Most large organizations today have to resort to using firewalls to protect internal communication networks from would-be hostile attackers on public communication networks such as the Internet. The firewall, in accordance with a security policy, protects resources in the private network by filtering communications destined for internal machines. The conventional security policy usually amounts to total trust of all insiders and total mistrust of outsiders, where the firewall defines the boundary. This results in a significant inconvenience for insiders who travel outside of the firewall boundary, rendering it difficult to access important information that they left inside the firewall. While such users may have a legitimate right to access the internal servers, those servers may not be reachable from where the users are.
Assuming the user does not have the equipment for remote dial-up access to a machine inside the firewall, an insider with access to only a public terminal has limited options. Most protected sites allow users limited telnet or ftp access to their machines from the outside so that they can at least read their e-mail and edit files. Usually, the users are authenticated through some strong one-time password mechanism in hardware or software. On the other hand, over such a telnet session the resources of many internal servers on an intranet are only accessible via a text-based browser such as LYNX, with no support for multimedia, executable content, helper applications and other recent browser features. Even worse, since telnet connections are usually unencrypted, the web content travels to the remote site in the clear. Moreover, many public Internet kiosks (e.g. at the airport) which have HTML browsers have no access to telnet or other such Internet services. It is possible that Virtual Private Network (VPN) technology could be used to allow access to the internal network, but current products require significant investment in cost and resources. Furthermore, it is unclear whether a VPN solution is feasible for providing internal access from sites such as terminal rooms at conferences and/or Internet cafes.
At the very least, there is a need for a more lightweight solution to providing remote access that is practical, easy to use, secure, and scalable—all while leaving the firewall and local infrastructure unchanged.