Current Internet communications security is typically provided by the integration of secure transport functionality into client and server software. Two problems arise with this approach: Firstly, the use of integrated security services requires modification to the existing Internet applications, requiring re-development and re-deployment projects. Secondly, high-level security services such as authorisation are not provided by secure transport protocols, requiring applications to rely on customised (and often insecure) mechanisms for the provision of such services. We propose a platform-independent system that uses proxy applications to provide both secure transport and authorisation services transparently to existing Internet applications. We demonstrate that our approach requires no modification to existing applications, and that our security services are based on existing and widely used technologies. We discuss the merits of our architecture in the context of the intended deployment environment: an Internet-based heterogeneous private network such as an extranet or Virtual Private Network (VPN). We show that our approach achieves its goals at the expense of introducing a minor degree of performance loss into overall client–server communications, yet we maintain that this performance loss is a minor expense in relation to the advantages of the system as a whole.