The way in which companies and their users interact with the web has changed enormously in the last few years. Companies are now relying more and more on web-based applications to run their businesses, such as Salesforce, Google Apps and Microsoft Office 365.
There has been a monumental shift towards mobile devices (smartphones and tablets) and a growing trend of people working remotely and on the move. These changes bring with them new challenges for IT administrators to maintain effective web security without compromising on productivity and flexibility.
VPNs have become commonplace, with companies across the UK and around the world using them to allow their branch offices and remote workers to connect securely to corporate systems. For many they are seen as an essential element of network security, ensuring that remote endpoints, such as laptops or home computers, use an encrypted ‘tunnel’ (the Virtual Private Network of the name) to connect to the main corporate systems.
This allows remote workers, whether on the road or working from home, access to their head office desktop systems, often just as effectively as if they were physically sitting in front of their office computer. It also allows easy sharing of data between small branch offices and their headquarters without needing expensive point-to-point connections.
But there is a hidden price to pay for this flexibility if your chosen web security service relies on proxying. Many companies use their VPNs to connect their remote or roaming users back to their corporate web proxy to provide the same level of filtering as they would have in the office.
This means that whenever any of those remote machines wants to access the web, the request goes over the VPN and via the proxy to ensure it is filtered. In practice, this means that every single web page request is sent from the remote machine, via the VPN to the corporate proxy, then to the internet, and then the page is sent back along the same route.
This extra and unnecessary traffic consumes more and more bandwidth at head office that could be used for more useful services, such as file transfers, VoIP or video conferencing. Compared with users going online directly, it also adds latency: every web request makes an extra round trip to head office and back, adding a small delay to every page load whenever the worker goes online.
This can lead to frustration and a drop in productivity as users shy away from using web based applications whilst on the move. For most companies, however, the data delays involved and extra bandwidth costs are accepted as a side effect of maintaining web security on the end points.
But there are other hidden – and not-so-hidden – issues that come from extending the web proxy service to remote users. All web traffic flows to the central proxy and then back out again, so the data carried across the VPN and the head office internet link almost doubles. From the company perspective, at peak times – when internet capacity is at a premium – the additional traffic may affect higher-priority services such as VoIP or video conferencing, which in turn can impact productivity.
The problem is even worse for remote users on a 3G cellular connection: the extra overhead of the VPN’s encryption and decryption, on top of the round trip to head office, means web access can be hopelessly slow and incur a real cost in data charges, especially when travelling internationally. With the launch of capped 4G contracts, the cost can only increase.
The proxy problem
Proxying is a powerful solution that allows IT administrators to carefully control what happens to web based traffic – allowing or disallowing different sites for example, or restricting times of day that these sites can be accessed. Unfortunately, as can be seen from the above limitations, there are a number of disadvantages that come with this approach when applied to the modern Internet and how people are engaging with it.
Proxying has been around for many years and it is at the core of almost every web security product available today. The web proxy, a middleman that handles web requests on behalf of clients, has been a workhorse for years and provided a straightforward solution in a local area network environment. But now that networks are being extended via the Internet, across many different locations, connection types and devices, a proxy is no longer a scalable or flexible enough solution.
As we have discussed, the use of web proxying increases the transaction load and traffic on the VPN, as well as degrading the experience for the remote user. To solve this problem, businesses have looked towards cloud-based web security solutions. Whilst these services relieve the company of the bandwidth and processing burden, they do not entirely solve the problems of productivity and latency.
Cloud-based proxies hide the real network identity of the user as they browse the web: web sites see the source IP address of the proxy’s connection, not the IP address the user connected from. Modern web sites such as Google and online banking use the IP address extensively to check the location from which the user is browsing, so a user behind a cloud proxy is always identified by the proxy server’s IP address. This causes problems with location-aware web sites; for example, you will be redirected to the Google search page geographically closest to the proxy server, not to the real person.
This can cause language issues if the proxy server is hosted in a different country altogether. Web sites also rate-limit by IP address and can shut off access if they see a very large number of requests from one IP. This has happened with Google Apps, because it sees the IP address of the proxy rather than the IP address of each individual user, so the traffic of a whole customer base appears to come from one place. All of this can hinder productivity and cause frustration.
Cloud proxies also do not solve the latency issue completely. There is still a delay when you click a link on a web page, as the page is requested by the cloud proxy, scanned and then forwarded to the device. On bandwidth-sensitive connections such as 3G this can make using day-to-day web applications a real slog.
Proxying is also rarely considered when mobile apps are developed. App developers generally do not design or test their apps with proxy servers in mind, so some apps do not work through a proxy at all, which negates the efficiency the app would otherwise have provided.
Removing the need for proxying, however, also reduces the effects of most – if not all – of the problems identified above. As well as reducing the bandwidth requirements, the user experience for all those involved can be greatly improved – pages load more quickly and web traffic flows more efficiently.
The solution to these remote transmission problems lies in the use of a technology called the Internet Content Adaptation Protocol (ICAP, defined in RFC 3507). ICAP was originally designed so that a web proxy could hand each request or response to a separate server for adaptation (virus scanning or content filtering, for example) and so offload that processing. Applied in a client/server architecture with compatible end-point software, with the ICAP client running on the device rather than on a proxy, it provides a low-latency way of controlling web access based on URL reputation.
Rather than sending each web page and all its content through a centralised web proxy, either directly or over a VPN, the ICAP client on the device sends a small message containing only the web request (the HTTP request headers, in an ICAP REQMOD request), and the ICAP server replies with an allow or a block decision according to the time of day and the filtering policy assigned to the user. In ICAP terms an allow is a ‘204 No Content’ reply telling the client to let the request through unmodified, and a block is a ‘200 OK’ reply carrying a replacement HTTP response such as a block page. The page itself is then fetched directly from the web site by the device and never traverses the VPN or the cloud service.
As well as straightforward URL reputation filtering, ICAP can be used to implement virus scanning and content scanning to extend the security services available. This all takes place in the cloud, eliminating the hardware requirements at the customer premises. Note, however, that scanning content means the response body (ICAP RESPMOD) must be sent to the ICAP server, so that part of the service does not share the bandwidth saving of header-only request checks.
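To make the exchange concrete, here is an added example (not code from the original article or from any vendor’s product) of the REQMOD round trip described above, with both sides in plain Python and no network involved: the client wraps only the HTTP request headers in an ICAP REQMOD message, and the server answers 204 to allow or 200 with an encapsulated HTTP 403 response to block, using a constructed policy that permits a social-networking host only during the lunch hour. The service URI, host names, client IP and policy are all assumptions; the X-Client-IP header is a commonly used extension rather than one of RFC 3507’s core headers.

```python
"""ICAP REQMOD exchange (RFC 3507) between a policy client and a policy server.

Added example: the endpoint side wraps only the HTTP request headers in an ICAP
REQMOD message; the server answers 204 (let the request through) or 200 with an
encapsulated HTTP 403 response (block). Hosts, IPs and policy are constructed.
"""
from urllib.parse import urlsplit

ICAP_SERVICE = "icap://filter.example.invalid/reqmod"   # hypothetical service URI
# Constructed policy: social hosts are allowed only during the 12:00-13:00 lunch hour.
LUNCH_ONLY_HOSTS = {"social.example.invalid"}
LUNCH_HOURS = range(12, 13)


def build_reqmod(method, url, client_ip, extra_headers=None):
    """Client side: encapsulate an HTTP request header block in an ICAP REQMOD message."""
    parts = urlsplit(url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    lines = [f"{method} {target} HTTP/1.1", f"Host: {parts.hostname}"]
    lines += [f"{k}: {v}" for k, v in (extra_headers or {}).items()]
    http_hdr = ("\r\n".join(lines) + "\r\n\r\n").encode()
    icap_hdr = (
        f"REQMOD {ICAP_SERVICE} ICAP/1.0\r\n"
        f"Host: {urlsplit(ICAP_SERVICE).hostname}\r\n"
        f"X-Client-IP: {client_ip}\r\n"            # extension header, not in RFC 3507 core
        "Allow: 204\r\n"                             # we accept "no modification" replies
        f"Encapsulated: req-hdr=0, null-body={len(http_hdr)}\r\n\r\n"
    ).encode()
    return icap_hdr + http_hdr


def parse_message(raw):
    """Split an ICAP or HTTP message into (start line, lower-cased headers, remaining bytes)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    start, *hdr_lines = head.decode().split("\r\n")
    headers = {}
    for line in hdr_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, rest


def serve_reqmod(raw, hour):
    """Server side: decide on the encapsulated request and build the ICAP reply."""
    start, icap_headers, encapsulated = parse_message(raw)
    if not start.startswith("REQMOD "):
        return b"ICAP/1.0 405 Method Not Allowed\r\nEncapsulated: null-body=0\r\n\r\n"
    _, http_headers, _ = parse_message(encapsulated)
    host = http_headers.get("host", "")
    if host in LUNCH_ONLY_HOSTS and hour not in LUNCH_HOURS:
        body = b"Blocked by policy outside lunch hours.\n"
        res_hdr = (
            "HTTP/1.1 403 Forbidden\r\n"
            "Content-Type: text/plain\r\n"
            f"Content-Length: {len(body)}\r\n\r\n"
        ).encode()
        # Encapsulated bodies are transferred with HTTP chunked encoding (RFC 3507 4.4).
        chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
        return (
            "ICAP/1.0 200 OK\r\n"
            f"Encapsulated: res-hdr=0, res-body={len(res_hdr)}\r\n\r\n"
        ).encode() + res_hdr + chunked
    if "204" in icap_headers.get("allow", ""):
        return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
    # Client did not advertise Allow: 204, so echo the unmodified request back.
    return (
        "ICAP/1.0 200 OK\r\n"
        f"Encapsulated: req-hdr=0, null-body={len(encapsulated)}\r\n\r\n"
    ).encode() + encapsulated


def interpret_reply(raw):
    """Client side: turn the ICAP reply into ('allow', None) or ('block', http_status)."""
    start, headers, encapsulated = parse_message(raw)
    status = int(start.split(" ")[1])
    if status == 204:
        return ("allow", None)
    if status != 200:
        raise ValueError(f"unexpected ICAP status {status}")
    if headers.get("encapsulated", "").startswith("res-hdr"):
        res_start, _, _ = parse_message(encapsulated)
        return ("block", int(res_start.split(" ")[1]))
    return ("allow", None)  # a (possibly modified) request came back: forward it


def check(method, url, client_ip, hour):
    """Run one full exchange in-process (no socket) and return the client's decision."""
    return interpret_reply(serve_reqmod(build_reqmod(method, url, client_ip), hour))


if __name__ == "__main__":
    print(check("GET", "https://social.example.invalid/feed", "203.0.113.7", hour=10))
    print(check("GET", "https://social.example.invalid/feed", "203.0.113.7", hour=12))
    print(check("GET", "https://intranet.example.invalid/", "203.0.113.7", hour=10))
```

Two points a practitioner should keep in mind when deploying this pattern for real. ICAP has no encryption or authentication of its own: RFC 3507 runs over plain TCP (default port 1344), so the channel between the endpoint agent and a cloud ICAP service needs protecting, for example with TLS, and the server needs a trustworthy source for the user identity it applies policy to, rather than an unauthenticated header. And the enforcement point is the agent on the device: if it is not running, nothing is checked.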
Another key advantage of using an ICAP-based solution for remote branches and users is that location-based services simply work. This is because the web browser connects to web sites directly and is identified by its ‘real’ IP address, rather than a proxied one that may be assigned to another country entirely.
For example, if a company is headquartered in Paris, and the employees based in the UK visit the internet via the head office, they are likely to get very frustrated if they keep getting the French Google home page, or aren’t able to access local web sites (such as BBC iPlayer) because the system believes they are outside of the UK.
A good ICAP security platform can do a lot more than save time, money and bandwidth on data transmissions however, and offers organisations a much higher degree of control over what their staff get up to on the web from remote branch offices and whilst on the road in company time.
A recent report by the BBC estimated that social networking sites could be costing employers up to £130 million per day in lost man-hours. An ICAP-based business internet filtering solution can also empower the company and employer – to decide when it is acceptable to access these web sites, for example only at lunch time, after hours or not at all.
But that, as they say, is a story for another day…