So on yesterday's blog I linked to a story on RWW from the MS AU division. But I'm looking for a more “weedy” article on Remote Web Workplace. Why? Because I don't think there is enough technical information on the pros and cons of RWW versus VPN.
So I was emailing with Jeff Middleton about RWW versus VPN, and he brought up an interesting point. The good thing about a VPN connection is that it builds a secure tunnel back to 100% of your network. The bad thing is that it builds a secure tunnel back to 100% of your network. With a VPN connection, you are at risk that the user will bring in viruses or connect from an unpatched machine, as Jeff pointed out. As he said,
“You can't compare the difference between RWW and VPN as if they are on the same level of absolute security for the entire site, and the only risks. It's a topic that requires more depth than a yes, no answer. If you open a VPN connection, you start by default with an unrestricted, unfiltered exposure of the entire LAN, from which you have to reduce your risk. It's a huge opening to do a threat analysis from, and you rely only upon the password as your protection.
RWW flips that over. It opens a pin-hole, using an SSL session to the website. You don't even need port 80. You are building up function from the narrowest of openings to the client. Your threat analysis is fixed. You look at the server exposure to the web to present RWW "at all". From there, you present limited exposure "per user", "per session". The threat analysis is pretty tightly confined to building up, not scaling back. The only major "exposure" you add to your risk is a very narrow issue of the RDP authentication not passing under encryption, though all the other client services do. It's a real issue, it's narrowed by how RWW handles that exact handshake timing, and qualification.”
As you can see, you aren't making the same kind of tunnel back to your network with a Remote Web Workplace connection. The problem is that the documents describing the features and benefits of RWW and VPN don't cover the risks and advantages of each well enough.
Is it a risk that you will set up RWW and expose it to the web? Sure, but don't do that [Charlotte PSS Jason taught us DDT, remember?]. And if you are exposing your web site to the net [step back first and evaluate the risks and your backup and recovery strategies], then make sure you put in Alan's robot exclusion file.
On a side note, I asked Ben Smith, the author of Assessing Network Security, what he would take with him if he were stuck on an island with a computer... and he said the Internet and Google.
Information is powerful, isn't it?