Turn ’em loose
It used to be easy to plan and deploy networks for remote users. In the 1990s, network architects built branch office networks largely based on a simple design, using Ethernet local area networks (LANs) for desktop computer connectivity and wide area network (WAN) routers connected to T-line circuits leading to the headquarters’ data centers. At the time, branch-office applications were not terribly complex — mostly file and print services, corporate e-mail, and a few client and server applications. And while almost everyone had a desktop computer back then, very few people worked from home and enterprise remote access was rare and of limited use.
Over the last 20 years, a significant number of organizational and technology initiatives were spawned — some designed to streamline productivity and others to reduce capital or operational costs — that caused a huge number of changes to mission and application requirements for networks, and drove new branch-office and remote-access requirements. These initiatives were seen across both general and government enterprises, and varied from the rapid adoption of “anywhere” computing (which includes the rise in telecommuting) to the need for mission-critical application access from anywhere. Couple this with the dramatic increase in contract employees who need secure access (typically remotely) and the plethora of end-user devices used today, and you get a networked application environment that is extremely complicated.
When trying to address the above changes and needs, most organizations experience significant challenges, as the majority of available solutions only address one part of the problem and don’t provide support for a superset of the requirements. For example, desktop virtualization systems are excellent in their ability to support employees and contractors simultaneously, but they don’t provide significant support for voice/video communications. Similarly, VPN client/server systems provide excellent support for all applications, but they are challenging to install and maintain remotely, especially on non-government-owned devices.
Which leads to this question among CIOs: Given all of these changes and new requirements, can government agencies provide employees and non-employees policy-compliant and secure remote communications access to all applications, no matter where they are located, while using a simplistic architecture to ensure supportability and cost containment?
The answer is yes, and the key is Wi-Fi.
Today’s Wi-Fi networks create a highly robust, secure and standardized model for remote-user access, regardless of where an end user may be connecting. Wi-Fi solutions now exist that meet and exceed government security standards. Some of the key advances and features that now make Wi-Fi a viable and optimal option for government agencies, especially when considering telecommuting options, include:
Standard security models. Implementation of enterprise-class Wi-Fi (interchangeably called 802.11i or WPA2) requires client-device and/or user authentication via standard protocols to an authorization system — such as Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP) or a basic RADIUS server — prior to attachment to the wireless LAN. Basic user authentication can be extended further by providing advanced user authorization using the same infrastructure — not only governing whether the user is allowed to attach to the network, but further controlling the applications and systems with which the user is allowed to communicate.
Enterprise-class 802.11i also requires encryption of both the user-authentication exchange and the user-data traffic flow, ensuring traffic is protected from eavesdropping. In addition, many operating systems, handheld devices and WLAN infrastructure products that feature Wi-Fi support have been through the rigorous Federal Information Processing Standards (FIPS) 140-2 testing process to ensure the cryptography is government-grade.
One key but subtle fact about these standards-based security mechanisms is that enterprise Wi-Fi requires them to be implemented, whereas other standard client-connectivity methods (Ethernet, for example) do not. Since Ethernet connectivity generally assumes the same device (and therefore user) is attached to the same port at all times, additional client software (such as VPN clients) must be provided as an overlay user-authentication and access-control mechanism — adding to cost and complexity. In short, everything is included in the enterprise Wi-Fi specification to ensure secure, high-performance connectivity for government users. Moreover, Wi-Fi can provide support for any computing environment, including remote access, all while keeping equipment and installation costs to a minimum.
Easily and rapidly deployable. Wi-Fi is now a standard interface on most commonly used devices found in a mobile-user environment, including laptops, specialized handheld devices, smartphones and printers. The operating systems that support these Wi-Fi interfaces have 802.11i-compliant client drivers with common configuration methods and a common feature set. Configuring 802.11i-compliant devices for network and user access is very similar, regardless of device type, making initial configuration and ongoing troubleshooting easy. Equally important, augmentation via additional software isn’t necessary; all the required security and network-connectivity mechanisms are provided by standard operating system clients.
Wherever you are. Networking products that feature WLAN access points are available that have been purpose-built for branch office environments, the telecommuter’s home office and even mobile environments, allowing the logical and secure extension of the government agency network to these locations across any IP backbone. With the advancement of metro-Ethernet IP services, broadband Internet access technologies and 3G/4G cellular services, the branch or home office literally can be installed in minutes and can exist anywhere. And as mentioned above, many products have been validated by the appropriate government agencies to ensure their security posture meets standards.
Make every application available. Many remote access methods rely on firewall pinholes that allow a few specific applications to be accessed remotely, which is a limiting factor and actually increases management complexity. Using Wi-Fi infrastructure as the standard for remote client connectivity allows the extension of the entire logical network to the end user. The client device simply sees an L2 virtual local area network (VLAN) and L3 IP network extended to it that follows the user wherever they go, without any reconfiguration necessary on the client or network. Data center security infrastructure can be used to enforce fine-grained security policies, which allows all applications to be exposed, simplifying infrastructure deployments at the remote sites while still enforcing appropriate access security policies. Instead of using Outlook Web Access when at home and Outlook in the office — while also using a VPN client for data center server access — different policies for network access can be enforced by a common infrastructure. Users can enjoy a consistent experience, no matter where they need access.
Multiple vendors now provide Wi-Fi-enabled solutions that are specifically designed to support the needs of the remote branch office, the SOHO teleworker and the traveling remote worker, all while enabling easier remote IT support. Here’s how it works:
The branch office. In this example, a government agency needs to provide access to all of its information systems and networks (let’s dub this “AgencyNet”) to numerous remote branch offices of 50 or more users each. Some users are employees who require full access to agency information systems, while others are contractors on specific projects with only limited access. To meet these requirements, several government-owned access points (APs) are deployed in each remote branch office to provide high-performance WLAN access, and are connected via Ethernet to the appropriate WAN network connection of choice for the given office. All other security and server systems are located in the data center, where they are shared among all sites and users. During the Wi-Fi device and user authentication process, the user is identified and managed properly by the security infrastructure in the data center. Users who do not have valid credentials cannot access any branch office or data center network. Once connected, employees and contractors will have role-based access to all authorized systems.
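As an added illustration (not the article's or Aruba's own configuration) of the standards-based security model described earlier and the role-based branch access described here, the following open-source hostapd access-point configuration enforces 802.1X/EAP authentication against a data-center RADIUS server and lets the server's reply place each authenticated user on an employee or contractor VLAN. The interface names, addresses, VLAN numbers and shared secret are assumed placeholders.

```ini
# hostapd.conf for an agency-owned branch/home AP (added example, hypothetical values).
# Assumptions: radio wlan0, wired uplink eth0, RADIUS at 10.0.0.5,
# VLAN 10 = employees, VLAN 20 = contractors.
interface=wlan0
driver=nl80211
ssid=AgencyNet
hw_mode=g
channel=6

# Consumer/home-router setting the article contrasts with: one shared passphrase,
# so the network never learns which user or role is connecting. Left disabled.
#wpa_key_mgmt=WPA-PSK
#wpa_passphrase=CHANGE-ME-PLACEHOLDER

# Enterprise 802.11i (WPA2-Enterprise): per-user 802.1X/EAP authentication before
# the station is attached, with CCMP (AES) protection of the data traffic.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1

# Authentication and accounting are delegated to the shared data-center RADIUS
# server, which can in turn front Active Directory or LDAP; the AP holds no
# user database of its own.
nas_identifier=branch-ap-01
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=RADIUS-SECRET-PLACEHOLDER
acct_server_addr=10.0.0.5
acct_server_port=1813
acct_server_shared_secret=RADIUS-SECRET-PLACEHOLDER

# Role-based access: the RADIUS Access-Accept carries the RFC 3580 attributes
#   Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan id>
# and hostapd moves the station onto that VLAN (10 for employees, 20 for
# contractors in this example) with no setting on the client to change.
# dynamic_vlan=2 rejects any user for whom the server returns no VLAN, so a
# credential with no assigned role never reaches the branch or data-center network.
dynamic_vlan=2
vlan_file=/etc/hostapd/hostapd.vlan
vlan_naming=1
vlan_tagged_interface=eth0
# /etc/hostapd/hostapd.vlan holds the single wildcard line:   * wlan0.#
# so hostapd creates wlan0.10, wlan0.20, ... as VLAN-tagged sub-interfaces on demand.
```

The same file, with only the SSID and RADIUS address changed per site, serves the branch-office and home-office cases the article describes, since the policy decision lives on the RADIUS server rather than on the AP.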
The telecommuter or small- or home-office (SOHO) end user. Employees who work in one of the branch offices also may need telecommuting access to AgencyNet in their home offices. In this example, the government agency can provide the employees with an agency-owned access point that the employees connect to their home broadband Internet router. AgencyNet goes live in their home office and the employees activate their laptops and smartphones, authenticating to the network. Similarly, the employees now have access to all applications and communications systems without using an alternative method of applications access or software.
The benefits of supporting a remote work force by building a remote-access architecture based on Wi-Fi standard technologies are numerous:
Reduce the cost of supporting the end-user client systems. Wi-Fi client systems are ubiquitous — all have similar configuration processes and characteristics regardless of device type. Also, they don’t require ancillary client software to provide a secure, FIPS 140-2 policy-compliant connection to data-center applications. All of these factors go directly towards reducing the cost of operating the remote network through standardization and simplification.
Reduce the cost of data center infrastructure. Similarly, by basing your remote access architecture on Wi-Fi technologies, it is possible to build a simpler remote access network in the data center that eliminates the need for VPN concentrators, SSL-VPN servers, security proxy servers and complex firewall configurations. Through this elimination comes simplicity, and further reductions in the cost of ownership.
Make the network more flexible and more secure at the same time. Unlike other remote access solutions, Wi-Fi-oriented solutions can make every application and communications system available using role-based access control — all that is required is an access point configured to securely attach to the government agency network. And government-grade Wi-Fi solutions are built with security in mind, not as an add-on component, and are tested to ensure stringent policy compliance.
Today’s network requirements are incredibly complex. Users in government organizations, like commercial organization employees, require access to all of their applications through multiple devices in any environment, whether at home, at the office or in a temporary location.
Network administrators must address these needs in a manner that is secure, flexible and does not add to the plethora of existing connectivity mechanisms. Wi-Fi networks can simply and easily meet the needs of users, administrators and regulatory bodies in a secure and cost-effective manner. Most importantly, Wi-Fi provides users what they need — a consistent connectivity experience regardless of location — and the agency what it requires — security, flexibility and control over network access.
Maybe the problem isn’t so complicated after all.
- Read the “Anywhere computing” sidebar to learn how advances in technology have extended the workday and the workplace in commercial and government organizations.
David Logan is vice president-strategy for Aruba Networks Government Solutions.
Advances in technology have extended the workday and the workplace in commercial and government organizations, while telecommuting has reduced the amount of required shared space and increased employee flexibility. Many business-continuity plans now require employees to be redeployed and productive within a single business day and a medium-sized branch office to be operational within days of notice. Real estate optimization initiatives have reduced office lease periods, thereby increasing the rate of branch redeployments. Due to an organization’s mission or because of the situation, branch work environments may now actually be mobile. These requirements and trends dictate that users will need access to computing systems from anywhere and secure connectivity must be provided to the entire user population independent of location.
Supporting all applications: Government agencies have evolved their information systems to streamline operations, resulting in an increasing number of mission-critical applications and communications systems. When coupled with work-anywhere initiatives, agencies no longer can rely on firewall pinhole techniques to expose a few applications to a remote access community; instead, all applications and voice and/or video communications systems must be available to all users, independent of location.
Network access for non-employees: Contractors frequently are used by government agencies to augment their permanent staff, and many agency missions have evolved to require interagency collaboration. Both of these scenarios mandate providing information systems access to non-employees on a temporary basis. This makes it necessary to support both employee users and non-employee users and provide role-based access to infrastructure and information systems.
Any-device computing: The number and type of end-user computing devices now employed by the user community have increased dramatically. Each has a different purpose and form factor, and may or may not be open in terms of device or software manageability. Because of the previously mentioned organizational changes, these devices may or may not be government-owned. Policies that prevent their usage on the government network have limited enforceability, and in the future all will require secure, policy-compliant connectivity to the government agency network.
Simple architecture: In response to many of the above changes, IT organizations used point product solutions to extend specific applications outside the government agency walls. This resulted in anywhere from five to 10 different ways to connect remotely. To control cost and complexity, a new secure connectivity model using a single uniform architecture must be employed, simplifying the hardware and software infrastructure for IT in order to support and ensure a consistent end-user experience.