
Streamline Your Teleworking Systems


By Abby Tang

 

Teleworking can raise worker productivity in a distributed enterprise environment but deployment can be demanding. Streamline your implementation with these handy tips.

 

 

Introduction



Tele-networking, or telework, refers to working away from the office using remote access networking technology. It can mean working from home and working ‘mobile’ such as from a hotel room or airport lounge.


Along with extranet access, which is remote access provided to partners or vendors outside of the organisation, telework enables the ‘extended enterprise’ concept of a distributed organisation with geographically diverse resources and staff.


While telework can increase productivity, save costs and keep your business running during emergencies, many organisations have experienced problems with providing remote access solutions, typically those based on IPSec technology. These problems include end-user frustration, high deployment costs, and expensive ongoing support. IPSec-based access is also susceptible to sophisticated and increasingly frequent cyber-attacks.


Virtual private networking (VPN) using Secure Sockets Layer (SSL) technology offers an excellent alternative to an IPSec-based VPN solution. SSL VPNs address the needs of diverse audiences that access administrator-specified corporate resources from anywhere in the world, over a standard Internet connection, even as access methods and users’ circumstances change.


The following section details twelve guidelines for effective telework using an SSL VPN.


10 Guidelines For Effective Telework Using An SSL VPN


Step 1: Use Standard Web Browsers

By using only standard Web browsers (such as Firefox or Internet Explorer), administrators eliminate the need to install a VPN client application on every end-user device used for remote access. Unlike IPSec networking, where a full software client must be loaded on each device, SSL VPN remote access is client-less, saving cost and aggravation for both IT staff members and end-users. Where a thin-client is needed for more sophisticated access, it can be dynamically downloaded for the session. Best of all, this process is fully automatic and transparent to end-users.


Step 2: Set Up End-point Security

An SSL VPN appliance can also automatically perform a pre-authentication assessment of end-user network and system attributes. This ensures a secure environment before user credentials are exchanged. Where available, this “Host Checker” feature can ascertain the security posture of the end-user device and search for specific files and running processes, as well as registry settings, on the connecting system. Checks can also require or restrict the connection to specific network ports, verify the source IP address, and validate the presence of digital certificates.


Step 3: Configure Access Privilege Management

Define users’ access to applications and information resources – with sufficient granularity. Dynamic access privilege management can be determined for each session and should be based on user identity, the type of connecting device, administrator-defined host checker security controls, and network trust levels. The result is best mapped to a granular resource access control policy that specifically includes the URL, server, and application or file. This level of control over application access is not only strong security, but also supports regulatory compliance efforts by creating logs for auditing.
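As an added illustration of Steps 2 and 3 (not code from the article or from any vendor's product), the sketch below maps a session to a role from the host check result, device type and network trust, then checks each request against a default-deny resource policy and records the decision. The role names, hostnames and policy entries are constructed for the example.

```python
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit, urlunsplit

@dataclass(frozen=True)
class Session:
    user: str
    managed_device: bool     # device type: corporate-managed or not
    host_check_passed: bool  # outcome of the pre-authentication host check
    trusted_network: bool    # source network is on the admin-defined trusted list

# Constructed policy: role -> resource patterns (URL, server and port, file share).
ROLE_RESOURCES = {
    "full": ["https://intranet.example/*", "tcp://mail.example:993",
             "smb://files.example/finance/*"],
    "restricted": ["https://intranet.example/webmail/*"],
    "quarantine": ["https://intranet.example/remediation/*"],
}

def assign_role(s: Session) -> str:
    """Evaluated once per session; the most restrictive condition wins."""
    if not s.host_check_passed:
        return "quarantine"
    if not (s.managed_device and s.trusted_network):
        return "restricted"
    return "full"

def normalize(resource: str) -> str:
    """Decode once and collapse '.'/'..' segments so they cannot ride a wildcard."""
    p = urlsplit(resource)
    path = posixpath.normpath(unquote(p.path)) if p.path else ""
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, "", ""))

def authorize(s: Session, resource: str, audit: list) -> bool:
    """Default deny; every decision is appended to the audit trail."""
    role, target = assign_role(s), normalize(resource)
    allowed = any(fnmatchcase(target, pat) for pat in ROLE_RESOURCES[role])
    audit.append({"user": s.user, "role": role, "resource": target,
                  "decision": "allow" if allowed else "deny"})
    return allowed
```

The audit list stands in for the per-session access log that Step 3 relies on for compliance auditing.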


Step 4: Deliver Access to Multiple Types of Applications

With quality SSL VPN solutions, users are not limited to Web-enabled applications only but also have remote access to non-Web applications and information. These include traditional client/server applications such as MS Outlook, IBM Lotus Notes, MSTS and Citrix ICA. End users can use these familiar applications without the retraining required for Web-based variants.


Step 5: Deliver Network Level Access to Those Who Need It

While an SSL VPN does not require software pre-installation, not all solutions allow network level access. Where available, this type of access provides the same level of network flexibility as traditional IPSec VPN connections, but without the burden of IPSec client maintenance or potential network snags, such as NAT issues.


Ideally, a dynamic lightweight client applet based on Java or ActiveX is automatically downloaded after login to the remote machine. The applet would run during the session without any user involvement or even awareness, and should be supported on a wide range of user platforms, including Macintosh, Windows, and Linux.


Step 6: Tie into the Existing User Authentication System

Your SSL VPN should interoperate with your existing user authentication and PKI system. Whether your organization is using LDAP, RADIUS, NT Domains, ACE, Unix NIS, or a local user database, the remote access solution should utilize existing systems for user authentication and authorisation and ensure higher security.


Step 7: Configure for "Always On" High Availability (HA)

High Availability (HA) is essential to ensure seamless failover with minimal downtime. Check that the SSL VPN solution offers HA capability at reasonable cost and overhead.


Step 8: Configure Event Logging

Configure event logging to support business and security objectives. Events, user-access and administrator activity all generate highly granular logs that are stored locally, and can be sent out in SYSLOG format. User connections should be fully logged and provide both access and usage information for security, system provisioning and compliance auditing.


Step 9: Customise User Interfaces (Optional)

Based on the specific user group or role, customisable sign-on Web pages provide an individualized look and feel. Also, specific features and functions can be made available or kept hidden from the user on the customised page. With this functionality, a single investment in an SSL VPN can be leveraged across various departments, tailored for specific team requirements. This customized user interface capability is especially useful for extranet applications.


Step 10: Configure Role-based Delegation

Your SSL VPN solution should support administrative separation, allowing the main administrator to delegate system control of access policy configurations and settings, giving team leaders direct ownership where it makes sense. Role-based delegation can also support the leveraging of a single device across various groups and is especially useful for extranet applications, offering flexibility and enhancing cost effectiveness.


Additional Steps for Higher Performance

Once an organisation has followed these 10 easy steps and implemented a secure telework environment, it can then take additional steps towards a coordinated threat control posture around critical assets and optimisation of WAN connectivity.


Step 11: Implement Coordinated Threat Control

The increased need for remote access must be balanced with steps to ensure valuable resources and assets are protected from intentional or unintentional attacks, including viruses, Trojans, worms, and spyware. A common way of adding security to a remote access deployment is to use Intrusion Prevention and Detection (IDP) technologies. But simply deploying IDP behind an SSL VPN may be inadequate. When malicious traffic is detected in such an instance, it can be difficult to correlate the malicious tunneled traffic to a specific user.


Your SSL VPN should allow the IDP solution to tie the session identity of the SSL VPN with threat detection capabilities to effectively identify, stop, and remediate both network and application-level threats within remote access traffic.


In this configuration, when the IDP system detects a threat or any traffic that breaks an administrator-configured rule, it signals the SSL VPN appliance, which then uses the information to identify the user session that is the source of the undesired traffic. The appliance can then take action, including terminating the user session, disabling the user’s account or mapping the user into a quarantine role.
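The correlation step can be sketched as follows. This is an added example, not code from the article or from any IDP or SSL VPN product; the data model, the severity scale and the mapping from severity to response are assumptions made for illustration. It matches an alert to a session by tunnel address and time, since a leased address alone can point at the wrong user.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class VpnSession:
    user: str
    tunnel_ip: str             # address leased to the user for this session
    start: datetime
    end: Optional[datetime]    # None while the session is still active
    role: str = "full"

@dataclass(frozen=True)
class IdpAlert:
    src_ip: str
    seen_at: datetime
    severity: str              # "low", "medium" or "high" (constructed scale)

def find_session(sessions, alert):
    """Match on tunnel IP and time, because leased addresses are reused."""
    for s in sessions:
        ended = s.end is not None and alert.seen_at > s.end
        if s.tunnel_ip == alert.src_ip and s.start <= alert.seen_at and not ended:
            return s
    return None

def respond(sessions, disabled_users, alert):
    """Apply one of the three responses named above and report what was done."""
    s = find_session(sessions, alert)
    if s is None:
        return "unattributed"              # left for manual triage, no user guessed
    if s.end is not None:
        return f"attributed-closed:{s.user}"   # session already over
    if alert.severity == "low":
        s.role = "quarantine"
        return f"quarantined:{s.user}"
    s.end = alert.seen_at                  # medium and high both end the session
    if alert.severity == "high":
        disabled_users.add(s.user)
        return f"disabled:{s.user}"
    return f"terminated:{s.user}"

def sample_sessions():
    """Constructed data: one tunnel address leased to two users in turn."""
    day = lambda h, m: datetime(2008, 5, 1, h, m)
    return [VpnSession("alice", "10.8.0.23", day(9, 0), day(10, 0)),
            VpnSession("bob", "10.8.0.23", day(10, 5), None)]
```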


Step 12: Optimise Web Application Connections

Because remote linkages will not likely have as much bandwidth as the enterprise’s internal LAN, application acceleration platforms can drastically reduce the time to access applications and boost web application usability and acceptance – especially for remote and branch office users.


While an accelerated solution deployed to bolster a telework environment can provide impressive speed boosts, ideally it should also specifically accelerate SSL traffic for even more performance gains.


Why is Telework Important to an Organisation?


Telework removes the limitations of location and time. Just as the telephone, and later the mobile phone, made it easier and more efficient to communicate with people, telework will allow business computing to take place anywhere, anytime, over any Internet connection. This capability becomes significantly more important during times of crises, where physical travel to an office location becomes risky or impossible.


The best teleworking systems are thoroughly planned to get the best out of remote access. The following sections detail handy tips to streamline your implementation.


Essential Steps in Setting Up an Enterprise Telework Solution

 

The key to a successful telework programme is governance. An overall coordinator must be nominated, unless fewer than 15 users are involved. The coordinator will have overall responsibility for:

 

  • Organising/chairing the telework committee
  • Developing telework policy
  • Coordinating the roll-out process
  • Managing schedules and equipment
  • Tracking and reporting progress

 

The coordinator should also establish a telework committee. Led by the telework coordinator, this group will define goals, plan the programme, establish procedures, and draft the telework policy. The committee should comprise representatives of all the stakeholders affected by teleworking, including the management team, HR staff, employees, IT, legal, and public affairs. Building input from these groups into the telework plan from the beginning will greatly enhance its success.


The committee then must develop the telework policy. It is essential to establish and communicate a clear set of ground rules for participation in your programme. Elements of the telework policy should include:

 

  • An overview with definitions of terms used
  • The overall goals of the programme
  • A summary of programme benefits
  • Criteria and procedures for participation
  • Standards for working hours, duty stations, and attendance
  • A sample telework agreement
  • A checklist of requirements for remote office, computer, and telecom equipment

 

It is very important to make sure that your telework policy is consistent with the law and any applicable regulations or guidance.


Abby Tang is Solutions Marketing Manager, Juniper Networks Asia Pacific. Before she joined NetScreen Technologies, acquired by Juniper Networks in April 2004, Abby was the Product Manager for Asia Pacific at Network Associates. She has been instrumental in providing insight and perspective about Internet security outbreak events such as Melissa, Distributed Denial of Service (DDoS), LoveLetter, CodeRed, and Nimda on major news networks and in print media, including CNN, CNET, China Entertainment TV, Phoenix TV and South China Morning Post. Abby has also worked as a software developer and researcher at Network Associates Laboratory in Los Angeles, where she was responsible for a large number of firewall proxy and authentication development projects.

 
Copyright © 2008 SDA Asia Magazine. All Rights Reserved.