This may sound crazy, but of all the various mobile technologies that have been released in the last several years, the one which has had the most profound impact on me is Microsoft’s ActiveSync. ActiveSync, if you aren’t familiar with it, is the protocol that Outlook uses to communicate with Exchange. Not a particularly exciting bit of technology, but the key change is that its architecture makes it easy for remote clients to communicate with an Exchange server without having to use a VPN.
Between ActiveSync, XenDesktop, and SaaS, I almost never log into a VPN, which has made my workflow completely transparent to whether I’m “inside” or “out”. In fact, because my Mac defaults to picking up the open (outside only) wireless network first, I by default operate as if I were a mobile user even in those rare moments when I’m at my desk.
In essence, the perimeter to my office network has completely melted away. And I’m not alone in this experience.
Alas, the firewall market continues to roar along at a multi-$B pace, which tells quite another story. There is still a perimeter and it is very much defended. It’s just that the definition of where that perimeter is and the role it plays are changing before our eyes. At the heart of this transformation is mobility and BYOD, a change that has left users perpetually on the outside of the network. For IT, this means a change in strategy when it comes to providing access to applications in a transparent manner.
Historically, once a user has been determined to be trustworthy (implied by being on the network), they are given access to an application. Firewalls may further segment the network and provide additional security. In the new world of being always on the outside, bastion hosts reemerge as a key piece of any solution.
Bastion hosts are typically considered application level proxies with knowledge of the protocols and use cases. This allows them to provide intelligent security and switching services so that the right user can access the right resource without introducing risk. In particular, bastion hosts are expected to be highly secure themselves and handle direct contact with the Internet.
Technologies such as the NetScaler, in particular, become ideally suited for the role of a universal front-end to applications that require access without a VPN. We do this daily, at scale, for countless ecommerce, SaaS, and XenDesktop instances already – bringing this skill to the enterprise is simply a matter of learning the right policy to make it happen. Start watching how often you have to log in to the VPN… a year from now, ask yourself if you’re logging in more or less often.
Mobility is giving rise to a completely new network perimeter. Don’t be too surprised when that perimeter looks a lot like your friendly ADC.