To carry on with our “how to rethink remote access” series, we spoke to IT expert Paul Sillars, Managing Director at So Internet (UK). He offered some thoughts on remote access planning.
I think the day of traditional thick(ish) client VPN installs is probably dying. Most of the time was spent getting the software to the end user, getting it installed and then managing the access.
SSL VPNs (allowing access to create the “tunnel” via HTTPS) provide a quick way to create a secure VPN, without the need to push software to the end user in the same way.
To access the VPN the user needs to load a web page, thus you have more immediate control over their access. You can also customize the login page so resources are accessible with a single click and can be changed very quickly.
Depending on the depth you want to take it, you can even control access to the network based on the software or service packs an end user has installed on their PC.
There is a lot that you can do in a web browser. We have clients accessing Remote Desktop sessions in a web browser using a Java applet that gets installed automatically.
I agree that for some apps a thin client may need to be installed, but the advantage is that the security side of things is so much easier, as real-time access lists can be updated and enforced.
I don’t agree that you will be back to the same point [as IPsec]; I think you may be back to something similar, but much easier to manage.
Most people want access to files on a server or remote desktop/terminal services.
With many SSL VPN boxes you can create “home pages” for the user (they can also update them). This can be shortcuts to drives, shares and terminal servers.
No longer is there a need for a mapped network drive in that sense, but a clickable link. You introduce a new server; just add it to their login page.
It is also possible to map some secure pages directly through without the user even needing to look in to the SSL VPN unit. For example, you have a secure CRM solution behind a firewall. You can create a URL mapping in the SSL VPN device that allows the user to log in to a URL. As they log in, the user details are passed through the SSL VPN box and to the CRM solution behind the firewall, giving seamless access to an application behind a firewall without the need to first load up a VPN, so now it can be used from even an internet cafe.