Silhouette Case Study:
State Department of Natural Resources
Business Problem: Need for reliable, secure remote access for warden outposts
The Challenge
A state Department of Natural Resources (DNR) needed a way to provide secure communications for wardens working from approximately 120 outposts. In many cases, the obscure location of these outposts posed network connectivity challenges. The agency’s IT department had begun to design a traditional Virtual Private Network (VPN) solution but opted to seek CDW’s feedback and assistance.
- COMPANY: Department of Natural Resources
- LOCATION: United States
- BUSINESS: Government
- SIZE: 120 Outposts across the State
- IT PROJECT: Secure Communications for Wardens
- PRODUCTS: Cisco Virtual Office (CVO), Cisco Internetwork Operating System (IOS), Cisco Security Manager (CSM), Cisco Secure Access Control Server (ACS)
- SOLUTION: Security
- RESULTS: Fewer staff, less time and money, and a secure, future-proof way to communicate.
The Solution
Having taken the time to gain a full understanding of the customer’s needs, a CDW solution architect met with IT staff to make recommendations. He quickly demonstrated how a Cisco Virtual Office (CVO) solution combined with wireless technology could better serve the DNR in a number of ways. CVO is most typically used to connect individual remote workers to a main office. But it became clear in this instance that it was the most efficient way to connect remote offices not only with DNR headquarters but also with each other. Because it had the ability to automate much of the VPN process, CVO required fewer staff and less time and money. The solution was also far more scalable for the department’s purposes.
CDW showed the DNR two other strong benefits to the CVO solution. First, the more traditional VPN approach the DNR had been considering would not have supported the addition of future applications, such as voice technology, to the network. CVO thus made the department more future-proof.
Second, CVO was far more secure. Traditional VPNs often use only pre-shared keys in which a single authentication method, such as a password, is employed by VPN endpoints. If the pre-shared key is exposed, the process of re-keying numerous sites can be quite time-consuming, cumbersome and costly. However, rather than relying wholly on a single security mechanism as the strength of the solution, CVO employs layered-identity, which combines several security mechanisms. For example, CVO uses public key infrastructure (PKI) in conjunction with AAA servers both to authenticate the VPN endpoint and to authorize it to join the network. If a remote VPN router with a valid certificate ends up in the wrong hands, the AAA server still wouldn’t be able to authorize the VPN router; with no access to the network, the router thus couldn’t be used to establish a VPN tunnel.
CVO also has the capability to authenticate the user and the corporate asset at the remote end of the tunnel. This measure validates both the proper user and machine so that CVO can grant the degree of access to network resources appropriate to that specific user.
Moreover, CVO is entirely unique in its employment of dynamic multi-point VPN (DMVPN), which supports both a partial and on-demand full mesh network topology. DMVPN allows the creation of a full-mesh VPN, in which traditional hub-and-spoke connectivity is supplemented by dynamically created IPsec tunnels directly between the spokes. With direct spoke-to-spoke tunnels, traffic between remote sites does not need to traverse the hub, thereby eliminating additional delays and conserving WAN bandwidth. While spoke-to-spoke capability is supported in a single- or multi-hub environment, multi-hub deployments provide increased spoke-to-spoke resiliency and redundancy.
Based on these important benefits, the DNR initially opted to run a pilot program, deploying CVO to about 25 sites. CDW recommended Cisco 881 and 1841 routers for the remote offices in conjunction with whatever type of internet service and connection could be obtained. The rest was simple. Knowing that remote workers would not likely have an IT staff close at hand, Cisco had designed CVO for easy implementation. Upon receiving a router, a warden or other outpost employee needed only to plug it in, open a browser and type in a URL provided on an accompanying information sheet. Doing so would authenticate the router’s required AAA credentials and initiate the provisioning process. Within approximately 10 minutes, a remote warden outpost could establish a secure VPN connection with the DNR’s network.
In order to achieve this simplicity, CDW also assisted the agency with the backend technology. The CVO solution employs Cisco Internetwork Operating System (IOS) at the remote site. IOS manages a digital certificate infrastructure and enables VPN concentration. At the DNR’s data center, a Cisco Security Manager (CSM) enables straightforward and efficient management of all devices connecting to the network. CDW’s Configuration Center pre-configures the CSM with all necessary security policies so that it’s ready to deploy to the home router. When the provisioning process begins, a profile is created in the agency’s data center on a Cisco Secure Access Control Server (ACS). This user profile includes all of the credentialing information for both the user and the device being used to connect to the network. Thereafter, without a proper match, a network connection cannot be established.
