Business Applications Guidance

Types of remote access solutions


Summary

The diagram below shows a number of scenarios where you may deploy a remote access solution.

Fig 1: overview - types of remote access services

Remote access deployment scenarios

Clientless solutions

Users connect through a web browser and use HTTPS connections. Clientless solutions usually supply access to web-based corporate resources.

NHS clientless SSL VPN (NHS suppliers, lightweight access)

A clientless Secure Sockets Layer virtual private network (SSL VPN) lets NHS users establish a secure, remote-access VPN tunnel to an Enterprise Security appliance via a web browser. The appliance can offer administrators a single point of control to assign granular access based on both the user and the device. Users do not need a software or hardware client.

Clientless SSL VPN provides secure and easy access to a broad range of web resources and web-enabled applications from almost any computer on the internet. These include, but are not limited to:

  • internal websites
  • web-enabled applications
  • e-mail proxies, including POP3S, IMAP4S, and SMTPS
  • application access (smart tunnel or port forwarding access to other TCP-based applications)

Client-based solutions

Client applications are installed on endpoint computers and devices. Clients are usually installed on a managed device, such as a company-owned computer. The client supplies access to most types of corporate resources according to the access privileges of the user.

NHS client based SSL or IPSec VPN (office, home worker and mobile remote access)

One of the largest advantages generally cited for SSL VPN solutions is that SSL is a common protocol and most web browsers have SSL capabilities built in. Therefore almost every computer in the world is already equipped with the necessary "client software" to connect to an SSL VPN.

Traditional VPNs rely on IPSec (Internet Protocol Security) to tunnel between the two endpoints. IPSec works on the network layer of the Open Systems Interconnection (OSI) model - securing all data that travels between the two endpoints without an association to any specific application. When connected on an IPSec VPN the client computer is "virtually" a full member of the corporate network - able to see and potentially access the entire network.

The majority of IPSec VPN solutions require third-party hardware and/or software. In order to access an IPSec VPN, the workstation or device in question must have an IPSec client software application installed.
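The difference in exposure between the two models described above can be made concrete. The following is an added example, not part of the original guidance: it compares what a session can reach through a clientless portal that publishes resources per user and device with what a network-layer tunnel exposes, with and without a gateway access list. All service names, addresses, groups and policies are constructed for illustration.

```python
import ipaddress

# Constructed inventory of internal services (hypothetical names and addresses).
SERVICES = {
    "intranet":   ("10.20.0.10", 443),
    "webmail":    ("10.20.0.20", 443),
    "rostering":  ("10.20.1.15", 443),
    "file-share": ("10.20.2.5", 445),
    "db-admin":   ("10.20.3.8", 1433),
}

# Clientless portal: resources are published per (user group, device type).
PORTAL_POLICY = {
    ("clinician", "managed"):   {"intranet", "webmail", "rostering"},
    ("clinician", "unmanaged"): {"webmail"},
    ("supplier", "unmanaged"):  {"rostering"},
}

def portal_reach(group, device):
    """Services a clientless session can reach: only what is published."""
    return set(PORTAL_POLICY.get((group, device), set()))

def tunnel_reach(routes, acl=None):
    """Services reachable over a network-layer tunnel.

    routes: CIDR blocks routed to the client through the tunnel.
    acl: optional list of (cidr, port) permits applied at the gateway;
         None models a tunnel with no per-session filtering.
    """
    nets = [ipaddress.ip_network(r) for r in routes]
    reach = set()
    for name, (ip, port) in SERVICES.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            continue  # not routed through the tunnel at all
        if acl is None or any(
            addr in ipaddress.ip_network(c) and port == p for c, p in acl
        ):
            reach.add(name)
    return reach

def excess(group, device, routes, acl=None):
    """Services the tunnel exposes beyond what the portal would publish."""
    return tunnel_reach(routes, acl) - portal_reach(group, device)
```

Running `excess` against a real service inventory and the routes actually pushed to VPN clients shows which services rely on the tunnel's access list, rather than on application-level publishing, to stay out of reach.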

Cloud based remote access

Cloud based remote access delivers a managed service via bespoke client software that provides secure VPN connectivity. The services can be tailored to provide independent access or combined access connectivity to use other business solutions such as UC and VC services. Cloud based solutions provide low cost and scalable solutions and use industry standard security protocols and processes.

However, it is vitally important to ensure that any remote cloud access solution meets the necessary NHS and government security principles. NHS IT departments should undertake a full risk evaluation of any cloud product to ensure it meets the necessary security criteria.

Cloud Security Principles

CESG has created 14 government Cloud Security Principles. A number of common approaches can be used to address several of them.

Examples of some of these cloud service specific principles are:

  1. Data in transit - network protection (denying your attacker access to intercept data).
  2. Encryption (denying your attacker the ability to read data).
  3. Physical location and legal jurisdiction - for organisations wishing to offshore data, or needs agreement from Cabinet Office.
  4. Separation between consumers - separation between different consumers of the service prevents one malicious or compromised consumer from affecting the service or data of another. Specific information related to private, community and public cloud services is all represented.

Mobile based remote access

Mobile based remote access utilises the 3G/4G mobile network infrastructure and allows end users to remotely access applications and information from a variety of devices (such as smartphones, tablets and laptops). These connections are facilitated via secure remote access processes and procedures. NHS organisations must ensure deployment of appropriate user access management (such as IPSec tunnels, smart cards and two-factor authentication processes), and that the corporate network security infrastructure is monitored and maintained correctly so that remote access services do not become a weak point in overall IT security.

There are some essential factors to consider when choosing remote access solutions for an NHS mobile solution in an organisation:

  1. L3 VPN tunnel vs. Secure Business portal: Is there a requirement for a full VPN tunnel to protect the access from any installed application to the NHS site, or do you need a simpler portal that provides simple and secure access for published applications?
  2. Client-based vs. clientless: Does the solution require an agent to be installed on the endpoint computer, or is it clientless, for which only a web browser is required?
  3. Secure connectivity vs. endpoint security: Does the solution provide only secure connectivity, or also additional endpoint security functionalities, when the device is not connected via a VPN tunnel to the business?

Find a full list of the cloud security principles

Last edited: 19 October 2018 2:28 pm