Mine safety agency secures the tunnel for remote users

 

Connecting state and local government leaders

The Labor Department's Mine Safety and Health Administration has 1,200 inspectors traveling around the country who rarely work in a MSHA office.

The Labor Department's Mine Safety and Health Administration has 1,200 inspectors traveling around the country who rarely work in a MSHA office. Add to that the agency executives and administrators often working from home, and you have thousands of workers seeking remote access to the MHSA network.Allowing remote access makes the remote PC a node on a network and raises a host of security problems, said MSHA security officer Syed Hafeez.'We were concerned about extending the network to someone's house,' Hafeez said.Providing connections that were both convenient for the end user and secure proved to be difficult. Providing those connections without overburdening the IT support staff seemed almost impossible.The agency had servers in its offices in Arlington, Va., and Denver to allow dial-up connections.'But those were dial-up speeds,' said IT director George Fesak. As employees became more used to high-speed Internet connections at home, they became more frustrated with dial-up speeds.So in order to deliver high-speed connections, the agency turned to virtual private networking. A few users, on a case-by-case basis, were provided VPN connection using the IPSec protocols that provide encryption and security at the IP layer.But this small group caused a 'world of grief for the support staff,' Fesak said. Client computers had to be loaded with VPN software and configured to use it properly. In some cases, this meant visiting the user's home. Maintenance and troubleshooting these clients was also a burden after they were configured, and even when everything was working properly it did not eliminate security concerns. If a remote client became compromised with malicious code, a VPN could allow that code into the network.'A VPN is a secure tunnel for the rats to run through,' Fesak said. 'There was no way we could police that and still support problems with the clients.'The solution was an SSL VPN, which uses the Secure Sockets Layer Web protocol for establishing authenticated and encrypted sessions between Web servers and Web clients.'SSL is a clientless technology,' said Don Wheeler, solutions marketing manager for Juniper Networks Inc.'s Federal Systems division. 'Any Web browser can support an SSL VPN.'MSHA eventually selected the Sunnyvale, Calif., company's Secure Access 3000 SSL VPN for its remote access needs.The selection process began with the Enterprise Architecture initiative mandated by the Office of Management and Budget to ensure that IT programs support agency missions.'We started an Enterprise Architecture project here in 2002,' Fesak said. 'We took it very seriously. We now have EA governance, in which all of our customers work with us to determine our priorities.'In early 2003, Fesak said, 'the number-one need was to have a way for people with high-speed Internet connections to securely access the network without causing a lot of grief for the support staff.'Funds for the project were allocated for fiscal 2004, and MSHA began evaluating four products. 'It was fairly obvious,' what the final choice should be, Fesak said.One of the four was an IPSec VPN from Cisco Systems. 'Because we didn't like the traditional VPN, we decided not to use Cisco,' he said.The remaining three products were SSL VPNs. Two of them were not certified to the Federal Information Processing Standard 140-2 for cryptographic modules. That left Juniper's Secure Access, which is FIPS-140-2 Level 2 validated. A pilot program with 200 users began in February 2005.Because Web browsers already support SSL, no additional software is required on the client PC for an SSL VPN. Server and client authenticate each other using digital certificates on the devices and establish an encrypted session transparent to the user. The client and server negotiate the level of cryptography to be used, settling on the highest level available to both. A dialog box is pushed to the client PC to authenticate the user and enable access to the agency's resources.MSHA uses the Secure Access 3000, which supports up to 2,500 simultaneous sessions. It is a rack-mounted appliance that is placed behind the firewall to receive connection requests.It can support levels of user authentication from simple user name and password to multifactor authentication and digital certificates, Wheeler said. It also supports access policies defined by administrators and can 'white list' trusted locations. An employee connecting from a home computer might be given a greater level of access, for instance, than one connecting from an unmanaged public wireless access point. Configuration and status policies for the client PC also can be enforced to ensure that infected or unprotected PCs are not given access.The major limitation to an SSL VPN is its reliance on the Web browser for access.'There is definitely still a place for IPSec VPNs,' Juniper's Wheeler said. 'Where SSL VPNs make the most sense is where they are trying to allow particular persons access to applications.'In fact, this aspect of SSL VPN presents some problems at MSHA. 'It's really more a reflection of where we are with IT in this agency than of the product,' Fesak said. 'Not all of our applications are Web-based.'Access to non-Web applications requires the use of terminal services, which push a 400K Active X client to end users.All new applications at MSHA are Web-enabled, but enabling legacy applications will depend on when the money is available.MSHA began making the SSL VPN available to its 2,200 eligible employees in April.User authentication is done by user name and password entered in the browser now, but a pilot is under way to test stronger, two-factor authentication using SecurID from RSA Security Inc. of Bedford, Mass. This is a token that generates a new passcode every 60 seconds that is used in conjunction with a password. The passcode is verified using RSA Authentication Manager and Authentication Agent software.'We'd eventually like to go with two-factor authentication for everybody,' Fesak said. So far there have been no problems with the two-factor system. 'I was afraid we'd have stability problems, but it has been stable.'

Juniper inherited the Secure Access line when it acquired NetScreen Technologies. The SA-3000 SSL VPN comes in a FIPS-compliant configuration.

SSL VPN has the security and low maintenance dispersed workers need

























































X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.