Enterprise Mobile Device Access to Web-based Applications
There are a number of ways to provide secure access to web-based applications, but for remote access to enterprise applications, one of the most common methods in use today is SSL, typically through an SSL VPN gateway.
Many web-based applications have built-in support for SSL termination and user authentication, but the problem that this chapter addresses is access to several applications, as in a typical enterprise intranet type of scenario. In fact, SSL VPNs were first brought to market for this very purpose, consolidating multiple web-based applications into a single Internet-facing portal.
As an ever-increasing number of applications were moving to the web, the task of preparing each application for access from the Internet was increasing operational costs. SSL VPNs provided a way to simplify and consolidate. At the same time, they provided a way to provide access to third parties (partners and customers, primarily) without leveraging a full Layer 3 IPsec VPN connection onto the network.
This web-based mode of operation is sometimes referred to as a clientless VPN, acknowledging the fact that no client software needs to be installed on the endpoint device. Clientless SSL VPN functionality leverages only a web browser on the endpoint device, making it a ubiquitously available application, not only for traditional platforms, but also for a wide range of mobile devices. Clientless modes of operation on SSL VPNs remain a widely used deployment, largely due to these two key benefits:
No software is required on the endpoint device. This simple fact makes SSL VPNs a perfect choice for access from any device. An end user can use an SSL VPN to access corporate data from his home machine, a kiosk, a mobile device, or really any machine with a web browser that supports SSL.
Clientless SSL VPN solutions provide very granular control over end user access. In many implementations, web-based application access can be controlled all the way down to the individual file or URL level. So if a remote user should have access to only one particular file or application, leveraging an SSL VPN can ensure that the remote user can’t see or access any other applications in the corporate network.
How does the clientless mode of operation work? It depends on the implementation, and most vendors have developed this key intellectual property over time. For the most part, clientless SSL VPNs use something called a rewriter, which actually intermediates every request and response that goes through the SSL VPN, and modifies embedded links so that, to the outside world, the content appears to be served directly from the SSL VPN.
This rewriting capability provides granular access control and, at the same time, allows organizations to mask the details of their internal application deployments from would-be hackers. If a hacker can easily get the IP address or URL of an application server that's housed inside the network, he or she can begin to formulate a plan for attacking that server, a less-than-desirable outcome for your network.