When Bill Vass was working at the Pentagon, prior to moving to his current job as Sun’s CIO, one of his tasks was setting up a WiFi network. For months he searched for a secure, easily scalable system to meet the sensitive needs of such an organization, but it wasn’t until he moved on to Sun in 2000 that Sun’s CTO John Dutra supplied him with the solution.
Dutra’s idea was simplicity itself: instead of dealing with WEP keys, WPA2, 802.1X and other link-layer security protocols, run the wireless network as an open Internet connection and require a two-factor authentication scheme that opens an SSL VPN session from anywhere the user can reach the Internet.
To defend against attackers, someone in the parking lot launching a denial-of-service attack over Sun’s open wireless connection, or unauthorized use of the internal network from that segment, Sun applies the same intrusion detection systems (IDS) it already runs on its wired Internet edge: infrastructure it already pays for and has installed anyway.
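The stance described above, treating the wireless segment as untrusted Internet and watching it with the same IDS logic as the wired edge, can be expressed as a policy check over flow logs. The following is an added example, not Sun’s code or configuration: wireless clients may reach only the SSL VPN concentrator, a local resolver and DHCP, plus general Internet egress, while any attempt to reach internal address space (including neighbouring wireless clients) is denied and raised as an alert. The wireless subnet, concentrator address, resolver, log-line format, sample log and scan threshold are all assumptions made for the example.

```python
"""Policy and detection check for an open wireless segment that is
treated exactly like the public Internet: clients may reach the
SSL VPN concentrator, a local resolver and DHCP, and anything that is
not an internal address.  Every attempt to touch internal space from
the wireless segment is denied and raised as an IDS-style alert.
All addresses, the log format and the thresholds are assumptions made
for this example, not Sun's values."""
import ipaddress
import re
from collections import defaultdict

# Assumed addressing (documentation and private ranges, not real hosts).
WIRELESS_NET = ipaddress.ip_network("10.200.0.0/16")      # open WiFi client segment
VPN_CONCENTRATOR = ipaddress.ip_address("203.0.113.10")   # SSL VPN gateway, TCP/443
LOCAL_DNS = ipaddress.ip_address("10.200.0.53")           # resolver offered to wireless clients
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_THRESHOLD = 3   # distinct internal hosts probed before a source is called a scanner

# Assumed flow-log line format: "<ts> src=A dst=B proto=tcp|udp dport=N"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def parse_flow(line):
    """Return a flow dict from one log line, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": ipaddress.ip_address(m.group(1)),
            "dst": ipaddress.ip_address(m.group(2)),
            "proto": m.group(3).lower(),
            "dport": int(m.group(4))}


def evaluate(flow):
    """Decide (verdict, reason) for a flow leaving the wireless segment.

    Order matters: the explicit allows for the VPN gateway, DNS and DHCP come
    first, then the blanket deny for internal space (which also isolates
    wireless clients from each other), then default-allow to the Internet."""
    src, dst, proto, dport = flow["src"], flow["dst"], flow["proto"], flow["dport"]
    if src not in WIRELESS_NET:
        return ("deny", "not-wireless-source")
    if dst == VPN_CONCENTRATOR and proto == "tcp" and dport == 443:
        return ("allow", "ssl-vpn")
    if dst == LOCAL_DNS and proto == "udp" and dport == 53:
        return ("allow", "dns")
    if proto == "udp" and dport == 67:           # DHCP discover/request to the relay
        return ("allow", "dhcp")
    if any(dst in net for net in INTERNAL_NETS):
        return ("deny", "internal")
    return ("allow", "internet")


def scan_flows(lines):
    """Run the policy over log lines; return decisions plus IDS-style alerts."""
    decisions, alerts = [], []
    probed = defaultdict(set)                     # src -> internal hosts it tried
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict, reason = evaluate(flow)
        decisions.append((str(flow["src"]), str(flow["dst"]), verdict, reason))
        if reason == "internal":
            probed[flow["src"]].add(flow["dst"])
            alerts.append({"type": "internal-access-attempt", "src": str(flow["src"]),
                           "dst": str(flow["dst"]), "dport": flow["dport"]})
    for src, hosts in probed.items():
        if len(hosts) >= SCAN_THRESHOLD:
            alerts.append({"type": "internal-scan", "src": str(src), "hosts": len(hosts)})
    return {"decisions": decisions, "alerts": alerts}


# Constructed sample log: one legitimate badge-holder (10.200.4.17) and one
# host in the parking lot (10.200.9.99) probing internal servers and a neighbour.
SAMPLE_LOG = [
    "t1 src=10.200.4.17 dst=255.255.255.255 proto=udp dport=67",
    "t2 src=10.200.4.17 dst=10.200.0.53 proto=udp dport=53",
    "t3 src=10.200.4.17 dst=203.0.113.10 proto=tcp dport=443",
    "t4 src=10.200.4.17 dst=198.51.100.7 proto=tcp dport=80",
    "t5 src=10.200.9.99 dst=10.10.1.5 proto=tcp dport=445",
    "t6 src=10.200.9.99 dst=10.10.1.6 proto=tcp dport=445",
    "t7 src=10.200.9.99 dst=10.10.1.7 proto=tcp dport=22",
    "t8 src=10.200.9.99 dst=10.200.4.17 proto=tcp dport=22",
    "t9 src=10.200.9.99 dst=203.0.113.10 proto=tcp dport=443",
]

if __name__ == "__main__":
    result = scan_flows(SAMPLE_LOG)
    for d in result["decisions"]:
        print(d)
    for a in result["alerts"]:
        print(a)
```

The rule ordering is the same one a firewall in front of the wireless VLAN would enforce; replaying flow logs through it is a cheap way to confirm the segment really is cut off from internal space and to see which sources an IDS on that segment should be flagging. Note that the parking-lot host in the sample is still allowed to reach the VPN concentrator on 443: that is by design, since the badge-based second factor, not the network, is what decides whether the session opens.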
“We treat the wireless architecture as if it needs to be defended as heavily as if you are on open Internet,” said Vass, “because, one, we already have that infrastructure in place to enable remote workers so we might as well leverage that to secure our wireless environment. And that way we don’t have to deal with managing WEP keys.”
Because Vass had decided some time earlier to host all of his employees’ applications centrally and push them out to Sun’s Sun Ray thin clients at the network edge, using an SSL VPN to secure network access was a natural fit. All of his employees can now reach their desktops over the Internet instead of being shackled to a hard-wired port. The same approach can be applied to hard-wired networks as well.
In Sun’s case, with 17,000 of its employees in its iWork teleworker program, a WiFi network made a lot of sense from a business perspective. Sun has been able to save $70 million per year in real estate costs, as well as about $3 million in electricity, because of the iWork program. All employees need in order to access their apps is a Java Badge, the second factor in the two-factor authentication scheme.
But even without their J-Badges to open an SSL VPN session, having open Internet WiFi throughout Sun’s facilities means Vass no longer has to support a multitude of expensive and cumbersome network endpoints. It also means his engineers no longer feel the need to circumvent the corporate network security infrastructure by setting up their own WiFi nodes at meetings.
That was one of the company’s biggest security headaches before it installed open wireless, Vass said.
“Everybody has that problem. It’s all over,” said Vass. “If you think you don’t have that problem you’re dreaming. Here’s your choice: if you don’t do it they’ll do it anyway. They’re going out of their way to put the company at risk for a convenience at a meeting. It makes more sense just to give it to them and do it the right way.”
Open WiFi has the added benefit of enabling visitors to get online from just about anywhere. This saves them time and saves Sun’s employees the headache of setting up work spaces for consultants and other outsiders, Vass said.
The next evolution of this idea is to outsource the access points, or hot spots, to a third-party provider and let them worry about keeping the network up and running.
Done this way, all Sun’s network engineers have to concern themselves with is setting up user accounts, while the hot-spot vendor handles helpdesk calls and maintains the wireless infrastructure.
Overall Vass sees his program as a great success saving the company time and money, enabling happier employees that can work from anywhere, and nailing down security in a tried and true way.
“You didn’t have to run any wires, the cost of running wires, managing the ports, the cost of managing the ports … all that’s gone so you can set up an office very quickly,” said Vass. “And, because everything is encrypted with the badge, you don’t have to worry about all the wireless security. All the stuff everyone else is scratching their heads about right now and trying to come up with all those standards; you’ve just circumvented all that and you’re very secure in your running.”