Array gear protects healthcare provider

Gateways simplify architecture and streamline layered security.

Humana Health Care used to rely on a mix of remote-access methods but wanted a single, flexible technology that would reduce the number of network entry points for malicious activity. As a result, it is standardizing on SSL VPNs for all remote access - and saving money at the same time.

The health provider in Louisville, Ky., uses a pair of Array Networks SPX5000s deployed in tandem to handle thousands of simultaneous connections as a replacement for IPSec VPNs and dial-up Remote Access Services servers, which can cost hundreds of dollars per connection, says Chuck Deaton, security manager for the company's security infrastructure architecture design team. By comparison, the Array gear costs about $10 per connection, he says.

Humana has about 10,000 users authorized to access its network remotely, and it needed a way to simplify access and maintain tight control over who gets into the network and what rights they have once there, Deaton says. About 2,500 users are logged on at any given time.

About 18 months ago the company started considering SSL VPNs to replace Cisco and Nortel IPSec VPN gear, Microsoft Point-to-Point Tunneling Protocol software and dial-up servers in its network. The IPSec VPN gear worked, but it required installing and maintaining clients on all machines, making it more difficult to open the network to business partners or allow Humana employees access from their own computers.

Because of limits on how many users the other access products supported, these options required multiple gateways deployed in a secure network segment between firewalls - a DMZ. "Each one represents an attack vector," Deaton says. "The more doorways and avenues that you have for data to flow, the more costly it is to maintain accountability and control of that."

In addition, as the number of devices grows, so does the cost.

"If we could minimize the number of different things we have to measure and monitor and buy technologies for, then it becomes a more economical approach to security," he says.

Humana tested Array gear as well as SSL VPN products from Aventail, Citrix, F5 Networks, Juniper and NetScaler (since bought by Citrix). The company chose Array for its range of features - SSL VPN, encryption acceleration, TCP multiplexing, compression, load balancing - and because each SPX5000 accommodates 64,000 concurrent users, according to a test by Tolly Group.

The Humana SSL VPN is set up so that remote users go to a URL, and their machine is probed for whether it's a Humana machine. If it is, it's scanned by Symantec endpoint-checking software to see whether its configuration meets corporate security policy. Only after their machines pass that test are users asked to authenticate, Deaton says. "This avoids brute-force attacks and password guessing," he says.

Users' logons are matched against Lightweight Directory Access Protocol or Active Directory data stores to find out what user group they belong to and what access rights they've been assigned. To alter an individual's rights, an administrator changes the group that person belongs to in the directory, Deaton says. The business doesn't have to maintain a separate user data store just for remote access.

Trusted employees on trusted machines get Layer 3 access - like an IPSec connection - that is as close to LAN access as possible, Deaton says. For less-trusted users and machines, the same SSL VPN gear grants limited access via Web proxy.
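The staged decision the article describes (device probe, then endpoint posture check, then authentication, then a directory group lookup that sets the access tier) can be modelled in a few dozen lines. The Python below is an added illustration written for this page, not Array Networks or Humana code; the `Session`, `Tier`, `DIRECTORY` and `REQUIRED_POSTURE` names, the posture attributes and the group-to-tier mapping are all constructed assumptions standing in for the SPX5000's policy, the Symantec scan and the LDAP/Active Directory store. The `trail` list records which gates a connection actually passed through, which is the property worth checking: a non-compliant corporate machine never reaches the authentication step, and Layer 3 access is only ever granted on a trusted device.

```python
"""
Model of a staged remote-access gate: device probe -> endpoint posture
check -> authentication -> directory group lookup -> access tier.
Constructed illustration; nothing here is vendor or Humana code.
"""
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Tier(Enum):
    DENY = "deny"
    WEB_PROXY = "web_proxy"   # limited, proxied application access
    LAYER3 = "layer3"         # full network-layer tunnel, IPSec-like


@dataclass
class Session:
    """One connection attempt as the gateway sees it."""
    user: str
    password: str
    corporate_device: bool                          # device-identity probe
    posture: dict = field(default_factory=dict)     # endpoint scan findings
    trail: list = field(default_factory=list)       # gates passed, in order


# Constructed stand-in for the LDAP/AD store: user -> (secret, groups).
# A real gateway binds to the directory; it never holds credentials itself.
DIRECTORY = {
    "alice": ("correct-horse", {"employees", "vpn-full"}),
    "bob": ("battery-staple", {"employees"}),
    "carol": ("partner-pass", {"partners"}),
}

# Minimum posture a corporate machine must show before it may authenticate.
REQUIRED_POSTURE = {"av_running": True, "disk_encrypted": True, "patch_level_ok": True}

# Directory groups mapped to the tier they earn on a trusted device.
GROUP_TIER = {"vpn-full": Tier.LAYER3, "employees": Tier.WEB_PROXY, "partners": Tier.WEB_PROXY}
TIER_ORDER = [Tier.DENY, Tier.WEB_PROXY, Tier.LAYER3]


def posture_ok(posture: dict) -> bool:
    """Every required attribute must be present and match exactly."""
    return all(posture.get(k) == v for k, v in REQUIRED_POSTURE.items())


def authenticate(user: str, password: str) -> Optional[Set[str]]:
    """Return the user's directory groups on success, None on failure."""
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1]


def decide_access(s: Session) -> Tier:
    s.trail.append("device_probe")
    if s.corporate_device:
        s.trail.append("posture_check")
        if not posture_ok(s.posture):
            # Non-compliant corporate machine is turned away before it
            # is ever offered a logon prompt.
            return Tier.DENY
    s.trail.append("authenticate")
    groups = authenticate(s.user, s.password)
    if groups is None:
        return Tier.DENY
    s.trail.append("group_lookup")
    # Rights come from group membership alone: changing the user's group
    # in the directory changes the outcome here, with no separate store.
    best = Tier.DENY
    for g in groups:
        t = GROUP_TIER.get(g, Tier.DENY)
        if TIER_ORDER.index(t) > TIER_ORDER.index(best):
            best = t
    # Layer 3 only on a trusted (corporate, posture-verified) device;
    # a personal machine is capped at the web proxy whatever the group.
    if best is Tier.LAYER3 and not s.corporate_device:
        best = Tier.WEB_PROXY
    return best


if __name__ == "__main__":
    s = Session("alice", "correct-horse", True, dict(REQUIRED_POSTURE))
    print(decide_access(s).value, s.trail)
```

The ordering matters more than the tier table: because `posture_check` runs before `authenticate`, a machine that fails the scan generates no credential attempt at all, which is what keeps unmanaged or non-compliant endpoints from being used to hammer the directory with guesses.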

"We use SSL as an IPSec replacement," he says, helping his consolidation move. "We're adding users every day to [the SSL] gateway and finding ways to take those same users' access away from other, more traditional paths."

An additional benefit of the SSL VPN came up during hurricanes Rita and Katrina last year, when employees unable to get to Humana offices accessed the VPN via their own computers and were able to do work, Deaton says.

Because the Array gateways make communications with servers more efficient via TCP multiplexing and load balancing, they have slowed growth in the number of servers Humana needs.

In the long term, Humana is trying to establish the SSL VPN gear as the central gateway for remote access, behind which the company can deploy other security technologies such as intrusion-detection and -prevention platforms, firewalls, traffic loggers and router protections. Operationally, using a single access technology requires fewer employees, helping to keep expenses down. He would not say how much.
