Deutsche Bank Extends Its 20,000-User VPN Using Clientless Technology

Deutsche Bank turned to an innovative technology to beef up security on its VPN by checking client systems in real time for viruses, worms, spyware and other malware.

Software from a company called WholeSecurity allowed Deutsche Bank to extend its conventional VPN, which already had more than 20,000 users, to add an additional 5,000 users over an SSL VPN.

"We're interested in SSL VPNs for a number of reasons, the most obvious ones being that they're easier to use and there's no software to install," said George Young, director of remote computing for Deutsche Bank Worldwide.

SSL VPNs, also known as clientless VPNs, work using Secure Sockets Layer (SSL) encryption, the same technology that gets used in browser-based e-commerce to transmit credit card numbers and confidential information over the Internet. The advantage to using SSL VPNs is that the technology for encrypting and decrypting SSL is already present in almost all browsers, therefore IT managers don't have to worry about installing dedicated VPN software on the client system. That reduces maintenance costs on enterprise PCs and also allows enterprises to open access to the VPN from any client -- users can log in to the VPN from Internet kiosks, PCs on client sites, or any other system with a browser that supports SSL.

"One thing that kept staring us in the face was, what about the end-point? What about the client machine?" Young said. "If we are going to allow people to use any machine from the Internet, how do we make sure that the machine itself is not infected with a Trojan or some kind of malware?"

The conventional way to do that would be to install anti-virus software or a personal firewall on the client system -- but then Deutsche Bank would be back to precisely the situation it was trying to avoid, installing and configuring software on client machines.

Deutsche Bank is using software from WholeSecurity to solve that problem. The Confidence Online software runs on a server on Deutsche Bank's corporate network. When a use accesses the SSL VPN, Confidence Online downloads a browser add-on that monitors the PC for malware. It can be set to look for specific processes running on the host system, and kill those processes. Deutsche Bank started using the WholeSecurity technology in November, and has it deployed to 5,000 users.

In addition to the SSL VPN, Deutsche Bank users a conventional IPsec "fat client" VPN using technology from Nortel and Neoteris, to connect both with home PCs and with employees using mobile devices such as the RIM BlackBerry and handheld computers running the Pocket PC operating system. The conventional, fat-client VPN has more than 20,000 users. Users can install fat-client VPN software at home, and use an SSL VPN from a remote location such as a hotel business center.

While SSL VPNs require less maintenance, the fat client VPN provides the full native ability of the software client. Many applications are still not browser-based, Young noted.

Young said he believes over time fat-client VPNs will become obsolete as the company migrates to Windows XP. Windows XP includes terminal client software that can replace fat VPN clients. Deutsche Bank is currently deploying Windows XP, but the timetable for completing that deployment has not yet been set. "I don't think IPsec VPNs are going to go away anytime soon, but I think that users will naturally gravitate toward functionality that makes it easier for users to do things and not think about it," Young aid.

The WholeSecurity technology is part of the effort to enable users to work effortlessly. "It makes security an enabling technology rather than a punitive technology," Young said. "It's something that allows you to do something, rather than restricts you from doing something. A lot of security is, 'No, you can't do that,' this security allows you to say, 'Yes.'"