Ideal Security Practice:
Employees connect to the corporate network from remote locations. The firewall restricts access to all services, and the only way in is through a VPN. This follows best security practice.
Implementation Problem:
With the myriad of cell phones, laptops and desktops involved, it's a challenge to find a standard VPN solution that fits all of them. Furthermore, unless your device supports per-app VPN, you have to dial in every time, which decreases productivity. Imagine having to dial in every time you wanted to use company webmail. It's a pain.
Solution:
Use a captive portal. A captive portal is a way to intercept users' interaction with network resources and, for every action they take, show them a login page instead. After they log in they get full access to the network. Right now captive portals are used for Wi-Fi: you get on the Wi-Fi with no password, but you're trapped on the login page until you authenticate yourself. My idea is to use the same technology on the WAN. When someone accesses 22.33.44.55, instead of letting them interact with the web app in question, you redirect them to the secure captive portal and they stay there until they authenticate. Once they authenticate, their IP is allowed to access network resources for a limited period (configurable from 1 hour to 1 year).
Comparison to VPN (Advantages): No VPN client software needed; works with any device.
Comparison to VPN (Disadvantages): No encryption. But that's fine because the services are encrypted at the application layer (HTTPS, SSH, etc.). -- ixnaum, Sep 09 2014
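The gateway logic the idea describes, written out as an added example (not code from the original post, and not any real captive-portal product): unknown source IPs get their web traffic redirected to the portal and everything else dropped; after a successful login the source IP is granted a lease, bounded to the 1 hour to 1 year range the post quotes, and the lease is forgotten once it expires. The portal port number, the lease default and the sample connection events are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PORTAL_PORT = 8443            # assumed port the captive portal itself listens on
MIN_LEASE = 3600              # 1 hour: lower bound quoted in the post
MAX_LEASE = 365 * 24 * 3600   # 1 year: upper bound quoted in the post


@dataclass
class CaptiveGateway:
    """Per-source-IP authorization table in front of the WAN-facing services."""
    lease_seconds: int = 8 * 3600                      # assumed default: one work day
    _leases: Dict[str, float] = field(default_factory=dict)  # src_ip -> expiry time

    def __post_init__(self) -> None:
        # Enforce the configurable range the post describes.
        if not MIN_LEASE <= self.lease_seconds <= MAX_LEASE:
            raise ValueError("lease must be between 1 hour and 1 year")

    def authenticate(self, src_ip: str, now: float) -> float:
        """Called by the portal after a successful login; returns the new expiry."""
        expiry = now + self.lease_seconds
        self._leases[src_ip] = expiry
        return expiry

    def revoke(self, src_ip: str) -> None:
        """Remove a lease early (user logs out, or the session is terminated)."""
        self._leases.pop(src_ip, None)

    def is_authorized(self, src_ip: str, now: float) -> bool:
        expiry = self._leases.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._leases[src_ip]   # expired lease is dropped, not extended
            return False
        return True

    def decide(self, src_ip: str, dst_port: int, now: float) -> str:
        """Action for a new inbound connection: 'allow', 'redirect' or 'drop'."""
        if dst_port == PORTAL_PORT:
            return "allow"             # anyone may reach the login page itself
        if self.is_authorized(src_ip, now):
            return "allow"             # leased IP gets through to the real services
        if dst_port in (80, 443):
            return "redirect"          # browser traffic is sent to the portal
        return "drop"                  # SSH and everything else from unknown IPs


def simulate(gateway: CaptiveGateway, events: List[Tuple[float, str, int]]) -> List[str]:
    """Run a list of (time, src_ip, dst_port) connection attempts through the gateway."""
    return [gateway.decide(ip, port, t) for (t, ip, port) in events]


if __name__ == "__main__":
    gw = CaptiveGateway(lease_seconds=3600)
    # Constructed sample: one client tries SSH, then the web app, then logs in.
    before = simulate(gw, [(0, "203.0.113.5", 22), (1, "203.0.113.5", 443)])
    gw.authenticate("203.0.113.5", 2)
    after = simulate(gw, [(10, "203.0.113.5", 22), (3700, "203.0.113.5", 22)])
    print(before, after)   # ['drop', 'redirect'] ['allow', 'drop']
```

Two properties of this design are worth keeping in view when evaluating the idea. First, authorization is keyed by source IP, so every device behind the same NAT address shares one lease once any of them logs in, and a client whose public address changes mid-lease loses access. Second, redirecting port 443 as this example does will trigger a certificate warning in the browser because the portal cannot present a certificate for the host the user typed; real captive portals therefore usually redirect only plain HTTP and rely on the browser's own portal-detection probe.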