
Organizations tasked with safely connecting their employees to the corporate network are under pressure to not only accommodate various devices, but also offer multi-platform support. In fact, analysts predict that through 2017, 90% of enterprises will have two or more mobile operating systems to manage! Adding to this pressure is the recent onslaught of Windows 8-based systems in the enterprise, which means the demand for secure remote access solutions is following suit.

Heeding this call for adaptation, NCP engineering has upgraded its enterprise IPsec VPN client suite to offer compatibility with laptops and tablets running Windows 8, in particular, its Professional and Enterprise editions. The centrally managed remote access software also supports devices using Windows 7/Vista/XP 32-/64-bit.

NCP has also added several new security benefits to its enterprise IPsec VPN client, including warning users when a hotspot logon fails because no Wi-Fi connection has been established. When this occurs, the software advises users on creating a suitable connection profile and helps them determine whether an alternative network should be selected.

The NCP Secure Enterprise Client also includes the recently added Access Point Name (APN) management feature, which eliminates the need to manually update each device’s APN when switching out SIM cards from different mobile operators. For more information on the new product version and how NCP is meeting Windows users’ evolving remote access needs, check out the full press release here.

As indicated by your feedback in several of our polls, and as highlighted at Interop New York, more and more users are opting to access their company network via various devices. Of all the devices involved in the BYOD movement, Apple iOS products are some of the most popular. In response to this demand, the NCP Secure Enterprise VPN Server now integrates with Apple’s iOS, so IT administrators can perform certificate-based authentication to control network access of iPhones and iPads.

So, how does this work? Apple’s mobile device management (MDM) distributes certificates to all authorized iOS devices. When users establish VPN tunnels from their devices, the NCP Secure Enterprise VPN Server uses these certificates to determine what type of device the user is accessing the network with. This enables network administrators to, for example, grant a Mac OS X notebook full access rights while limiting iOS devices to partial access to the central network. Because users cannot decipher or manipulate the certificates, the risk of certificates being duplicated onto unauthorized devices is significantly reduced. Security is, after all, one of the biggest concerns associated with BYOD.
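The policy step described above, as an added illustration that is not NCP’s or Apple’s code: a small Go program (standard library only) stands in for the MDM’s issuing CA, issues client-authentication certificates whose device class is recorded in the subject OU field (the OU convention and the class names "macos-notebook" and "ios-device" are assumptions made for this example), and then plays the VPN server, which accepts only certificates chaining to the trusted MDM CA and maps the device class to full, partial or no access. A certificate with the same subject but signed by a different CA is rejected, which is the property the paragraph relies on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AccessLevel is the share of the central network a connecting device is granted.
type AccessLevel string

const (
	FullAccess    AccessLevel = "full"
	PartialAccess AccessLevel = "partial"
	NoAccess      AccessLevel = "none"
)

// devicePolicy maps the device class the MDM wrote into the certificate's OU
// field to an access level. The OU convention and the class names are
// assumptions for this example, not NCP's or Apple's format.
var devicePolicy = map[string]AccessLevel{
	"macos-notebook": FullAccess,
	"ios-device":     PartialAccess,
}

var lastSerial int64

func nextSerial() *big.Int { lastSerial++; return big.NewInt(lastSerial) }

// NewMDMCA creates a self-signed CA standing in for the MDM's issuing authority.
func NewMDMCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewDeviceCert issues a client-authentication certificate for one enrolled
// device, recording its class in the OU field. The device key is generated and
// dropped here; on a real device it stays in the device keychain.
func NewDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID, deviceClass string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: deviceID, OrganizationalUnit: []string{deviceClass}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DecideAccess is the VPN server's policy step: the presented certificate must
// chain to the trusted MDM CA and be valid for client authentication; only then
// is the device class in OU consulted. Anything else gets no access.
func DecideAccess(presented *x509.Certificate, trusted *x509.CertPool) (AccessLevel, error) {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return NoAccess, fmt.Errorf("not issued by the trusted MDM CA: %w", err)
	}
	ou := presented.Subject.OrganizationalUnit
	if len(ou) != 1 {
		return NoAccess, fmt.Errorf("expected exactly one device class in OU, got %d", len(ou))
	}
	level, ok := devicePolicy[ou[0]]
	if !ok {
		return NoAccess, fmt.Errorf("unknown device class %q", ou[0])
	}
	return level, nil
}

func main() {
	ca, caKey, err := NewMDMCA("Example MDM Issuing CA")
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	notebook, _ := NewDeviceCert(ca, caKey, "notebook-0001", "macos-notebook")
	phone, _ := NewDeviceCert(ca, caKey, "iphone-0042", "ios-device")
	rogueCA, rogueKey, _ := NewMDMCA("Not the MDM") // constructed: an untrusted issuer
	forged, _ := NewDeviceCert(rogueCA, rogueKey, "notebook-0001", "macos-notebook")
	for _, c := range []*x509.Certificate{notebook, phone, forged} {
		level, err := DecideAccess(c, trusted)
		fmt.Printf("%-14s OU=%v -> %s (%v)\n", c.Subject.CommonName, c.Subject.OrganizationalUnit, level, err)
	}
}
```

The order of checks is the point: chain validation runs before the OU is read, so the device class is only trusted once it is known to have been written by the MDM CA, and a class the server has no policy for falls through to no access rather than to a default.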

Ultimately, with its iOS secure authentication, NCP enables IT administrators to use certificates to control the access rights assigned to these end devices – without interfering with the usernames and passwords chosen by the users. Want to view the entire, official announcement? Check it out here.

The following is the first in a series of excerpts from NCP engineering’s technical white paper, Automated Mobile Security: Leveraging Trusted Network Connect (TNC) IF-MAP to provide automated security for company networks and mobile devices.

The increasing use of mobile devices like smartphones and tablet PCs introduces new threats to enterprise IT networks. While most of the well-known security programs, such as desktop firewalls, antivirus and hard-drive encryption, work pretty well for laptops, they are still not available for these kinds of mobile devices. The only way to keep your network secure is by providing additional security on the central IT infrastructure.

The problem is, most of today’s security systems work in isolation from each other, and if they offer interoperability they do so only to a limited extent, which is insufficient to counter the new threats network security faces every day. A new specification developed by the Trusted Computing Group (TCG) strives to solve this interoperability problem with the development of IF-MAP. IF-MAP makes it possible to interconnect different IT security systems and provide an accurate representation of the health status of your IT network. It can even automate security responses to network threats and enforce security without the need for human interaction. Support for IF-MAP is steadily increasing, as more and more vendors and open source products are adopting the IF-MAP technology.

Stay tuned for the next post that explains IF-MAP in more detail.

Ben Ruset is systems administrator at Princeton University. He speaks to VPN Haus about pressing provisioning issues all organizations – academic or corporate – should consider. 

VPN Haus: When dealing with employee terminations, who should own network provisioning – HR or IT?

Ben Ruset: Typically HR should notify IT and request that an account needs to be disabled/deleted. Neither department should make a unilateral decision that an account be modified without clearing it with the other. It’s all a matter of having well defined processes for business functions like this. Unfortunately many organizations forget to create or enforce them until it’s too late.

VPN Haus: Is this a process that you recommend automating?

Ruset: Well, this really is more of a human issue than a technological one. If there’s a policy in place, HR should notify IT to kill the account. Since they will manage to tell finance or the payroll company that the employee is terminated, as well as the health insurance company, they should be able to notify IT. Alternatively, if there’s a system like Peopleworks, or some such, there could be an automatic notice sent to IT as part of the termination workflow.

VPN Haus: Do the provisioning issues you raised also relate to student email address / account, especially with graduation and new school seasons?

Ruset: So, let me preface by saying that I’m not directly involved with provisioning accounts for students, faculty, and staff. IT at Princeton tends to be pretty compartmentalized. The most that I do is request accounts for things like the occasional contractor or temp worker who’s setting up an application or whatnot. But I do try to keep my ears open and I do have a rough familiarity with the process at Princeton, so I can try to answer as best as I can.

The process for new students has a pretty well thought-out workflow. The OIT (Office of Information Technology) gets a list of incoming students for each year from the registrar’s office, and creates the accounts prior to the students arriving on campus. The students then go to an online form and create their passwords.

VPN Haus: What about when students graduate?

Ruset: When the student graduates, if they’re undergrads, their accounts are kept active until the following October or so. Then it’s deleted. I’m not sure if this is a process that happens automatically, or if someone at OIT has to launch a script or something that closes accounts en masse. Actually, there’s a good page in the Princeton KB about what happens to accounts upon graduation, retirement, etc:

Stay tuned, next week Ruset talks with VPN Haus about university connectivity issues.

Related Reading:

De-provisioning is Just for Former Employees, Right? Wrong!

IT departments should make the case for corporate resources

Combating Data Breaches with Provisioning


As we recently noted, as colleges move quickly to adopt new technology, IT administrators are struggling to map existing information security policy onto the new solutions. In the most recent example, the University of California has stopped its 30,000-member staff and faculty from using a hosted version of Google’s e-mail service, Gmail. This ban comes after the university scrapped plans to roll out a Gmail service to the entire campus.

The reason? Members of the faculty were worried that Gmail, and its social arm Buzz, aren’t secure enough to protect university content. The core issue is how to secure information once out of university networks. According to InformationWeek, UC Davis officials have also noted that “outsourcing e-mail may not be in compliance with the University of California Electronic Communications Policy.”

UC-Davis’ move follows Yale University, which put plans to switch its email provider to Google Apps for Education on hold earlier this year, pending IT review.

While the biggest problem for Yale and UC Davis is mostly around data stored on the cloud and security, both incidents illustrate the pressures on IT administrators at universities to keep up with changing tech preferences.

A topic near and dear to VPN Haus ties in quite well to this last point: how to rethink remote network access. Students are just short of demanding Wi-Fi support for devices such as the iPad and other mobile tech, and campuses are rolling out hotspots with increasing frequency to accommodate them. However, policy stands in the way of progress. In the recent UC Davis and Yale news, campus policy appears to conflict with provider policy, which also seems to put Google on a troubled policy footing with the entire UC system.

We’ll continue to monitor how colleges handle the security and networking problems that emerge around new technologies. We’d also like to hear your thoughts on this ongoing struggle and how IT administrators can better serve students and faculty, especially as frustrations like this will continue to arise until permanent solutions are put into place.