Network processing services, such as web security services (e.g. WebSense, SurfControl), mail processing services (e.g. Mailsweeper) or IM ("instant messaging") processing services (e.g. IMLogic, Facetime), are conventionally deployed within or at the perimeter of a corporate computer network. Operating within the corporate environment has several disadvantages, including the costs associated with installing and maintaining the service and the hardware on which it runs. If the service is to remain current and up to date, regular upgrades are often needed, adding to these burdens of ownership.
The costs and other disadvantages associated with locally owned and hosted services have led to a growth in managed services provided by third parties, typically hosted off-site and communicating with the corporate network via an external network, very often an unsecured external network such as the Internet. Such managed services afford users a multitude of benefits, including no installation or maintenance costs, a regularly updated and upgraded service, and generally more stable and faster processors running the service.
Particularly where the managed service is being hosted remotely and communicates with the corporate network via the Internet or other public network, as is often the case, it is generally important that the system is able to ensure that it only acts on requests received from valid users of the service. Typically, therefore, when a request is received by the managed service it will authenticate the request by checking the identity of the request originator.
The authentication may, for example, be based on a simple ‘user name’ and ‘password’ approach (e.g. “http proxy username” and “http proxy password” for http requests) but this is not particularly secure and is cumbersome to operate and administer. Consequently, the prevailing approach to authenticating users of managed services is an IP lockdown approach in which requests are only accepted from specific, predefined IP addresses. This approach has the benefit of being transparent to the user so long as they are accessing the managed service from a device having a static IP address that the service recognises (as would generally be the case, for example, if they were operating from their normal business premises).
However, it is becoming increasingly common for people to work away from their business premises (e.g. at home, at a customer's premises, in hotels when travelling and at other alternate locations). In many cases such roaming users will be accessing corporate resources remotely, for example via a VPN over a public network, in circumstances where the device they are using has a dynamically assigned, and therefore variable, IP address.
It is not possible for such roaming users to directly access managed network services that rely on IP lockdown to authenticate users. If the service is to be used, they must therefore resort to more cumbersome access via their corporate network through a VPN, to username/password authentication or, as is normally the case, simply go without access to the managed service while roaming. In those cases where access to a managed service is made available to a roaming user via a VPN, it is common that the roaming user chooses whether or not to use the managed service.
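The following is an added example, not code from the original document, that illustrates the IP lockdown check described above and why it fails for a roaming device: the managed service admits a request only if the connection's source address falls within a customer's pre-registered static ranges. The customer names and address ranges are constructed sample data (RFC 5737 documentation prefixes), and the function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample data (not from the page): static egress addresses for two
# hypothetical customer sites, using RFC 5737 documentation ranges.
CUSTOMER_ALLOWLIST = {
    "acme-hq": ["203.0.113.0/28"],
    "acme-branch": ["198.51.100.7/32"],
}


def compile_allowlist(allowlist):
    """Parse CIDR strings once into ip_network objects for fast membership tests."""
    return {
        customer: [ipaddress.ip_network(cidr, strict=True) for cidr in cidrs]
        for customer, cidrs in allowlist.items()
    }


def authenticate_by_source_ip(source_ip, compiled):
    """IP lockdown: return the customer whose static range contains source_ip, else None.

    source_ip must be the transport-layer peer address of the connection. A
    client-supplied header such as X-Forwarded-For is under the sender's control
    and must not be used as the input to this check.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None
    for customer, networks in compiled.items():
        if any(addr in net for net in networks):
            return customer
    return None


def simulate_roaming_session(dynamic_addresses, compiled):
    """Show the failure mode for a roaming user: each time the device is assigned a
    new dynamic address, lockdown has no basis on which to admit the request."""
    return {ip: authenticate_by_source_ip(ip, compiled) for ip in dynamic_addresses}


if __name__ == "__main__":
    compiled = compile_allowlist(CUSTOMER_ALLOWLIST)
    print(authenticate_by_source_ip("203.0.113.5", compiled))  # acme-hq
    # Two constructed addresses a roaming laptop might receive from a hotel or home ISP
    print(simulate_roaming_session(["192.0.2.44", "192.0.2.120"], compiled))
```

The check is transparent for a user behind a registered static address, but a device on a dynamically assigned address never matches any entry, which is exactly the situation the text describes for roaming users.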
Where the service is, for example, a managed web security service, this might seriously compromise the overall security of the corporate network, as remote users, who might well be connected to the corporate network, will be more vulnerable to attack.
There are a number of further drawbacks associated with such use of conventional VPN networks, such as the large number of manual and repetitive operations expected from users, the expertise expected from users, the cost of maintaining the VPN, etc. Finally, VPN users may often experience increased latency in network traffic, because using the VPN adds an unnecessary hop through the corporate network in order to use the managed service.