Remote access using VPN
There are various approaches to remote access in use by government departments, large businesses and smaller businesses like general practices. One that is cost-effective and fits the remote access needs of practices is a hardware-based Virtual Private Network (VPN) for security, with free or proprietary remote control software, such as VNC or pcAnywhere, running inside the VPN tunnel.
This two-level approach of a hardware-based VPN with remote control software running inside the tunnel has a number of benefits, including good security, moderate hardware and set-up costs, robustness, and ease of maintenance and use. The VPN can provide a temporary or permanent connection, as desired, with desktop-level access control provided by the remote control software.
I have set up and maintained a number of these for some time now, and it is clear that users find them simple to use and that they afford excellent security, so long as appropriate safeguards are maintained.
What I particularly like about hardware-based VPN technology, from a philosophical as much as a technological viewpoint, is that remote access security is independent of the PCs on either network, especially those holding the practice's data: the routers do the authentication and encryption, so a problem on a PC cannot weaken the tunnel itself (though it can still misuse the access the tunnel grants, which is why the safeguards described below matter). Practices so far have chosen to keep all the data at the practice, which also lets the remote access link be used as part of their backup solution.
How is it used?
A couple of examples of how the technology has been used follow:
The husband-and-wife principals of a nine-GP medical centre can both log in after hours from their own PCs at home. One primarily does the checking and transmitting of Online Claiming batches and the accounting for the practice, while care planning and other clinical reporting is done by both doctors. Occasional out-of-hours phone requests for clinical information can be satisfied very easily. Server maintenance is performed remotely at times as well.
Individual PCs at the practice are accessed through a single tunnel, with a choice of either VNC or pcAnywhere for remote control, depending on whether remote printing is desired.
A GP and his Physiotherapist wife both access their practice server. The physiotherapist mainly uses MYOB for accounting, while her husband does reporting, batching and other clinical-related recording and reports.
What VPN technology is in play?
For those not familiar with VPN technology, I will be discussing the flavour known as IPsec VPN. In the set-up described here the two routers hold a matching secret (the pre-shared key) that they use to authenticate each other and to agree the session keys that then encrypt every packet sent over the Internet. It can be contrasted with application-level encryption such as SSL/TLS, where only the data inside the IP packet is encrypted before transmission while the packet headers themselves travel in the clear; the IPsec tunnel encrypts the whole original packet, headers included.
The resulting packet is sometimes referred to as a superpacket: the original IP packet is wrapped inside a new outer packet addressed from one router to the other, and only the two ends of the tunnel can unwrap it. Whilst some IPsec VPN implementations use client software at the remote end of the connection, what I'm describing is an approach using VPN routers at both ends.
The VPN routers in question offer Network Address Translation (NAT) and Stateful Packet Inspection (SPI) firewalling in addition to the VPN itself, so they also protect the whole network at either end of the connection, not just the tunnel traffic.
For more information about VPN and lots of other security technologies, have a look at the Gibson Research Corporation's weekly Security Now podcast. Episode 17 addresses various flavours of VPN technology.
What the end-user sees
Anyone who has used any form of remote control software would be completely at home with this form of remote access. For those who haven't, imagine opening another PC's screen on your desktop and using it as if you were sitting at the remote PC's console. The user interacts with the VNC or pcAnywhere software; the VPN itself is invisible to the end user.
VNC remote control runs faster over ADSL and is freeware, but pcAnywhere can allow remote printing as well. This adds flexibility where hard copies of financial summaries, reports or care plans are needed for mailing or accounting purposes, or even for printing scripts for home or nursing-home visits without returning to the practice first. For many, the extra cost of pcAnywhere may be worthwhile.
I'm currently deploying $84 Linksys AG-300 ADSL modem/router/switch devices. They support IPsec VPN and the various flavours of ADSL very well. They come with all ports configured in stealth mode (no response at all to unsolicited probes from the Internet), and because the router terminates the tunnel itself you don't need to touch any port settings when setting up the VPN.
I have practices using either the AG-300 or D-Link DI-804HV VPN routers with ADSL modems in bridge mode. One VPN connection set up between two Division offices used an existing Linksys router with an existing Cyberguard firewall/VPN router.
Remote access using the technology outlined works adequately with ADSL 512/128 and better with faster connections. To date I've not attempted to use VPN routers with Telstra cable. Perhaps it should stay that way, except that some potential VPN users' homes may already have it.
The connected networks, even if the remote network is a solo PC, require different IP address ranges, because the tunnel routes between them (e.g. 192.168.1.0/24 at the practice and 192.168.2.0/24 at the home; if both routers ship with the same default range, change one of them). Ping works across the tunnel to test connections. The remote network isn't visible in Network Neighbourhood in Windows, since browsing relies on broadcasts that don't cross the tunnel, so remote machines are reached by IP address. The IP address details of both ends and the pre-shared key are needed when setting up the VPN.
VNC and pcAnywhere both use usernames/passwords for desktop security. The VPN routers do likewise for both local and remote administration, so the risks of tampering by persons with access to the remote PC are minimised. Remote administration of the routers adds flexibility, especially during the set-up stage, but it exposes the router's admin interface to the Internet, so it is best switched on only while needed. Re-enabling it for periods when problems such as repeated ADSL outages are occurring can also be very helpful.
ADSL connections with static IP addresses are great because they are very simple to set up in the router: each end is configured with the other's fixed address. On the other hand, both types of router I've used support dynamic IP addresses, and this seems to work reliably as well. For practices still enjoying their Broadband for Health connections, it's perfectly feasible to use dynamic IP addressing at the remote site (the practice router accepting the tunnel from whatever address the remote end currently has), or a service like DynDNS.com, which keeps a hostname pointing at the remote router's current address. Both ends or one end can use DynDNS successfully.
Configuration options can be varied. The routers support multiple tunnels, which would allow connections to or from several locations. To date, the prevalent option has been a single tunnel with one or more remote control sessions running through it, but a many-to-many arrangement is also possible.
The number of tunnels and hosts the routers support at either end may become a consideration in larger installations, where a number of simultaneous connections are desirable.
Things that end-users must and must not do
The importance of quarantining the kids from the computer used for remote access can't be stressed enough to end users, and neither can the importance of closing the remote desktop session when it's not in use. The worst consequence I've seen of not exercising enough care is the deletion of a host configuration, preventing access.
As in any business environment, good security practice is vital both at the practice and at the remote site, since the remote PC is effectively a member of the practice network while the tunnel is up, though the risk of a nasty going down the tunnel to the practice should be limited with this configuration.
Can practice security ever be guaranteed, or is good practice ultimately the adoption of procedures and an implementation that covers as many issues as are known?
Not actually a show-stopper, but a lousy ADSL connection that keeps dropping out mid-VPN session is a big pain in the butt. This is not the place to try to save a few dollars by taking up a special deal. Have a look at the Broadband Choice ISP directory and select one of the ISPs rated highly there.
MTU (Maximum Transmission Unit, the largest IP packet a link will carry) issues may prevent the VPN from connecting, or from passing traffic reliably, with some flavours of ADSL2+ until you reduce the MTU settings on the routers and the attached PCs. This occurs because IPsec wraps and encrypts each packet and adds its own headers, so a full-sized 1500-byte packet from a PC comes out longer than the ADSL link will carry; starting with a shorter packet keeps the wrapped packet within the limit. Tools like DrTCP make this easy on Windows PCs.
Optus cable is out. Optus don't open ports on their cable network, full stop, and UDP port 500 (used by IKE to set up the tunnel) is blocked. Don't waste your time trying to talk them around, as I've done.
Various brand-specific VPN implementations aren't necessarily compatible. IPsec is a standard, but two routers only connect if their IKE settings (encryption and hash algorithms, Diffie-Hellman group, key lifetimes, perfect forward secrecy, and the identifier each end presents) can be matched, and consumer routers expose only some of these. For example, the D-Link VPN router and the Linksys AG-300 won't play together, alas. For a simple life, I now use the Linksys at either end.
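To make the packet wrapping described earlier and this MTU problem concrete, here is an added Python example; it is not code from the article or from any router vendor. It does the byte accounting for an IPsec ESP packet in tunnel mode (new outer IP header, ESP header, IV, padded inner packet plus trailer, integrity check value) and works out the largest inner packet, and so the MTU to set on the PCs, that still fits an ADSL link. The parameters are assumptions, not taken from the article: IPv4 at both ends, AES-128-CBC or 3DES-CBC with HMAC-SHA1-96, optional UDP encapsulation for NAT traversal, and 1492 bytes as the usual MTU of a PPPoE ADSL link (1500 for PPPoA or Ethernet).

```python
"""Byte accounting for an IPsec ESP tunnel and the inner MTU that leaves room for it.

Added illustration, not code from the article or any router vendor.
Assumed parameters (none come from the article): IPv4 at both ends, ESP in
tunnel mode with the RFC 4303 layout, AES-128-CBC or 3DES-CBC for encryption,
HMAC-SHA1-96 for integrity, and optional UDP encapsulation for NAT traversal.
"""

IPV4_HEADER = 20   # outer IP header the router adds in tunnel mode
UDP_HEADER = 8     # extra UDP header when NAT traversal (UDP 4500) is in use
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad-length byte + next-header byte, encrypted with the payload
TCP_HEADER = 20    # used to convert an MTU into a TCP MSS (no TCP options)

# cipher name -> (IV length, block size), both in bytes
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
# integrity algorithm -> ICV length in bytes
INTEGRITY = {"hmac-sha1-96": 12, "hmac-md5-96": 12}


def _fixed_overhead(cipher, integ, nat_t):
    """Overhead that does not depend on the size of the inner packet."""
    iv, _block = CIPHERS[cipher]
    icv = INTEGRITY[integ]
    return IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv + icv


def esp_tunnel_length(inner_len, cipher="aes-cbc", integ="hmac-sha1-96", nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes.

    The inner packet (its own headers included) plus the 2-byte trailer is
    padded up to a whole number of cipher blocks before encryption; the IV,
    SPI/sequence header and ICV go around the ciphertext, and a new outer IP
    header in front of it all.
    """
    _iv, block = CIPHERS[cipher]
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block      # round up to a whole block
    return _fixed_overhead(cipher, integ, nat_t) + padded


def max_inner_mtu(outer_mtu, cipher="aes-cbc", integ="hmac-sha1-96", nat_t=False):
    """Largest inner packet that still fits in outer_mtu after encapsulation.

    This is the MTU to set on the attached PCs (and the routers' LAN side)
    when a 1500-byte packet would otherwise come out too long for the link.
    """
    _iv, block = CIPHERS[cipher]
    room = outer_mtu - _fixed_overhead(cipher, integ, nat_t)
    padded = room - room % block                 # only whole blocks fit
    return padded - ESP_TRAILER


def fits(inner_len, outer_mtu, **params):
    """True if an inner packet of inner_len bytes crosses the link unfragmented."""
    return esp_tunnel_length(inner_len, **params) <= outer_mtu


def tcp_mss_for(mtu):
    """TCP segment size that fits in an IP packet of the given MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    # 1492 is the usual MTU of an ADSL link running PPPoE; 1500 for PPPoA or Ethernet.
    for outer in (1492, 1500):
        for cipher in CIPHERS:
            for nat_t in (False, True):
                inner = max_inner_mtu(outer, cipher=cipher, nat_t=nat_t)
                print(f"outer MTU {outer}, {cipher:8}, NAT-T {str(nat_t):5}: "
                      f"inner MTU {inner}, TCP MSS {tcp_mss_for(inner)}")
    # A PC left at the default 1500-byte MTU produces packets that cannot fit.
    print("1500-byte inner packet on the wire:", esp_tunnel_length(1500), "bytes;",
          "fits in 1492?", fits(1500, 1492))
```

With AES-CBC and no NAT traversal, a 1492-byte PPPoE link has room for a 1422-byte inner packet; a 1500-byte packet straight from a PC becomes 1560 bytes on the wire and has to be fragmented or dropped, which is the symptom the text describes. Real routers may use different algorithms or lifetimes, so treat the figures as the method rather than the answer for a particular model; rounding the PC MTU down a little further (many people use 1400) leaves a margin.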
I would like to acknowledge Paul Crewe of Talltrees Consulting, who first introduced me to this approach at a Blue Mountains IT Expo in 2004 and has subsequently given me invaluable support when learning to implement this technology.
Posted in Australian eHealth