We are installing a vendor-supplied ASP.net application on IIS 7.5, giving access to sensitive customer details for remote access by our staff. I am wondering whether it is necessary to use a VPN to secure it. Using a VPN would be considerably more inconvenient for the staff and provide more access for connected clients to the rest of the network than I would like.
With no VPN, the application would be secured by HTTPS using TLS. The only part of the software that should be accessible to the web at large would be the login page. The application can be set to either use a completely built-in authentication method or Active Directory authentication via NTLM (probably preferably).
I am slightly concerned about the application's security-soundness. The developer has not had any 3rd-party penetration testing done and it appears from my investigation that passwords for the built-in authentication are stored with reversible encryption rather than hashed.
How much additional security do you think using a VPN would offer over relying on HTTPS and the application's authentication? Are there any questions I could ask the developer or ways I could test the application to check for vulnerabilities?
VPN Security Versus Plain Old TLS - Similar question that was useful, but not focused on assessing a supplied application
Both "VPN" and "HTTPS" have no inherent security. You must specify minimum security measures each takes in securing a connection. The configuration of either is a vital piece of information you'll need in order to determine which is appropriate for your situation.
So figure out what the minimum security measures you require are, say AES-128 encryption, SHA-1 integrity, and some sort of authentication (NTLM is weak; I'd suggest HTTP-DIGEST, or Kerberos if you can swing that).
Then compare that requirement to the minimum security allowed by each type of connection. HTTPS is going to be more convenient, so if its minimums are at or above your requirement it should be used. If neither VPN nor HTTPS meets your requirements, time to reassess your requirements or the vendor's product.
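The comparison this answer describes, as an added example that is not part of the original post: every cipher suite the HTTPS endpoint accepts is graded against the stated minimum (AES-128, SHA-1 integrity), and the endpoint passes only if none falls short. The suite list is a constructed sample, and the function names and the strength table are assumptions of this sketch.

```python
import re

# Requirement taken from the answer above: AES-128 encryption, SHA-1 integrity.
MIN_KEY_BITS = 128
REQUIRED_CIPHER = "AES"
MIN_MAC = "SHA"  # "SHA" in an IANA suite name means SHA-1
MAC_RANK = {"NULL": 0, "MD5": 1, "SHA": 2, "SHA256": 3, "SHA384": 4, "AEAD": 5}
# Effective strength of ciphers whose name carries no key length.
FIXED_BITS = {"NULL": 0, "DES": 56, "3DES": 112}
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>[A-Z0-9]+)$")

def parse_suite(name):
    """Split an IANA cipher suite name into (cipher, key_bits, integrity)."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    tokens = m["enc"].split("_")
    cipher = tokens[0]
    bits = FIXED_BITS.get(cipher)
    if bits is None:
        bits = next((int(t) for t in tokens[1:] if t.isdigit()), None)
    # In GCM suites the trailing hash is the PRF; integrity comes from the AEAD mode.
    mac = "AEAD" if "GCM" in tokens else m["mac"]
    if bits is None or mac not in MAC_RANK:
        raise ValueError(f"cannot grade suite: {name}")
    return cipher, bits, mac

def violations(name):
    """List the ways one suite falls short of the requirement."""
    cipher, bits, mac = parse_suite(name)
    found = []
    if cipher != REQUIRED_CIPHER:
        found.append(f"cipher {cipher} is not {REQUIRED_CIPHER}")
    if bits < MIN_KEY_BITS:
        found.append(f"{bits}-bit key is below {MIN_KEY_BITS}")
    if MAC_RANK[mac] < MAC_RANK[MIN_MAC]:
        found.append(f"integrity {mac} is weaker than {MIN_MAC}")
    return found

def audit(accepted_suites):
    """Return {suite: reasons} for each accepted suite below the requirement.
    The endpoint passes only if this is empty: the weakest suite it accepts
    is the minimum a session can end up negotiating."""
    return {s: v for s in accepted_suites if (v := violations(s))}

# Constructed sample: suites a scan of the HTTPS listener might report.
HTTPS_ACCEPTED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
```

Calling `audit(HTTPS_ACCEPTED)` on the sample flags the RC4 and 3DES suites, so this endpoint would need them disabled before it meets the stated minimum.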
The things that you are mentioning as security concerns really aren't apropos to a discussion of IPSec VPN vs. SSL.
If the vendor is using bad practices to secure their applications, they probably are skimping on other areas as well.
If you said that you were worried about your customers having their SSL sessions hijacked, that might be an argument in favor of an IPSec VPN.
I would say that if it can't be proven and demonstrated that the application is 100% secure from the vendor without the need for an extra layer, then go ahead and use the VPN.
You will incur the overhead of the VPN, depending on the level of encryption used, but it will provide you with peace of mind.
Basically, to answer the original question: a web application can be trusted when it is shown to be.