Agribusiness Ramps Up Secure VPN

James Richardson International is about to upgrade its SSL VPN security for more mobile device access and expansion of its B2B operations

SSL VPNs sometimes get a bad rap for being more exposed to cross-site scripting or buffer overflow attacks. But they still typically beat IPSec-based VPNs on convenience (no client software required) and expandability.

Take James Richardson International, which is about to upgrade to a second phase of its Secure Sockets Layer VPN. JRI, which handles and processes grain and manufactures canola-based products, hopes to leverage more mobile devices for remote access for its distributed salesforce in the U.S. and Canada. It's currently beta-testing Aventail Corp.'s ST2 SSL VPN appliances alongside its existing model 1500 appliances.

The VPN currently supports 1,000 remote users at JRI and 100 of its business partners, which range from transportation companies to grain elevators. JRI is currently awaiting Aventail's final version of the Aventail ST2 SSL VPN platform, which ships this month, to go operational with the second generation of its VPN. JRI chose the SSL VPN because there was no client software and there weren't any firewall restrictions, as with IPSec. "If you can find a computer, you can connect to JRI," says Paul Beaudry, director of tech services for JRI. "But it's not for the average home user. It's for notebook users running local apps who need a network pipe."

One of the key new security features JRI will deploy is device watermarking, which will ensure that mobile devices accessing the VPN are legit, according to Beaudry. Each mobile device gets its own digital certificate, so if a JRI sales rep loses his Treo, that device gets blocked from the network, but he can still log onto the network with his notebook computer, which has its own cert. "In the past, we didn't leverage mobile devices on the VPN," Beaudry says. "Now with these additional controls, we're more comfortable with providing mobile devices [access]."

The new version of the VPN also will let JRI expand secure access to its business partners with its so-called "nul authentication support," with more device-level authentication using certificates. "This bypasses authentication," he says. A trucking partner's application, for example, would automatically create a tunnel via their browser to a JRI app to share its shipping data. "It has an automated process to move data to us but bypasses a human logging onto a portal page." That will help JRI expand the VPN use to its business partners, he notes.

This feature is still a "work in progress" for Aventail, he says, and it would require issuing certs to its business partners and instituting some other access control functions. JRI is running two Aventail EX-1600s in test mode alongside its 1500s. The EX-1600 is priced at $9,995.
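To make the per-device certificate model behind the watermarking and the certificate-based partner access concrete, here is an added example (not JRI's or Aventail's code): a constructed CA issues one client certificate per device, the gateway-side check verifies the chain and client-auth usage, and revoking a lost handheld's serial blocks that device while the same user's notebook still connects. The CA name, user and device names, serials and the in-memory revocation set are all assumptions; a real deployment would publish revocations via a CRL or OCSP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// DeviceCA is a constructed issuing CA standing in for the appliance's own; Revoked holds serials of lost devices.
type DeviceCA struct {
	Cert    *x509.Certificate
	Key     *ecdsa.PrivateKey
	Revoked map[string]bool
}
// sign gives tmpl a validity window, signs it under issuer and returns the parsed certificate.
func sign(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// NewDeviceCA creates a self-signed CA that may only sign certificates (assumed setup, not a vendor API).
func NewDeviceCA() *DeviceCA {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Device CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return &DeviceCA{Cert: sign(tmpl, tmpl, &key.PublicKey, key), Key: key, Revoked: map[string]bool{}}
}
// IssueDevice binds one certificate to one device of one user; the serial identifies the device alone.
func (ca *DeviceCA) IssueDevice(user, device string, serial int64) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		Subject:  pkix.Name{CommonName: user, OrganizationalUnit: []string{device}},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(tmpl, ca.Cert, &key.PublicKey, ca.Key)
}
// Revoke marks one device certificate (e.g. a lost handheld) as no longer trusted.
func (ca *DeviceCA) Revoke(c *x509.Certificate) { ca.Revoked[c.SerialNumber.String()] = true }
// Admit is the gateway-side decision: chain to our CA, client-auth usage, valid dates, not revoked.
func (ca *DeviceCA) Admit(c *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err := c.Verify(opts)
	return err == nil && !ca.Revoked[c.SerialNumber.String()]
}
```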

But what about security problems with SSL? Beaudry says he's comfortable with SSL security, although there's always the threat of a hacker grabbing session keys from one of his users. "But once that session has ended, there's a new session and new hashes," so the attacker would have to start all over.

"My biggest risk is a user losing his or her notebook itself and all the files on it, versus someone [unauthorized] connecting to the company with a notebook. Our business isn't retail, so we're not dealing with credit cards and Social Security numbers. We're business-to-business, so it's a balance for our security and access."

And users only get access to the apps to which they are authorized. "The beautiful thing about the SSL VPN is it's so granular," he says. "Managers can see all the screens for their locations, and users just [see] the ones for the work they do."

Beaudry says he never seriously considered IPSec because of the client software and the fact that users couldn't just jump on the VPN from the road. JRI's network consists of Cisco PIX firewalls with Triple DES-encrypted tunnels and 10- to 100-Mbit/s pipes at its data center.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
