A common challenge in enterprise mobility projects is providing secure remote access to applications behind the firewall.
Two technologies frequently used to provide remote access are HTTP reverse proxies and full tunnel VPNs. The Atlas Platform uses a full tunnel VPN to provide remote access for enterprise apps, and often we are asked: “Why is VPN better than a reverse proxy?”
While we think VPN is the better choice, both can be viable remote access solutions, and it would be a gross oversimplification simply to claim “VPN good, proxy bad” when looking at an HTTP reverse proxy vs. full tunnel VPN and leave it at that. Let’s dive in further to see the differences.
Full Tunnel VPN
A full tunnel VPN solution is a remote access technology that’s been around in wide use for about 15 years. It’s a full encrypted tunnel from your app into the data center. Logically, it’s no different than if you were physically located at the data center or corporate office.
Full tunnel guarantees that all network traffic is encrypted, none can leak out in the clear
Full tunnel can carry any kind of IP traffic, without limitation
Can be complicated to deploy
Requires routing changes and IP address allocation for remote clients
HTTP Reverse Proxy
Reverse proxies were originally created to perform a variety of useful functions for HTTP backends, such as load balancing, IP address consolidation, caching, and SSL offloading.
They were not initially designed to be a remote access solution for mobile apps. Consequently, it should be no surprise that reverse proxies suffer from limitations as a remote access solution when compared to a purpose-built solution like VPN.
Easy to set up since it has fewer moving parts
Requires minimal changes to network architecture
You’re guaranteed to be leaking meta-data about your app
If your app uses protocols other than HTTP, it won’t work
Taking a Closer Look
Given their relative ease of deployment, it might seem that reverse proxies are a great choice for HTTP-based apps. After all, when you tap your app it will load what you need with a reverse proxy (if it only uses HTTP protocols, of course)--but at what cost?
It’s an easy solution to implement, but at the expense of your personal information being exposed.You may think you’re protected, but protecting the app’s HTTP traffic is only part of the story.
One of the first things any app will do upon launch is a DNS lookup to translate the app server’s hostname (e.g. fiori.mycompany.com) to an IP address (e.g. 172.16.18.4). These lookups do not happen over HTTP, which means they go over the network in the clear if you rely on a reverse proxy for remote access.
This means anyone sniffing radio traffic coming out of your phone will know exactly what app is running at that time, the server and company you’re working for.
Save Your Data With a VPN
Pretty scary, right? Most end-users don’t know to be afraid of the problem that comes with an HTTP reverse proxy. It seems to “just work fine” and the end user has no idea that application meta data is leaking in clear text.
On the other hand, all traffic from the full tunnel VPN, including the DNS lookup, is completely encrypted through the tunnel. Anyone trying to look at the information will see only encrypted data. No information revealed, and your activity stays safe from prying eyes.