Remote Possibility

Adams County, Pa., finds a Web-based virtual private network makes it easier to satisfy demand from outside organizations for access to the county's network.

by / December 8, 2005
An increasing amount of people who don't work for Adams County, Pa., ask to reach into the county's data network.

"Six, seven, eight years ago, there weren't nearly as many requests for remote access to information as there are now," said Dave Sprankle, Adams County's management information systems (MIS) director. "It's just been an explosion over the past year, year and a half."

As these types of requests increase, counties face a new challenge: finding efficient ways to keep communications between their own networks and external computers secure.

For Adams County, the "explosion" started with a heating, ventilation and air conditioning (HVAC) contractor that wanted to access a server to monitor its systems in two county buildings. Computers control most modern HVAC systems, and contractors often use off-the-shelf software, such as Symantec's pcAnywhere, to keep track of their equipment from offsite, Sprankle said.

But Sprankle didn't think that was a good solution.

"There are known vulnerabilities in a lot of this remote access software, and I didn't want multiple vendors using multiple versions," he said.

Then 10 local police departments needed access to the router the county operates for them as a gateway to the statewide Pennsylvania Justice Network (JNET). A local nursing home also uses the county network to access an online x-ray service, Sprankle said.


Too Many Clients
To secure data that passes over the Internet between a network and a remote computer, organizations often turn to virtual private network (VPN) software. For its own employees who needed to use the network from home or other remote sites, Adams County had installed VPN-1 from Check Point Software Technologies.

Based on the IPSec protocol, this solution uses software on the client machine to encrypt data and protect the network from viruses and other malicious code. As requests for access to the network arrived from outside county government, Sprankle offered VPN-1 to those users as well.

This strategy, however, put a burden on the four-person MIS department. After downloading the VPN client software, users had to configure it to operate on their personal computers.

"Almost every time, this requires us to be on the phone with them to get it set up," Sprankle said, adding that it often turned into a 20- to 45-minute process.

With the Carroll Valley Borough Police, the first police department to gain remote access, the situation looked complicated enough to require a technician to supervise the installation in person.

"We can't be running around to all these different police departments, because we're not just talking about one computer at a police department," he continued. "Some have three or four."

Chief Richard Hileman of the Carroll Valley Borough Police took charge of helping other law enforcement agencies in the county install the client software.

"My problem was, it wasn't easy enough for some of our less technologically savvy guys," he said. Therefore Hileman got personally involved in each installation.

The complexity didn't end when he finished setting up the software. Each time an officer wanted to use JNET to look up a driver's license, check for warrants or perform other functions, they first had to launch the VPN program, and not everyone found that easy, he said.


A No-Brainer
Just as Sprankle was getting ready to buy more licenses for VPN-1, he heard about a new VPN product from Check Point, SSL Network Extender, that didn't require software on the client system.

"We went ahead and bought 25 licenses for the SSL Network Extender to take the burden off us," Sprankle said. "Once we got it configured, it was a no-brainer. The thing is so easy to set up and use."

SSL Network Extender is a browser plug-in that uses the SSL transport protocol to encrypt data passing over the Internet between a remote machine and a network. SSL Network Extender is supported on Windows 2000 and XP using Internet Explorer 5.0 or better.

Just as a user on the Web downloads a Flash file to run animation on the spot, users download the Network Extender technology through a browser when they need remote access to a network, said Dean Ocampo, product marketing manager of Check Point. "It's completely on demand. Anyone can do it if they have a Web browser."

For the police departments, that makes access to JNET much simpler. Instead of setting up software on the client machine and launching it each time an officer needs to use the county's network, users just go to a Web site, said Hileman. "It automatically, right away, tells them, 'Give me user name and password.' They put it in, and they're logged [into JNET]."

Before deploying the new software for the police departments, Sprankle had one of his technicians set up an account for him so he could access two specific servers on the county network from his laptop at home.

"It seemed pretty secure," he said. "Whatever we give people access to, that is really the only device they can access."


Additional Steps Needed
The Web-based solution doesn't come with as many built-in safeguards as the client-based VPN, Ocampo said. Along with encrypting data, VPN-1 provides personal firewalls and other security controls to keep malicious code from passing through to the network. SSL Network Extender simply encrypts the data.

Restricting access is one technique SSL Network Extender users employ to make sure they fully protect their networks from threats that might slip in via remote computers.

"You'll take other steps to provide security because you don't have security controls embedded in the clientless solution," he said.

For external users allowed to access only one or two servers on the network, that level of security works fine, Sprankle said. For internal staff needing remote access, VPN-1 is probably the better choice, because there are additional management capabilities.

Sprankle is thinking of offering SSL Network Extender to a new category of outside users: municipalities looking for GIS data from the county. Right now, local governments that want to use the county's GIS data call the Tax Department or the GIS Department to describe what they need. Someone in the department extracts the data and either sends it on a CD or as an e-mail attachment.

"I'm hoping to push out this remote access to municipalities, so they can just connect to a server we have out here for municipalities to access all the data they need," he said.

Demand for remote data access will continue to grow because modern technology has conditioned people to expect that capability, Sprankle said.

"Why get up and get in your car and go someplace to access information when you can easily access it from your office, your home or your school? That's just the way things are going in the IT world."
Merrill Douglas Contributing Writer