
Agribusiness Ramps Up Secure VPN

James Richardson International is about to upgrade its SSL VPN security for more mobile device access and expansion of its B2B operations

SSL sometimes gets a bad rap for making VPNs more vulnerable to cross-site scripting or buffer overflow attacks. But SSL VPNs still typically beat out IPSec-based VPNs when it comes to convenience (no client software required) and expandability.

Take James Richardson International, which is about to upgrade to a second phase of its Secure Sockets Layer VPN. JRI, which handles and processes grain and manufactures canola-based products, hopes to leverage more mobile devices for remote access for its distributed sales force in the U.S. and Canada. It's currently beta-testing Aventail Corp.'s ST2 SSL VPN appliances alongside its existing model 1500 appliances.

The VPN currently supports 1,000 remote users at JRI and 100 of its business partners, which range from transportation companies to grain elevators. JRI is currently awaiting Aventail's final version of the Aventail ST2 SSL VPN platform, which ships this month, to go operational with the second generation of its VPN. JRI chose the SSL VPN because there was no client software and there weren't any firewall restrictions, as with IPSec. "If you can find a computer, you can connect to JRI," says Paul Beaudry, director of tech services for JRI. "But it's not for the average home user. It's for notebook users running local apps who need a network pipe."

One of the key new security features JRI will deploy is device watermarking, which will ensure that mobile devices accessing the VPN are legit, according to Beaudry. Each mobile device gets a digital certificate, so if a JRI sales rep loses his Treo, it gets blocked from the network but he can still log onto the network with his notebook computer, which has its own cert. "In the past, we didn't leverage mobile devices on the VPN," Beaudry says. "Now with these additional controls, we're more comfortable with providing mobile devices [access]."

The new version of the VPN also will let JRI expand secure access to its business partners with its so-called "nul authentication support," with more device-level authentication using certificates. "This bypasses authentication," he says. A trucking partner's application, for example, would automatically create a tunnel via their browser to a JRI app to share its shipping data. "It has an automated process to move data to us but bypasses a human logging onto a portal page." That will help JRI expand the VPN use to its business partners, he notes.

This feature is still a "work in progress" for Aventail, he says, and it would require issuing certs to its business partners and instituting some other access control functions. JRI is running two Aventail EX-1600s in test mode alongside its 1500s. The EX-1600 is priced at $9,995.

But what about security problems with SSL? Beaudry says he's comfortable with SSL security, although there's always the threat of a hacker grabbing session keys from one of his users. "But once that session has ended, there's a new session and new hashes," so the attacker would have to start all over.

"My biggest risk is a user losing his or her notebook itself and all the files on it, versus someone [unauthorized] connecting to the company with a notebook. Our business isn't retail, so we're not dealing with credit cards and Social Security numbers. We’re business-to-business, so it's a balance for our security and access."

And users only get access to the apps to which they are authorized. "The beautiful thing about the SSL VPN is it's so granular," he says. "Managers can see all the screens for their locations, and users just [see] the ones for the work they do."

Beaudry says he never seriously considered IPSec because of the client software and the fact that users couldn't just jump on the VPN from the road. JRI's network consists of Cisco PIX firewalls with Triple DES-encrypted tunnels and 10- to 100-Mbit/s pipes at its data center.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

