Quad/Graphics Embraces SSL

After evaluating the risks and the alternatives, the company reached a difficult decision: It was time to replace the IPsec VPN with new technology based on SSL (Secure Sockets Layer).

Although IPsec currently is the industry's most widely deployed VPN architecture, SSL VPNs are catching on fast. San Jose, Calif.-based Infonetics Research expects SSL VPNs to nearly double in the next two years. Security concerns are the main reason why organizations are reluctant to adopt VPNs, according to a recent Infonetics study.

Slow, Steady Transfer

Quad/Graphics' move toward SSL has been gradual. So far, about 80 percent of the company's suppliers and a small number of its media clients have switched over to SSL VPN access. Using Juniper Networks' NetScreen Secure Access 3020 VPN appliances (Juniper acquired NetScreen this past spring), Quad/Graphics' suppliers gain SSL-based access to applications over the VPN, rather than tunneling a client through as a network node. This approach is safer for Quad's customers, which are accustomed to using FTP. The plan is to place all new customers on the VPN and migrate existing customers next year.

In the interim, Quad/Graphics' print customers have a choice: They can access page proofs via a conventional FTP session or the more secure way, FTPing through the SSL VPN. "They either use an FTP client or see their file share on the server," Drewek says.Quad's suppliers, which include providers of its printing presses, stitching and binding systems, use the SSL VPN to access their own applications. One supplier, for instance, accesses its maintenance apps directly through the SSL VPN, running a Windows server-based system that's part of Quad/Graphics' printing process.

"That locks them down and removes the virus risk," Drewek says.

The Also-Rans

Quad did consider IPsec-based alternatives before making the leap to SSL. For example, the company could have made its Cisco Systems-based IPsec VPN redundant, or used CSA (Cisco Secure Agent) software to verify that clients had the latest antivirus software and patches before they accessed the VPN. But because the printing company already had serious doubts about the security of IPsec, a redundant VPN didn't make sense. The hefty CSA client left too big a footprint on the company's customers and vendors, and it didn't support Mac OS, a popular operating system among Quad's graphics-oriented customers.

The NetScreen SA-3020 appliance, however, doesn't use clients. This means Quad/Graphics doesn't have to manage software on its own workstations or those of its suppliers and customers. The appliance also provides detailed logging of what users are doing when they come in through SSL."With IPsec, all you can tell is that the session is up," Drewek says. "You can't see in detail what's happening."

Quad's IT team can use the SSL log to see when a user logs on, where that user goes and whether there has been an application failure. This data is useful in analyzing traffic that runs across the company's far-flung IP backbone, which includes more than 500 Windows 2003 servers and IBM AIX database servers, plus 4,000 Windows XP workstations and Macintosh computers at 45 sites around the country.

No Java, Mac

If you're a Mac user, beware. The NetScreen SA-3020 VPN system requires the latest version of Java, which isn't supported in Mac OS 9.0 or previous releases. Unfortunately, two Quad/ Graphics customers that needed access to the printing company's applications were running OS 9. Because the Mac-based customers couldn't use the VPN, Quad's IT team had to fashion them a secure Web connection using Whale Communications' E-Gap security appliance, enabling them to authenticate to the network and get to their applications.

Mac users are left out in the cold with Juniper's NetScreen SSL-based Secure Meeting appliance, too. Quad is testing the device, an internal WebEx-style meeting package for the VPN, as a possible means of reducing its WebEx costs. But while Secure Meeting supports Mac OS, Mac users can't actually share data in a Web meeting; they can only attend a Secure Meeting as passive participants.Meanwhile, Quad/Graphics is gradually switching the rest of its customers over to the SSL VPN. But it hasn't completely retired the old IPsec VPN just yet--the IT team still can use it for managing or maintaining network nodes.

"We have some limited use for some of our support personnel," Drewek says. Damian Drewek: Director of technical services, Quad/Graphics

Damian Drewek, 38, oversees Quad/Graphics' IT infrastructure--data, voice, network administration and desktop systems. He's been at the printing company for 18 years and in IT for 19. He holds an associate's degree in computer science from Milwaukee Area Technical College and a B.S. in management from Upper Iowa University.

If I knew then what I know now: We wouldn't have been as open as we were in making the IPsec VPN available to suppliers. We were more susceptible to attacks and viruses than we ever expected. Fortunately, we were always able to avoid a major issue from attempted attacks, but every time we'd hold a debriefing on the cause of the attack, VPN was a topic.

Why IPsec isn't for everyone: You have options today, so you should do your own [technology and risk] assessment and see what fits best.Most unnerving attack: We had instantly blocked a major virus or worm outbreak, and thought we had it under control. Then we noticed it had gotten in, so we contained that. We think it came through the VPN from a laptop later that day.

What's unique about a printing business VPN: Our work flow is intimate--our process is very much a part of the customers' process and vice versa. It's crucial that we understand their process, and that they are part of our process going into production. Every job is unique, too, because every magazine is unique. We're not just cranking out widgets.

Biggest mistake made in technology circles: A lack of process and change-management procedures.

Best advice: Never stop trying to attain your goals, no matter how hard you think it will be.

Biggest bet: I don't gamble that often, but I bet $100 on the Super Bowl every year and always lose.For fun: Reading, woodworking and water skiing.

Wheels: I just bought a brand-new BMW. I've always kept cars for a long time, and I like to tinker with them. This time I wanted a new, sporty, nicer car.

When Damian Drewek first proposed moving Quad/Graphics' production groups from an IPsec VPN to an SSL VPN, they balked at the idea.

"They felt we had a solution, so why spend more money?" recalls Drewek, Quad's director of technical services. He and his IT team explained that the IPsec VPN had security flaws, and that the more secure SSL VPN would be a better fit for the company's overall business continuity and security initiative, which called for replacing IPsec VPN access. SSL is also less labor-intensive, Drewek's team maintained--unlike IPsec, there's no client software to manage.

With the bottom-up corporate culture at Quad/Graphics, IT could win approval from upper management only if it sold the production teams on the SSL approach. A VPN changeover wasn't in the company's tight IT budget."We needed to sell this to the production side," Drewek explains. "If we hadn't gotten their approval, the CIO might have put the kibosh on it, because we didn't have the budget for it." The SSL VPN would have been put on hold until next year, when it would be more of a sure thing, he says.

But Drewek and his team did convince production that SSL was the way to go, and the VPN project sailed through the approval process. Drewek won't disclose how much was budgeted to buy the Juniper Networks NetScreen Secure Access 3020 VPN appliances, but he admits the business continuity and security programs were the vehicle for getting the green light.

"These initiatives require that we provide access to our automated systems," Drewek says.

As part of its disaster-recovery and business- continuity strategy, Quad also runs a secondary data center 15 miles from its headquarters in Sussex, Wis. The additional data center operates as a load-sharing backup site, but can also take over in the event of a disaster or outage at headquarters. A pair of NetScreen SA 3020s runs at that site as well.