Deutsche Bank gives remote users a choice

At Deutsche Bank, there's no one-size-fits-all policy for VPNs. The bank, which ranks as the 20th largest in the world based on market value, has used an IP Security (IPSec)-based VPN since September 2001 so that more than 25,000 employees and business partners could securely access its global intranet. But six months ago the bank began offering an alternative VPN that's based on Secure Sockets Layer (SSL).

Deutsche Bank added the second type of VPN, the SSL-based offering, mainly because, unlike IPSec, it works through the Web browser and doesn't require installing client software on each machine, which makes it easier and less expensive to roll out. "Most of our money is spent distributing software and configuring clients in general," says George Young, director of worldwide remote access at Deutsche Bank, who declined to get into budget specifics.

Both the SSL-based VPN (based on the Neoteris Access 5000 appliance) and IPSec-based VPN (based on Nortel gear) will be used at Deutsche Bank for the foreseeable future, he says. After all, not all applications the bank uses are Web-accessible, which means the IPSec client is needed to reach these programs. And some employees and business partners benefit by having the choice, using the SSL-based VPN from any Web-enabled computer while on the road, for instance.

About one-third of Deutsche Bank's 78,000 employees are allowed to access the intranet remotely, and their use of the browser-based VPN now accounts for 20% of all remote access to the financial giant's global intranet. Deutsche Bank maintains Neoteris and Nortel VPN gear at primary hub locations, including London, New York and Tokyo.

Young says he doesn't perceive IPSec- and SSL-based VPNs to be similar enough to warrant many direct comparisons, although he says encrypting at the network layer, as IPSec does, might be inherently stronger than relying on application-layer SSL encryption.

He says he has concerns that SSL-based VPNs might be more vulnerable to sneaky Trojans and keystroke loggers, so he has arranged to take an extra precaution: scanning desktops or handheld devices during the actual SSL remote-access procedure to look for dangerous malware. If any is detected, the user's entry is denied until the problem is solved.

"We're scanning for Trojans because they can take over a session and capture data if the client machine is infected," says Young, noting that Trojans often are planted on desktops by computer viruses for this purpose. "The users know their machine is being scanned because we have a pop-up screen that tells them."

Remote scanning, which takes just seconds, is done every time a user seeks access to the intranet during an SSL VPN session. The user enters a designated URL and a password to gain authorization via the Neoteris appliance.

Deutsche Bank prefers one-time passwords rather than reusable passwords, which are more easily compromised. As a result, the bank has distributed an RSA Security SecurID token to every employee and business partner so they can generate unique passwords dynamically.

The Neoteris appliances, which sell for about $40,000, don't perform the remote scanning. Rather, once the password authentication process is complete, scanning is handled by a server running Confidence Online software from start-up WholeSecurity. Confidence Online issues an ActiveX or Netscape plug-in to any computer remotely accessing the network for the first time and then can scan every time access is initiated.
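The login sequence the last few paragraphs describe (one-time password first, then an endpoint scan, then grant or deny) is easier to reason about as code. The block below is an added example written for this page; it is not Deutsche Bank's, Neoteris's, RSA's or WholeSecurity's code. SecurID's token algorithm is proprietary and not described here, so the one-time password is the open RFC 4226/6238 HOTP/TOTP construction, which plays the same role. The user names, process names, image bytes and indicator list are constructed sample data, not real malware signatures.

```python
"""Gateway-side decision logic for an SSL VPN login: verify a one-time
password, run an endpoint scan, then grant or deny.  Added example, not
the vendor's or the bank's code.  HOTP/TOTP stand in for the proprietary
SecurID algorithm; every indicator below is constructed sample data."""
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30      # seconds per OTP window (RFC 6238 default)
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, now // step)


class OtpVerifier:
    """Accepts each code once.  The highest counter already accepted per user is
    remembered, so a code captured by a keystroke logger cannot be replayed
    within its own window: that is what makes the password 'one-time'."""

    def __init__(self, secrets: dict[str, bytes], skew: int = 1):
        self._secrets = secrets          # user -> token seed (constructed)
        self._skew = skew                # accept +/- this many windows of clock drift
        self._last_counter: dict[str, int] = {}

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        counter = now // TOTP_STEP
        for c in range(counter - self._skew, counter + self._skew + 1):
            if c <= self._last_counter.get(user, -1):
                continue                 # same or older window than a used code: replay
            if hmac.compare_digest(hotp(secret, c), code):
                self._last_counter[user] = c
                return True
        return False


# Constructed indicator set standing in for the scanner's signature database.
_TROJAN_IMAGE = b"constructed sample trojan image, not real malware"
KNOWN_BAD_PROCESSES = {"keylog32.exe"}                       # constructed name
KNOWN_BAD_SHA256 = {hashlib.sha256(_TROJAN_IMAGE).hexdigest()}

# Constructed host inventories: (process name, bytes of its on-disk image).
CLEAN_HOST = [("explorer.exe", b"explorer"), ("outlook.exe", b"outlook")]
INFECTED_HOST = CLEAN_HOST + [("svchost.exe", _TROJAN_IMAGE)]  # renamed, caught by hash


def scan_host(inventory: list[tuple[str, bytes]]) -> list[str]:
    """The plug-in's check: flag any process whose name or image hash matches an
    indicator.  Hashing catches a Trojan that has renamed itself to look benign."""
    findings = []
    for name, image in inventory:
        digest = hashlib.sha256(image).hexdigest()
        if name.lower() in KNOWN_BAD_PROCESSES or digest in KNOWN_BAD_SHA256:
            findings.append(f"{name} ({digest[:12]})")
    return findings


def remote_access_decision(verifier: OtpVerifier, user: str, code: str,
                           inventory: list[tuple[str, bytes]], now: int) -> str:
    """Same order as the article: password authentication completes first, then
    the scan runs; a finding denies entry until the machine is cleaned."""
    if not verifier.verify(user, code, now):
        return "denied: one-time password rejected"
    findings = scan_host(inventory)
    if findings:
        return "denied: malware detected: " + ", ".join(findings)
    return "granted"


if __name__ == "__main__":
    seed = b"12345678901234567890"        # RFC 4226 test-vector seed, constructed user
    gateway = OtpVerifier({"alice": seed})
    now = int(time.time())
    code = totp(seed, now)
    print(remote_access_decision(gateway, "alice", code, CLEAN_HOST, now))
    print(remote_access_decision(gateway, "alice", code, CLEAN_HOST, now))      # replay
    print(remote_access_decision(OtpVerifier({"alice": seed}), "alice", code,
                                 INFECTED_HOST, now))
```

Two design points are worth noting. The replay check is what turns a time-based code into a genuinely one-time password: without it, a logger that captures the six digits has the whole 30-second window (plus skew) to reuse them. And the scan runs on the client with client-supplied results, so a Trojan that already controls the machine could in principle interfere with the plug-in; the check raises the bar against common infections but is not a substitute for a trustworthy endpoint.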

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2003 IDG Communications, Inc.