1 awayWEB: The Virtual VPN

The majority of corporate computer resources are already web-enabled, either natively or through web-access gateways. The awayWEB system combines web-based access with strong authentication and security to provide a highly secure infrastructure that enables secure remote access to corporate resources through the corporate firewall from any location on almost any platform.

1.1 The awayWEB gateway: A Firewall built for the Web

The nature of the network protocols used in web-based applications makes traditional firewall technology largely ineffective in controlling and securing access to corporate applications. Firewalls offer protection from many forms of intrusion and attack but firewalls have no real understanding of: who the users are, how they are authenticated, what privileges they have, what web applications they can access or what access constitutes a violation of policy.

To address these issues some firewall devices contain proxies, intelligent inspection, or intrusion detection systems. These mechanisms provide basic access control once users have been authenticated to the firewall. Unfortunately, once standard web encryption and security protocols are implemented, such as SSL/https, these mechanisms are unable to monitor or control access to web applications.

**Figure 1:** All intranet access must pass through the awayWEB system
$\resizebox*{0.9\textwidth}{!}{\includegraphics{fig/aw-arch-hilevel.eps}}$

The awayWEB system provides a solution to these complex issues:

The awayWEB system operates as a centralised access control and security server, through which all remote access to intranet applications must pass. (Figure 1)
The awayWEB system has a full understanding of the http protocol used for web applications and can make security decisions based on the users' privileges and the organisations security policy
The awayWEB system appears on the Internet as a standard SSL enabled web server. By entering a URL or accessing a bookmark, remote users contact the gateway as they would any other web site.
Each user must log in to the awayWEB system and then access intranet services according to the security policy defined by the organisation
All requests passing into the awayWEB system from the Internet are decrypted by the gateway for inspection and authorisation. All information passing back to the remote user is encrypted before leaving the gateway.
The awayWEB system translates all incoming requests and outgoing web pages so that there is never any requirement to make an internal server directly accessible to the Internet - the awayWEB system is the only directly connected system.