Local Authorities Association Zell

Secure and economical networking between municipalities with Network Access Client and VPN Client


Summary

Associations of local authorities are regional authorities formed for the purpose of the common good and consist of neighboring communities in the same county. The Local Authority Association Zell (Moselle) thus consists of the town of Zell (Moselle) and the local communities Alf, Altlay, Altstrimmig, Blankenrath, Briedel, Bullay, Forst, Grenderich, Haserich, Hesweiler, Liesenich, Mittelstrimmig, Moritzheim, Neef, Panzweiler, Peterswald-Löffelscheid, Pünderich, Reidenhausen, Schauren, Sosberg, St. Aldegund, Tellig and Walhausen, with around 17,000 inhabitants. The Local Authority Associations fulfill, in conjunction with the local communities, public duties for the local communities. They are self-administering and operate on their own responsibility within the framework of the Constitution and the Law.

Highest level security specifications and limited IT budgets – these two contradicting poles are typical of the situation in many towns and local authorities that are aiming to optimise their internal and external processes using networks. This delicate balancing act can work however, as the example of the Local Authorities Association in Zell (Rheinland-Pfalz, Germany) shows. The association not only includes the famous wine producing town of Zell on the river Mosel, but also a further 23 local municipalities. A VPN solution has been realised with Network Access Client and VPN Client that not only stands up to the critical judgment of the district data protection delegate, but also meets the local authorities’ implementation and operation specifications. The local authorities in the Zell Association are already benefiting from considerable increases in efficiency for recording employees’ work time, and in the future they will also be able to integrate more applications and telework jobs easily and securely.

“The data protection specifications in public administration are – quite rightly – extremely high, because this is where sensitive information is stored relating to local citizens such as tax and registration,” explains Reinhard Zimmer, the IT and Security Manager for the Local Authorities Association in Zell. “At the same time municipalities in particular must consider how best to exploit all potentials in order to optimise their processes and keep costs under control.” This objective could not be implemented satisfactorily with the existing firewall, for which the licence term was about to expire. Other model projects for local authorities failed to meet the requirements and were also not suitable for the situation in Zell. As Reinhard Zimmer explains: “The costs involved for especially hardened clients and gateways in each department would clearly exceed our authority budget. But at the same time we were also looking for functions like a client-healthcheck or the ability to manage parallel Internet connections. I was certain that there had to be something better and less expensive available on the market.”

In the end, the decisive tip came from CSW Customer Service, based in the town of Simmern. The company had provided support in the past for the old firewall solution and, as a system company, had many years of experience in the IT security area. “The solution portfolio of Barracuda Networks allows the hardware and licences to be adapted precisely to fit the real requirements of municipalities, even if these change as time goes by,” explains Henry Luschert from Barracuda Networks’ Partner company CSW. “For example, the advantages of two internet lines can be utilised without having to make investments in the largest of computers. Moreover, the security performance is beyond any doubt an important factor for municipalities that have to present their security concepts to the respective district data protection delegate for assessment – as the EAL 4+ certification rating by the BSI confirms.” These arguments convinced both Reinhard Zimmer and the Local Authorities Association in Zell. The implementation followed soon after a short conception and test phase. The Barracuda NextGen Firewall F-Series was implemented in just one and a half weeks and includes a firewall and VPN gateway, anti-virus scanner and content filtering. All workplaces in the various branch offices were converted to give them VPN access.

The Heart of the Security: Network Access Client and VPN Client

The core element of the security infrastructure is formed by a Barracuda NextGen Firewall F-Series, which is connected via two parallel Deutsche Telekom DSL lines – one for VPN and one for web data traffic. This division was particularly important for Reinhard Zimmer: “At that time we had absolutely no experience with the access times so we just weren’t sure whether or not we would be creating a bottleneck. We therefore opted for a connection via two DSL lines in order to rule out this possibility from the outset.”

Unlike the products of many other manufacturers, the Barracuda NextGen Firewall F-Series supports the use of several internet lines (if required also using differing connection techniques or providers) as an integral feature. In addition to increased performance and availability, factors such as cost optimisation and scalability also speak in favour of this option, as Henry Luschert confirms: “The Barracuda NextGen Firewall F-Series enables the use of less expensive connection techniques without having a negative impact on the availability. As a result, expensive processes, such as MPLS for example, become superfluous for municipalities in many cases. In the future the performance can also be increased flexibly by expanding the DSL capacities in order to utilise additional application scenarios.”

Are you in Good Health? Client-check Prior to Access

Those responsible for security, like Reinhard Zimmer, know that the clients, not the gateways, are the primary targets for attacks in a VPN network. So a focus was placed from the outset upon protecting the workplaces in the branch offices. Network Access Client and VPN Client provide comprehensive protection here in conjunction with the VPN Client Software included in the package, which far exceeded the standard. The foundation of the VPN communication between the gateway and the clients is formed by standardised IPSec connections which are optimised via a special Barracuda Networks process and patents (IPSec in UDP, TCP and SSL Encapsulation). What makes it so special? A connection to the server or to the database is only established if the client has successfully passed a so-called “health check”. Access is only possible if the Network Access Client and VPN Client decides that the client meets the defined security requirements. In this way it can be guaranteed, for example, that the operating system’s patch status is up to date and that the anti-virus or anti-spyware patterns meet the latest standards. The clients’ status can also be checked at regular intervals after the connection has been established, so that the network is protected at all times against manipulated, infected or obsolete clients. There is more, too: Reinhard Zimmer and CSW also integrated the authorisation of each individual user via an OTP (One Time Password) USB token. In this way remote users can only participate in the Zell Local Authorities Association’s services once they have registered, using a “one time password” and a personal certificate, at the domain login which has been authorised especially for them. So each VPN access includes the following elements: user certificate on the token, health check by the Network Access Client and VPN Client, OTP eToken, user authorisation (domains) and authorisation by terminal services (Office, time recording etc.).
At the same time users’ network activities can be traced. “The health check in the Network Access Client and VPN Client is an important feature for the Zell Local Authorities Association which has allowed us to vastly improve the security level and set the foundations for integrating the telework stations,” says Reinhard Zimmer. “Functions like this – which are lacking in many infrastructures for comparable municipalities – confirm to us that we have made the right decision by investing in Network Access Client and VPN Client.”

About Barracuda

Barracuda provides cloud-connected security and storage solutions that simplify IT. These powerful, easy-to-use, and affordable solutions are trusted by more than 150,000 organizations worldwide and are delivered in appliance, virtual appliance, cloud, and hybrid deployments. Barracuda’s customer-centric business model focuses on delivering high-value, subscription-based IT solutions that provide end-to-end network and data security. For additional information, please visit barracuda.com.

About the Barracuda NextGen Firewall F

The Barracuda NextGen Firewall F-Series is the enterprise-grade network firewall that combines comprehensive, next-generation firewall capabilities - based on application visibility and user-identity awareness - with optimal efficiency and throughput. Coordinated WAN optimization, centralized management, and cloud-hosted content filtering and reporting are just a few of the key features supporting enterprise requirements.

Barracuda NextGen Firewall F Fast Facts

  • Powerful next-generation firewall
  • Intelligent data traffic regulation and profiling
  • Central administration of all the functions
  • Integrated IDS/IPS
  • Integrated IQoS- and Link-Balancing
  • Predefined and Role Based configuration