Guest

Secure Remote Access

Global Design and Engineering Firm Empowers Remote Workforce

  • Viewing Options

  • PDF (82.9 KB)
  • Feedback

Mentor Graphics uses Cisco ASA VPN Solution and MultiFactor SecureAuth to enable remote employees to work securely.

Challenge

Mentor Graphics is a leading global provider of software and services for designers of microchips and electronics components. The company provides custom solutions to help leading wireless, Internet, and computer companies build better products, more quickly.
Mentor Graphics supports thousands of engineers, sales executives, and other employees at remote offices and on-site customer locations worldwide. As a result, the company needs secure, versatile solutions to connect remote employees with the corporate network. In fact, three-quarters of the Mentor workforce use remote access at least once a month. Mentor also works with many contractors who need remote connectivity.
"The way we do product development, our employees need access to virtually everything on the network worldwide," says Case Van Horsen, network engineer for Mentor Graphics. "We also need to be able to connect outside contractors but restrict them to only those resources they require."
At the same time, the company must help ensure that remote connections are completely secure and that all remote users are properly authenticated. After all, the Mentor Graphics network hosts valuable intellectual property from its customers and the company's own solutions, which must be protected at all times.
In 2008, IT leaders at Mentor Graphics were looking to upgrade the company's VPN remote access solution to more efficiently support the nature of their workforce and business. They wanted a solution that was more flexible and easier to maintain.
"With the previous VPN solution, we had to provide every user with a physical token to authenticate with the system," says Van Horsen. "That added both costs and delays to our processes. If a sales person arrived at a hotel without a token and needed access that night, for example, there was no way to provide it. Managing the token renewal process was also cumbersome and time-consuming."
Mentor Graphics' previous VPN solution was based on IP security (IPsec) technology, which meant that all users had to have client applications installed on their PCs to use VPN. This caused other problems, due to the fact that many networks are configured to block IPsec access.
"Many times employees would be at a customer site where the IPsec clients didn't work," says Van Horsen. "Those employees would have to go back to their hotels any time they needed to download files."
Mentor Graphics' new VPN solution would have to support the company's complex mobile worker environment and user authentication requirements. They had employees using a variety of operating systems (Microsoft, Linux, Mac OS), and multiple user directories spanning a global footprint.

Solution

Mentor Graphics IT leaders wanted a new VPN solution that could provide both IPsec and SSL-based VPN connectivity. They also wanted to eliminate the use of physical tokens to authenticate users, and enable more flexibility in granting different access levels to employees and contractors. At the same time, the company needed to help ensure that the authentication process for validating remote users was just as strong as ever. Mentor Graphics found the ideal solution with a combination of the Cisco ® ASA 5500 Series Adaptive Security Appliance VPN Edition and certificate-based authentication from MultiFactor Corporation.
"When we evaluated the various remote access equipment providers, Cisco was our first choice," says Van Horsen. "The Cisco ASA VPN Solution offers excellent capabilities for client support and granular remote access, and compatibility with our existing VPN client environment. It also integrates very well with the MultiFactor SecureAuth system. That combination made it a very compelling solution."
The Cisco ASA 5500 Series VPN Edition is an industry-leading security appliance that provides intelligent, advanced VPN services and threat defense. MultiFactor's SecureAuth solution augments the Cisco platform with a versatile, certificate-based authentication mechanism that allows Mentor Graphics' IT staff to easily configure remote access for employees and contractors.
"It's too easy in the modern world for a user name and password to be stolen, so we needed a stronger way to control access," says Van Horsen. "A lot of solutions are based on security certificates on user machines, but we had to overcome some major challenges in deploying them. We have multiple authentication infrastructures and multiple operating systems in our environment. We also have several authentication scenarios depending on whether the user is an employee in a branch office, an employee who is traveling, or an external partner. Each has different authentication requirements. This was the only solution that could meet all of those needs."
In fact, the SecureAuth solution was developed specifically to address these types of complex authentication environments, as explained by Craig Lund, chief executive officer of MultiFactor.
"Our solution incorporates unique features so that no matter what kind of operating systems or security environments businesses have, we can deploy the certificate in the most secure manner possible with the Cisco ASA VPN Solution, and block any phishing or man-in-the-middle attack," he says.
The MultiFactor solution was also designed from the start to integrate with the Cisco ASA VPN Edition.
"One of the key differentiators of our product is that it literally works with the Cisco ASA platform out of the box," says Lund. "That's the biggest compliment we get: that SecureAuth blends in with the Cisco ASA platform and effectively becomes invisible. After users register the first time, they don't even realize they're using it."

"The Cisco ASA 5500 Series offers excellent capabilities for client support and granular remote access, as well as compatibility with our existing VPN client environment. It also integrates very well with the MultiFactor SecureAuth system. That combination made it a very compelling solution."

- Case Van Horsen, Network Engineer, Mentor Graphics

Results

Today, Mentor Graphics is able to support its global remote workforce more securely and efficiently than ever before. The company can grant access rights to remote users for any duration or level of access required, with virtually the entire process occurring automatically.
"The Cisco and MultiFactor solution allows us to provision remote access much more quickly, and improves the agility of our company," says Van Horsen. "For example, we recently had a request from some contractors who needed access to their files while overseas. We were able to provide them access to the specific files they needed within minutes, while protecting the rest of the network. This would not have been possible with our previous solution."
These capabilities have a direct impact on Mentor Graphics' many remote users. Employees and contractors no longer have to keep track of a physical token or deal with delays while they wait for one to be shipped. Using the Cisco AnyConnect client for SSL VPN connectivity, they can also work from customer locations where they previously would have been cut off from the Mentor Graphics network.
"The new Cisco VPN solution works in more places and is more reliable," says Van Horsen. "The client software is also easier for our employees to update, and much easier for my team to deploy."
The solution is also cost-effective, reducing the ongoing operational expense of managing worldwide remote access.
Most importantly, Mentor Graphics can continue to support its global remote workforce knowing that vital intellectual property on the network will be protected.
"Remote access is such an important part of our business strategy," says Van Horsen. "With the Cisco and MultiFactor solution, we can continue to provide that access while maintaining the strongest security."

Next Steps

In the coming months, Mentor Graphics plans to extend its secure remote access solution even more, and allow employees to connect with the corporate network over mobile devices. The Cisco ASA 5500 Series platform and MultiFactor SecureAuth solution can easily accommodate these devices, and help mobile employees work even more efficiently and productively.

Technical Implementation

The Cisco ASA 5500 Series VPN Edition allows Mentor Graphics to use the Cisco AnyConnect VPN Client to connect employees using SSL VPN, while continuing to support the existing IPsec environment. Included in the Cisco ASA 5500 Series and supporting multiple operating systems, the Cisco AnyConnect VPN Client establishes end-to-end, encrypted VPN tunnels for secure connectivity. Mentor Graphics also uses the ASA VPN Edition to provide "clientless" SSL connectivity over a standard web browser for contractors and employees who need temporary access.
With MultiFactor's SecureAuth solution, access can be assigned for as little as two hours, or up to two years. The system is completely automated, and largely self-service. For example, the first time users seek access to protected resources, they are redirected to a secure, web-based registration portal. The system verifies the requestor's identity and level of access. It then performs a secondary verification via a text message to the user's mobile phone or email account before assigning a certificate to the user's machine. The entire process happens automatically. As a result, Mentor Graphics can connect remote users with confidence, without any manual certificate or authentication processes required from the company's IT staff.

For More Information

To find out more about the Cisco ASA 5500 Series and other Cisco security solutions, visit http://www.cisco.com/go/security.
For more information about MultiFactor Corporation and the SecureAuth solution, visit http://www.multifa.com/.