
House builder chooses SSL for net access

Feb 09, 2004

When national home builder The Ryland Group chose Secure Sockets Layer remote-access equipment to let more workers tie into corporate resources, it also found a way to give business partners restricted access to the network.

Along the way, the technology saved Ryland from having to replicate servers and place them in a secure network segment where remote users could reach them over the Internet.

The company already had an extensive WAN made up of a 31-site frame relay network, 350 sales offices and 350 work-site trailers tied via IP Security (IPSec) VPN remote access using software clients. Three other sites were tied in by site-to-site IPSec VPNs.

But it wanted to give traveling employees and workers at home access to a limited set of network resources. Separately, it also wanted to give business partners limited access to resources.

The company considered several SSL remote-access vendors but decided to use Whale Communications’ e-Gap gear.

“The Whale box allowed a server to be exposed in two different ways to two different groups,” says Jon Bartlett, senior network engineer for Ryland, a $3.4 billion company in Calabasas, Calif., citing one key reason why Ryland chose Whale.

While that was important, it wasn’t the top concern, according to Craig McSpadden, Ryland’s vice president of IT. “The overriding concern was security, followed by making apps available, followed by ease of administration,” he says.

When Ryland started vetting SSL vendors five months ago, it considered Aventail, Nortel, Neoteris (now NetScreen) and Whale. It quickly eliminated Aventail because it perceived the company as primarily a service provider, even though Ryland knew it sells appliances. Bartlett says he couldn’t get Nortel’s gear to work in Ryland’s test environment, so it dropped out of consideration, too. Ryland then brought in NetScreen and Whale gear to test for more than a month.

“I really liked the [NetScreen] box,” says Bartlett. “I liked how easy it was to configure and get things up and running.”

But once he became familiar with the Whale gear, he found it let him grant corporate users a different set of access requirements and rights than business partners, all from a single appliance.

“The employee portal piece on [NetScreen] would give remote access to employees. It was just fine. It was the customer access that we couldn’t do with [NetScreen],” Bartlett says. NetScreen upgrades, scheduled to be announced this week, address this shortcoming.

Creating unique pages was also easier with the Whale gear, Bartlett says, thanks to its use of XML and Active Server Pages (ASP). “A lot of it is ASP code and XML that we already have in-house skills for, so it was more flexible and customizable,” he says.

From the security standpoint, Ryland liked Whale’s Air Gap technology, a switch inside e-Gap appliances that separates its external interface from its internal interface. “It protects us from Layer 3 attacks, and you don’t have to worry about misconfiguring it,” like you do with a firewall, Bartlett says.

One crucial limitation was that NetScreen didn’t support file access to Ryland’s Novell Network 5 servers. “With Whale, their answer is we can get it to work, we can customize it, and we were able to do it. With Neoteris, it was it just didn’t do it,” Bartlett says.

Alternatives to SSL for business-partner remote access called for placing select servers in a secure network segment called a demilitarized zone (DMZ), which would have meant replicating servers and investing the hardware and time to add them to the corporate DMZ.

The Whale gear also supports single sign-on, so users can log on once to the Whale box, which uses those credentials to sign on to internal servers. If the internal servers require different credentials, the Whale e-Gap remembers them the first time and automatically uses them when users request the application.

“If you have 10 applications and eight of them have the same credentials and two don’t, then you just collect them for the two that don’t and for the others they just go straight through,” Bartlett says.

Looking back on the project, Bartlett and McSpadden say they would try to get vendors to train them on the devices as part of the sales process, not after they already bought the boxes. “You learn a lot more of the details of how things are actually accomplished,” McSpadden says.

Ryland also noted that right now the SSL vendors seem hungry for business and go all out to answer questions and accommodate potential buyers. “[NetScreen] and Whale were very aggressive and did an excellent job as far as customer service through the sales process,” Bartlett says.