Secure remote access is a common feature of many of today's enterprise networks. Such access allows traveling employees (e.g., roaming salesmen) or telecommuting employees working from home to access the enterprise networks, e.g., through L3 Virtual Private Networks (VPNs). Secure remote access is also used to stitch together datacenters of a multi-site provider by using L2 VPN through commonly deployed network infrastructure, such as Secure Sockets Layer (SSL) and Internet Protocol Security (IPSec).
Secure remote access is typically provided by installing a VPN gateway on the Internet-facing perimeter of a network. The VPN gateway allows external devices/networks to connect into the enterprise internal network via a tunneling mechanism, such as SSL/DTLS or IKE/IPSec. The tunnel end points encrypt outgoing traffic for forwarding, and decrypt incoming traffic and feed it into their respective networks. Routing and policy-based forwarding (PBF) direct the relevant traffic from the internal network to the local tunnel end point, where it is further processed using bridging or PBF to find the right tunnel to the remote network. After being authorized and gaining access to the private network, an external client can reach resources in the network like any other client that resides within the private network.
Today, few policies are enforced on the traffic coming in from external clients. Various technologies perform segmentation and security at the application level on the end-user devices. Several mobile device management (MDM) platforms (e.g., AirWatch/iOS) require remote applications either to access all network resources via specified VPNs, or to maintain a public or private posture for the application based upon user identity.
However, existing platforms do not tie this granular, profile-based access into the network side. To limit a device's access to certain resources within the datacenter, existing platforms rely on static firewall rules, which are cumbersome to provision and manage and lead to rule bloat given the huge number of profiles that can exist. Static rules also do not account for device mobility across regions, or for application access provisioning such as DNS names, i.e., how to serve or route different applications to different users/devices that request the same URI.
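To make the profile-based alternative concrete, the following added example (not part of the original text) sketches a gateway-side policy lookup: one entry per access profile decides which internal resources a client may reach and where a shared DNS name is forwarded for the client's current region, with a default deny. The profile names, hostnames and addresses are constructed and hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Client:
    user: str
    profile: str  # access profile supplied by identity / MDM posture
    region: str   # region the device is currently connecting from

# Constructed policy table (hypothetical names and addresses). One entry per
# profile replaces the profiles x resources static firewall rules that would
# otherwise be needed to express the same access.
POLICY = {
    "sales": {
        "allowed": {"crm.corp.example", "mail.corp.example"},
        "routes": {
            "crm.corp.example": {"us": "10.1.0.10", "eu": "10.2.0.10"},
            "mail.corp.example": {"default": "10.1.0.20"},
        },
    },
    "contractor": {
        "allowed": {"crm.corp.example"},
        "routes": {"crm.corp.example": {"default": "10.9.0.50"}},
    },
}

def resolve(client: Client, host: str) -> Optional[str]:
    """Backend the gateway should forward `host` to for this client, or None to deny."""
    policy = POLICY.get(client.profile)
    if policy is None or host not in policy["allowed"]:
        return None  # default deny: unknown profile, or resource outside the profile
    routes = policy["routes"].get(host, {})
    # Same URI, different backend: prefer the client's current region, else the default.
    return routes.get(client.region, routes.get("default"))

def decide(client: Client, host: str) -> dict:
    """Auditable decision record suitable for the gateway's access log."""
    backend = resolve(client, host)
    return {"user": client.user, "profile": client.profile, "region": client.region,
            "host": host, "action": "forward" if backend else "deny", "backend": backend}

if __name__ == "__main__":
    for c, h in [(Client("alice", "sales", "us"), "crm.corp.example"),
                 (Client("alice", "sales", "eu"), "crm.corp.example"),
                 (Client("bob", "contractor", "eu"), "crm.corp.example"),
                 (Client("bob", "contractor", "eu"), "mail.corp.example")]:
        print(decide(c, h))
```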