Little says, "We have security updates available in various platforms. Getting the staff to maintain security on these systems has been difficult."
In turn, he has taken a three-step approach to providing better security enforcement. First, access to public services is being restricted to central systems when possible. Each researcher has a virtual Web server, based on SW-Soft's Virtuoso Universal Server, that essentially runs on the central systems. This arrangement enables a researcher to configure and to manage his or her own system, but Little controls the security on those machines.
Next, each researcher's workstation gets moved to a private network when possible. These researches then use a Virtual Private Network, or VPN, which allows authenticated users to establish secure channels over the public Internet to this closed network. Little says, "The private network and VPN solution keep attackers from actually seeing a lot of the systems that aren't going to be easily maintained."
Since the researchers' systems are out of sight, the third step consisted of providing researchers with transparent access to their systems via the public Internet or a private network from anywhere in the world.
After researching the gamut of security products, Little downloaded the free trial copy of Astaro Security Linux from Astaro Corp., Burlington, Massachusetts. He bought it after four months of testing. Little says, "The- try-before-you-buy capability enabled us to see how well the product would fit into our environment." This software product, which sells for about $390 per ten users, turns an inexpensive server to an all-purpose security device capable of handling the VPN connection, the authentication, as well as providing a firewall, anti-virus protection and proxy services for Web and email.
Little runs the Astaro Security Linux on a $1,500 Dell PowerEdge 1400 server. Together these products provide the VPN which acts as a gateway onto the public Internet for as few as 50 remote users or up to as many as 1,000 remote users. The security device supports researchers' remote workstations consisting of everything from Windows 2000 XP to Mac OSX to Linux.
The security device offers VPN interfaces for both the public Internet and for the University's private network. For example, one interface connects to the logical private network overlaid on top of the public Internet for the VPN. The interface on the public Internet acts as a gateway for VPN workstations to access the private networks within Stanford.
The security device also can act as a firewall between systems on the private network and the public Internet. To get access to the public Internet, these systems must pass back and forth through the security device.
The open systems nature of a Linux security product didn't bother Little. He says, "It was a selling point for us. Because we're a university, we get nervous about products built on a proprietary operating system (OS). For example, Windows NT/2000 OS has a notorious security reputation. So, we'd have to think twice about buying a Windows-based security product."