VPN vs Authentication Proxy to restrict access to internal network/application

Çağlar Arlı

A popular new idea at the company I am working for is to remove worldwide access of web applications and restrict them to the internal network only, allowing remote users to work with them through VPN only.

As we have thousands of users, one major problem with this approach is that VPN resources have to be ramped up quite a bit to handle all of them. Also it is a problem to give new users access to this VPN so that they can start using it at all.

This brings me to the question, is VPN really more secure than having an authentication proxy which forwards (HTTPS) traffic to an internal web application (which itself is not accessible from the internet directly) after a successful authentication (only)? If yes, could someone explain why that is?

To be a little bit more precise on the goal: This measure is intended to minimize the risk of (unauthenticated) attackers compromising web applications in any form. The idea is that if they cannot access it, they cannot exploit possible security holes that those applications might (and usually do) have.

My question is whether a simple proxy can do as good a job as using a VPN.

PS. It is clear that none of this helps if we have an authenticated user (e.g. a phished account).
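The gating behaviour the question describes, as an added example that is not part of the original post: a request reaches the internal application only after the proxy has verified a signed session cookie, so pre-authentication input is handled by the proxy's own code alone. The cookie format, the `SECRET` key, the `X-Authenticated-User` header and the `forward` callable standing in for the internal application are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: key shared with the login service


def sign(user, expires):
    msg = f"{user}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(user, ttl=3600, now=None):
    """What a (hypothetical) login service would hand out after authentication."""
    expires = int(now if now is not None else time.time()) + ttl
    return f"{user}|{expires}|{sign(user, expires)}"


def verify_cookie(cookie, now=None):
    """Return the user name for a valid, unexpired cookie, else None."""
    try:
        user, expires, mac = cookie.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return None  # missing or malformed cookie
    # Constant-time comparison of the presented MAC against the expected one.
    if not hmac.compare_digest(mac.encode(), sign(user, expires).encode()):
        return None
    if expires < (now if now is not None else time.time()):
        return None
    return user


def proxy(request, forward, now=None):
    """Gate one request: only authenticated requests are passed to `forward`."""
    user = verify_cookie(request.get("cookie"), now)
    if user is None:
        # Rejected at the proxy; nothing from this request reaches the backend.
        return {"status": 401, "body": "login required"}
    # Drop any client-supplied identity header, then set the verified one.
    headers = {k: v for k, v in request.get("headers", {}).items()
               if k.lower() != "x-authenticated-user"}
    headers["X-Authenticated-User"] = user
    return forward({"path": request["path"], "headers": headers})
```

The code that parses unauthenticated input here is `verify_cookie` and `proxy`, which is the part of such a design that stays exposed to the internet.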