Giving on-the-road staff secure network access | Behavioral Healthcare Executive Skip to content Skip to navigation

Giving on-the-road staff secure network access

January 1, 2008
by Terry Janis
| Reprints
The Menninger Clinic's experience with virtual private network technology

The Menninger Clinic was founded in 1925 as the first group psychiatry practice in the United States, and its innovations quickly impacted the field. The hospital has provided treatment for more than 250,000 patients from the United States and around the world.

As part of our mission, The Menninger Clinic also trains mental health professionals, shares best practices, and collaborates globally on mental health research. Thus, we are continually upgrading our information technology systems to support these efforts. Our IT system must handle the needs of dozens of traveling lecturers, remote marketing and fund-raising personnel, software application developers, and clinicians working off-site, who all must access our network resources at our campus in Houston, Texas. Consequently, it is important for us to provide these users with a simple yet secure system of remote access.

Initially, we purchased a virtual private network (VPN) solution in 2003 to provide remote access to our network. A VPN is a private network that works through a secure “tunnel” through another network, typically the public Internet; the VPN creates an encrypted, secure data pathway between two points. However, as our remote user base grew over the past few years, it became an increasing burden for our IT staff to support that solution, which didn't always provide the access our employees needed. For example, the system, based on a technology called IPSec VPN, did not ensure security compliance on the end-user's system. Users might have had a virus waiting to be unleashed or inappropriate security settings on their own systems that could jeopardize our network. Yet we had no way of enforcing security at their end, other than to have the IT staff constantly update each user's system with antivirus software and operating system patches.

In addition, the IPSec VPN provided users with a secure connection to our home network, but it did not support user-specific access controls. That meant each user had full access to the entire network unless we directed specific users to specific firewall ports and then configured those ports for specific types of access. Again, this increased our labor costs.

The IPSec VPN system also did not always allow users to access our network from particular locations. If a user was connected to another corporate network or even connecting to the network through a public Wi-Fi hot spot, the IPSec software didn't always allow the connection through any other location's firewall.

Although a newer and better remote-access technology called SSL VPN had emerged since our initial deployment of IPSec VPN, we had found it to be considerably slower, and we had never been willing to sacrifice connection performance. But in October 2006, we tested a VPN SSL solution (NeoAccel SSL VPN-Plus SGX-1200) whose performance was equal to or better than our IPSec system. As a result, we deployed two of the solution's appliances in a redundant fail-over configuration at our data center (In this setup, if the first device fails, traffic is automatically directed to the second device so that operations can continue uninterrupted).

The new VPN system addresses our previous remote-access problems in several ways.

Endpoint security compliance. The new VPN system automatically scans an end-user's device for compliance with antivirus updates and operating system settings based on policies we set. If the user's computer is not in compliance, the VPN system automatically downloads the appropriate updates to the user's computer or, if this is not possible, denies access.

User-specific access controls. The new VPN system allows us to restrict access by individual user through settings in the SSL VPN appliance. We can permit access to servers for software developers while limiting traveling lecturers or marketing personnel to specific servers or directories.

In fact, the system allows us to offer different types of access, depending on the user. We can offer basic access through a Web browser, which requires no additional software on the user's computer, or we can use either “thin” or “full” clients that provide access to specific applications on our network servers.

Thin clients provide access to only Web-enabled applications, sufficient for users who need to read or download documents. Full clients allow access to Web-enabled applications as well as provide the interface to and authentication for applications that are not Web-enabled (such as databases). This flexibility enables us to provide types of access with one system rather than having to implement and manage different products.

Access from other networks. The new VPN system provides access from a standard Web browser, so it can reach our home network from any location. Unlike the IPSec protocol, the SSL VPN's HTML protocol easily passes through any location's firewall.

Reduced management costs. The new VPN system is highly automated. Once we set security policies and access privileges for each user, user connections are tested and configured automatically each time a user logs on.

In behavioral healthcare or information technology, knowledge evolves, and the basis of all progress is continuing research. Although we initially had rejected SSL VPN technology as a solution for our remote-access challenges, we discovered through continual research that it is possible to offer our users transparent access with appropriate security and performance by choosing the right product.

Terry Janis is Director of Information Technology at The Menninger Clinic in Houston. To contact the author, call (713) 275-5024 or (281) 898-0295.