When Microsoft Vista and VPNs don't mix.
May 2007
About Deploying Vista: This is the first of what will be an ongoing series examining the challenges of deploying Windows Vista and the considerations that go into the decision to roll out the new OS. The series will highlight the setbacks and successes of those who are at various stages of deployment.
A vast majority of IT shops are moving slowly on Windows Vista, concerned that a company-wide deployment will lead to nightmarish compatibility problems. But for Chris Cahalin, network manager at Papa Gino's Inc. & D'Angelo Sandwich Shops, Microsoft's latest operating system is a must-have because of its much-touted security improvements.
Cahalin applied for entry into Microsoft's Vista Technology Adoption Program (TAP), which allowed participants to pick apart Vista while it was still in beta and have direct access to various engineering groups within Microsoft. His IT department was accepted into the program, pushing the Dedham, Mass.-based restaurant chain well ahead of others in adopting the latest Windows version.
The company has now moved from testing to deployment. Laptops in the organisation are the first to be getting Vista, followed by the remaining Windows devices on the network.
"We already have a district manager with Vista on his laptop, and through TAP we have a direct line to Microsoft in case of trouble," Cahalin said. "The best way to find the kinks is to use it, and these resources have really made things happen for us."
Like many early adopters, Cahalin's IT shop is experiencing the kind of compatibility issues that are typical when a new technology is deployed early. And in Papa Gino's case, the problems don't necessarily stem from bugs in Vista itself.
It didn't take long for Papa Gino's to find the biggest kink: compatibility problems between Vista and the company's VPN technology, which Cahalin deems a critical slice of the company's security program. The company uses a VPN to secure mobile machines in a business where many laptop-wielding employees travel among the company's 400 locations across New England and often get online using wireless hotspots and hotel rooms outside his IT shop's control.
Much of Cahalin's frustration is with Cisco Systems., his VPN vendor, for not being prepared for Vista's arrival. Since the VPN is so important, he is now considering other vendors.
"As far as I'm concerned, Cisco is moving too slowly on this," Cahalin said. "Everyone knew Vista was coming, and all the third-party vendors should have started addressing potential compatibility problems before it was released."
Motivators for early adoption
Cahalin pointed to Papa Gino's reliance on credit card transactions and its determination not to suffer the kind of data breach experienced by companies like TJX Cos. Inc., as the main motivator to deploy Vista early rather than wait until the first service pack.
"Any company can suffer brand damage if customer data gets out," Cahalin said. "Credit cards have been a huge boon to our business and it is our responsibility to protect the data."
The company is also bound by regulatory requirements and industry standards such as HIPAA, Sarbanes-Oxley and the Payment Card Industry's Data Security Standard (PCI DSS), all of which demand that electronically stored data is accurate and secure from online predators.
Cahalin said the security enhancements in Vista are worth the headaches he's suffered over the VPN issue. With Vista, he said, it's a lot easier to lock down individual machines and set network policies for end users. He said it's also easier to secure and connect to legacy applications with Vista. There's even an upside to one of the security features people tend to like the least: User Account Control, which is the source of those pop-up security warnings a user sees when trying to launch certain applications.
"The pop-up boxes are something users will ignore over time, and they are bound to appear most often when people are trying to use all the legacy applications," he said. "But we can get around that simply by setting the right policy. Through policy, you can tell Vista which applications are legit and which ones are not."
Like many Windows administrators, Cahalin has long disliked that Windows would give users local administrative rights, which makes it easier for attackers to take over vulnerable machines. Vista corrects that by blocking local administrative access right out of the box, he said. As for the interface layout, Cahalin admitted it takes some getting used to. Programs and options are not in the same places as they were in earlier versions of Windows. But he said it's a small price to pay given all the extra control Vista gives IT administrators over those programs.
In the final analysis, he said, Vista offers an "astounding level of security" at no cost.
Of course, not everyone agrees. John Moyer, CEO of Portsmouth, N.H.-based security vendor BeyondTrust Corp., said he's heard from a number of customers who think Vista leaves too many decisions in the hands of the end user rather than the company security department.
"Microsoft likes to say Vista is the most secure operating system yet, but the reality is that there are a lot of applications people can't use without administrative rights, and companies don't want to deal with help desk calls every time a user gets one of those confusing, disruptive dialogue boxes," Moyer said. "They also don't like it when the end user has to make a decision on what to run with administrative privileges. There's not enough transparency for the user."
The VPN dilemma
While Microsoft is bound to bear the brunt of any frustrations people have deploying Vista, whether it's the disruption caused by all the dialogue boxes or compatibility issues, Cahalin isn't the least bit upset with the software giant over the hurdles he has faced. Instead, he blames it on Cisco's lack of preparedness on the VPN front.
"The problem is that when you use Cisco you need to live on a Cisco island," he said. "It's very proprietary. The VPN connectivity has been very spotty, and it has always been a matter of Cisco properly supporting Vista."
At the heart of the VPN problem is that Papa Gino's prefers to use a Secure Sockets Layer-based VPN and Cisco hasn't finished the work necessary to make its SSL VPN compatible with Vista. As a temporary workaround, Cahalin is switching to Cisco's IPSec VPN, which was recently made Vista-compatible. But many IT professionals consider SSL VPNs more versatile than those based on IPSec, so the situation is not ideal, Cahalin said.
When told of the problems some Vista adopters have been having with the SSL VPN, a Cisco spokesman confirmed the company had fixed the issues on the IPsec side and is working to make SSL compatible. The networking giant declined to make someone from the VPN team available to offer more detail.
Cahalin is now exploring the possibility of ditching his Cisco 5510 Adaptive Security Appliance (ASA) for another VPN product from Juniper or another vendor. And Cisco isn't the only vendor he's critical of for not being prepared for Vista's arrival. Citrix has also been slow coming to the Vista table, he said, noting that the company only recently released version 10 of the Citrix Presentation Server client, which is designed for Vista compatibility.
Any company that moves ahead with a major OS upgrade is destined to run into compatibility challenges, said Pete Lindstrom, a senior analyst with Midvale, Utah-based Burton Group.
There are a number of possible reasons for Cisco's VPN-Vista issues, Lindstrom said. One of the more likely scenarios is that Cisco is taking its time because so few of its customers are actively deploying Vista at this point.
"Cisco is probably waiting to see what the Vista demand is," he said. "To the extent that not many companies are on the bleeding edge like Papa Gino's and adoption is slow in the bigger picture, Cisco may just see this as a situation where they have more time to work out the VPN problems."
Keeping third-party security
While Cahalin is thrilled with Vista's security muscle, he believes it's still necessary to have multiple layers of security from multiple sources. Cahalin notes that every desktop machine Papa Gino's has purchased since March 2005 is fitted with a trusted platform module (TPM), a chip installed on the motherboard that's used for hardware authentication. The TPM authenticates the computer, rather than the user. To do so, the module stores information specific to the host system, such as encryption keys, digital certificates and passwords.
While Microsoft took the big step of building TPM management into Vista, Cahalin said third-party vendors are still needed to implement truly effective security. He uses a Embassy Trust security suite from Wave Systems Corp. for encryption and is considering full drive encryption options from Seagate Technology. The company has also been deploying Dell laptops with fingerprint readers.
"Long, complex passwords started to get in the way of productivity so single sign-on became a must," Cahalin said.
Between his third-party security vendors and the deployment of Vista, Cahalin said he is much more confident that his company has enough protection in place to avoid a serious data security breach. If Cisco could get its SSL VPN issues figured out, all would be right with the world, he said. Whether Cisco fixes the problem or Papa Gino's goes to another VPN vendor, he said the problem would be solved sooner rather than later.
Moyer agreed third-party security tools will continue to be necessary for the sake of defense-in-depth.
"There's a standard approach to security and it's that it has to be a layered approach," he said. "If you leave all the security to Microsoft it's like leaving the fox in charge of the hen house."
AI
