and rejected the SonicWall equipment, because it included a firewall that the school didn't need.
The NeoAccel SSL VPN-Plus appliance requires only a Web browser for a client to access Web applications, but the college uses a NeoAccel client that users download themselves. Once it's installed, it works, Ogden says. It has eliminated VPN help-desk calls, which had averaged about two per week with the IPSec VPN.
"I tell them, 'Go to this URL. This will install the client for you, this will give you a user name and password. Let me know if you have any problems.' And then I don't hear from them again. I don't get any VPN problem calls anymore," Ogden says.
Setting user profiles is streamlined, because the NeoAccel gear can grant authorization to use network resources based on existing Active Directory profiles. "I don't necessarily have to give users another user name and password to remember," Ogden says. It's also simpler to set up user accounts so she gives each outside vendor its own. "So if we stop working with a contractor, I just go in and turn off their account," she says.
And by using access-control lists and route restrictions, she can limit what resources contractors can reach. "Now I can say, 'You can get to the server you need to get to, but you can't go across the WAN,'" she says
The SSL VPN gear also checks the remote machines for patches, antivirus software and personal firewalls, Ogden says, reducing the threat that these computers will infect the Contra Costa network.
The SSL VPN will also replace all dial-up access through the school, enabling it to drop two toll-free lines - a cost savings that will help pay for the SSL gear over time, Ogden says. That means the school can also retire some aged Shiva dial-up remote access boxes that have served the school well beyond expectations.
"We tend to run equipment until it's dead, dead and dead," she says. "I'll shut that puppy off, and everyone will have to VPN in."