Ideal Security Practice:
Employees connect to the corporate network from remote locations. The firewall restricts access to all services, and the only way in is through a VPN. This follows best security practice.
Implementation Problem:
With the myriad of cell phones, laptops and desktops involved, it's a challenge to find one standard VPN solution that fits them all. Furthermore, unless your device supports per-app VPN, you have to dial in before doing anything, which decreases productivity. Imagine having to dial in every time you wanted to use company webmail. It's a pain.
Solution:
Use a captive portal. A captive portal intercepts the user's interaction with network resources and, for every action they take, shows them a login page instead. After they log in, they get full access to the network. Right now captive portals are used for Wi-Fi: you get on the Wi-Fi with no password, but you're trapped on the login page until you authenticate. My idea is to use the same technology on the WAN. When someone accesses 22.33.44.55, instead of letting them interact with the web app in question, you redirect them to the secure (HTTPS) captive portal, and they stay there until they authenticate. Once they authenticate, their source IP is allowed to access network resources for a limited period (configurable from 1 hour to 1 year), after which they are sent back to the portal.
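Here is the decision logic such a WAN captive portal needs, as an added example in Python (this is not code from the post; the portal URL, the constructed user store, the `Gate` class and the nftables set `inet portal allowed` with timeout support are all assumptions, and the `nft` command string is illustrative only). The proxy or firewall in front of the service calls `check()` for every request, the portal's login form calls `login()`, and the lease expiry bounds the window an unattended, still-authorized IP stays open:

```python
"""Captive-portal gate for a WAN-facing service (added example).

Decision logic only: a request from a source IP that has authenticated
within its lease passes; anything else is bounced to the portal login
page. The actual HTTP redirect and firewall calls belong to the proxy /
firewall in front of the service.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

PORTAL_URL = "https://portal.example.com/login"  # hypothetical portal address
LEASE_MIN = 60 * 60                # 1 hour, the shortest configurable lease
LEASE_MAX = 365 * 24 * 60 * 60     # 1 year, the longest configurable lease


# Constructed user store: username -> (salt, PBKDF2-SHA256 hash). The portal
# must never keep plaintext passwords; it is the one gate in front of everything.
def _make_user(password: str) -> tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {"alice": _make_user("correct horse battery staple")}


def verify_credentials(username: str, password: str) -> bool:
    """Always hash and compare in constant time, so an unknown user and a
    wrong password are indistinguishable by timing."""
    salt, expected = USERS.get(username, (b"\0" * 16, b"\0" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, expected) and username in USERS


class Gate:
    def __init__(self, lease_seconds: int, clock=time.time):
        if not LEASE_MIN <= lease_seconds <= LEASE_MAX:
            raise ValueError("lease must be between 1 hour and 1 year")
        self.lease = lease_seconds
        self.clock = clock                     # injectable for testing
        self.allowed: dict[str, float] = {}    # source IP -> lease expiry (epoch)

    def _expire(self) -> None:
        now = self.clock()
        for ip in [ip for ip, exp in self.allowed.items() if exp <= now]:
            del self.allowed[ip]

    def check(self, src_ip: str, url: str):
        """Per-request decision: ("pass", None) for an IP holding a live
        lease, otherwise ("redirect", portal_url) carrying the original URL
        so the portal can send the user back after login."""
        self._expire()
        if src_ip in self.allowed:
            return ("pass", None)
        return ("redirect", f"{PORTAL_URL}?next={quote(url, safe='')}")

    def login(self, src_ip: str, username: str, password: str) -> bool:
        """Portal POST handler: on success the *source IP* (not the user)
        gets a fresh lease. Everyone behind the same NAT address shares it."""
        if not verify_credentials(username, password):
            return False
        self.allowed[src_ip] = self.clock() + self.lease
        return True

    def logout(self, src_ip: str) -> None:
        self.allowed.pop(src_ip, None)

    def seconds_left(self, src_ip: str) -> int:
        self._expire()
        return max(0, int(self.allowed.get(src_ip, 0) - self.clock()))

    def nft_rule(self, src_ip: str) -> str:
        """Command that would mirror a grant into an nftables set created with
        `flags timeout`, so the kernel drops the element when the lease ends
        (assumed table/set names; illustration only)."""
        return f"nft add element inet portal allowed {{ {src_ip} timeout {self.lease}s }}"


if __name__ == "__main__":
    gate = Gate(lease_seconds=3600)
    print(gate.check("203.0.113.5", "https://webmail.example.com/inbox"))
    print(gate.login("203.0.113.5", "alice", "correct horse battery staple"))
    print(gate.check("203.0.113.5", "https://webmail.example.com/inbox"))
    print(gate.nft_rule("203.0.113.5"))
```

The lease is stored against the source address because that is all the firewall can see; the `login()` comment records the consequence (a shared NAT address is authorized as a whole, and a mobile device that changes address must log in again), which is why the shortest lease that users will tolerate is the safer default.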
Comparison to VPN (Advantages)
- No VPN client software needed; works with any device that has a browser.
Comparison to VPN (Disadvantages)
- No encryption of the transport itself. That's fine as long as every exposed service is encrypted at the application layer (HTTPS, SSH, etc.); anything that isn't (plain HTTP, legacy protocols) crosses the WAN in the clear.
- Access is granted per source IP, not per user or device, so everyone sharing that public address (e.g. behind the same NAT) gets in once one person authenticates, and a mobile device that changes IP has to log in again.