Delivering Slices of Network Securely at USC
- By Dian Schaffhauser
When Richard Nelson's IT team at the University of Southern California's Information Sciences Institute (ISI) decided to make an internally developed research administration application available to other groups on campus, it faced a unique security challenge: how to provide access to the program itself without also handing over broader access to other resources on its network.
ISI, founded in 1972 as part of the USC Viterbi School of Engineering, is situated in Marina Del Rey, CA, about 23 miles from USC's main campus in Los Angeles. The research facility hosts a number of research areas, including natural language processing, artificial intelligence, grid computing, network security, sensor networks, hardware systems (including a chip fabrication facility), robotics, and biomedics.
The group that Nelson, the director of computing, leads at ISI primarily supports the general computing infrastructure at the institute: e-mail, business applications, networks, Web services, and desktop support. It also offers colocation services, which come in handy particularly for newly incubated companies that hatch from the research efforts.
The research groups themselves are mostly government funded through agencies such as the Defense Advanced Research Projects Agency (DARPA), the National Institutes of Health (NIH), and the National Science Foundation (NSF). They take care of hiring the technical staff they require for their specific projects.
In the year 2000, to ease the burden of administrivia for ISI and its research teams, the IT team conceived of an application that would automate the institute's financials, accounting, proposals, facilities, and billing operations. Called MyPortal, and in operation for three or four years, the system runs a set of Web services. MyPortal taps into corporate data on the university's systems for baseline information, such as how much money is in a particular account and what the year-to-date expenditures are. It integrates that with ISI's own data--project leaders, which contract a staff member's time is being charged to, when the contract was signed--to provide reporting and recordkeeping. That, in turn, is used by research teams in reporting back to the government agencies. "Here are the people working on this, here's what's spent to date, here's our progress," explained Nelson. "We're able to add that value-added data and provide that in a format that the government needs."
The MyPortal system has proved interesting to other academic units on campus, said Nelson. "They may not be in a scientific discipline. But they find that, out of the box, MyPortal provides the capabilities for them to do the value-added recordkeeping they need to be successful as well." Recently, the School of Social Work
But first, ISI needed to sort out how to make the application available without opening up its entire network. "We didn't want to expose MyPortal to a public Internet interface," said Nelson. "We didn't want to allow somebody who isn't authorized and shouldn't be using MyPortal the opportunity to casually get into the system and get at data that might be sensitive for competitive or financial reasons."
Why not simply package up MyPortal as a stand-alone application and let each USC school implement it on its own server? Because first impressions are important, said Nelson. "It's a Java-based application. If I were to give them a JAR file, their developer may be able to get that Java file running, or he or she may not. They might have local customizations that apply."
To ensure a high quality of "customer experience," Nelson said, "we wanted to make sure we offered it directly to them without giving them the file." And, since ISI had made an investment in development of MyPortal, delivering it as a service would result in others at USC participating in "maintaining that investment."
Nelson and his staff evaluated a number of options for delivering a slice of its network to other groups on campus, including the use of client plug-ins to provide access control. They discarded that approach to maintain ease of use for users. "We wanted to make it as transparent as possible, which led us in the direction of an SSL VPN," said Nelson.
A Secure Sockets Layer (SSL) VPN is a form of VPN that doesn't require the installation of client software on the user's computer; the encrypted session is carried over HTTPS, so it can be used with a standard browser.
On the SSL VPN front, the group evaluated open source and commercial offerings. Several open source solutions were discarded because they hadn't been updated in a number of years. On the commercial side, the available options were evaluated based on requirements for both the server side and the client side. The goal, explained Nelson, was to deliver a single URL to the user and say, "Here's where you go. Don't worry about a thing. Just type in a user ID and password, and you're in."
Another level of testing involved ease of integration, particularly with the LDAP directories already in use on campus. Nelson didn't want to have to run a separate ID and password database.
A final filter for the evaluation examined how well the SSL VPN application interacted with the MyPortal suite.
"Even though they said they were a 'zero client footprint,' that all you needed was an SSL-enabled browser, it turned out that wasn't the case," said Nelson. "It would give you some kind of connectivity but wouldn't let you run this portal-based application." The problem was that the products would only let the user reach a single IP address, as point-to-point solutions, and that was insufficient for MyPortal, whose front end hands the browser session off to several back-end servers. "The portal server is just a front end for all the back-end things that happen. We have something that does report generation. We have databases. We have all these other things. So a web browser session might be passed among these different servers, and they have different IP addresses. All of a sudden, the generic SSL VPN solution doesn't work."
At each level of evaluation, products were discarded. That is, until the team tried an Array Networks SPX 3000 Series Universal Access Controller. The IT group met with Array to explain its needs and do a "sanity check," said Nelson. "We wanted to make sure that what we were hearing was really true."
Intrigued by what they learned, ISI arranged a purchase order to set up a 30-day evaluation period on hardware from Array. As Nelson described it, one "guy took the unit home and plugged it in to see how it would work. The product worked out of the box the way it was supposed to."
"The results were positive," said Nelson. Not only did the hardware work as advertised, but ISI was impressed by the support it received. "When we've had questions to meet our unique needs--they've made engineering staff available to us. Sometimes, the Array product is so comprehensive, it's a matter of them explaining to us how it works and how to make use of the features they have in there. Sometimes, there may be a feature that doesn't work the way we expect it to. They're able to agree with us and quickly make a modification of the code that will get the feature working the way we thought it should work."
Nelson said he paid in the "five figures" for the controller, but that the price wasn't so high that it exceeded his budget approval threshold. "I was able to make the purchase without having to go [to the CIO] and do all those types of presentations."
The controller sits between the MyPortal servers, which are fairly locked down, and the publicly accessible IP space that allows ISI's researchers to collaborate with others around the world. Its function is to protect those MyPortal servers akin to how corporate servers are secured--only allowing a certain set of authenticated users to reach them, so that the MyPortal servers themselves are never exposed directly to the public Internet. This allows access to those servers to be more restrictive, said Nelson, than the rest of the ISI infrastructure.
Now, other groups on campus are considering the use of MyPortal to address their research administration. "We don't want people to go out and spend their development dollars to use a resource that we feel might have applicability to them," Nelson said. "Lots of academic units are smaller. They have more limited resources. When they can make use of a resource without having to develop it, they can focus their limited resources on other things--it's a win for them."
Nelson compares what ISI is accomplishing to an application service provider that needs to offer services to a customer but doesn't want that customer to have access to anything other than the application they're provisioning for. "When you're budget limited and you have need for something that's going to work out of the box and will require technical expertise to get it going, Array is a really good choice," said Nelson. "It's competitively priced and the support we've gotten has been world-class."