I speak from a position of total ignorance on VPNs. I've never used one. :o) A friend of mine has a web application running on an Internet facing server - web front end, DB backend, username/password login, that sort of stuff. He's hoping (with justifyable optimism in my opinion) to build it into a high value service. Therefore he needs it to be secure, which at the moment it isn't - well, not beyond the basic username/password login screen. I was considering his options. The obvious one is to build a decent firewall to put in front of it and to harden the server as much as possible. But then it occurred to me that since he's going to have only a handful (a few hundred, maybe) of well paying customers, perhaps there are alternatives. May some sort of VPN is one? I'm sort of thinking of a system where a customer uses some sort of software to create a completely secure link to the application server. The idea being to prevent interceptable data flying about the Internet, and to prevent having an obvious "front door" which an attacker might start hammering on. Um, does any of this make sense? Are there any alternatives I should be looking at for him? Or is this just a case of using good old secure HTTP and being done with it?