Virtual Private Networks, or VPNs, have been with us ever since the ‘90s. For years VPNs have been enabling remote and mobile users to connect to their enterprise networks from the outside and to do so securely. VPNs have also been used to connect multiple branch office networks together (“site-to-site” VPN), essentially meshing multiple networks into a single network.
What has changed? Why can’t we keep on using VPNs?
1. VPNs are insecure
As users have increasingly been working from home due to the COVID-19 pandemic, hackers have been increasingly targeting their VPN connections, and finding a slew of vulnerabilities in the implementation of the world’s leading vendors. Per the US CERT team:
“Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. In several examples, CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix. Citrix vulnerability, CVE-2019-19781, and its exploitation have been widely reported since early January 2020… Similarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto continue to be exploited.“
Another issue is the disappearing perimeter. VPNs were never designed to secure our modern, highly distributed workforce. They rely on the old notion that a perimeter exists and that you can trust your internal network within this perimeter. But since users are now working from anywhere and heavily using applications in the cloud the perimeter is no longer relevant. With no perimeter to speak of, VPNs end up indiscriminately allowing traffic into the enterprise network without applying the necessary granular application-level controls.
2. VPNs are sloooooow!
Connecting from our homes or remote locations can be challenging enough, between the enterprises struggling to meet capacity, Internet connectivity issues, and our families having simultaneous zoom calls. VPNs slow down our network even more. Why is that?
First there’s encryption. VPNs encrypt your traffic. Encryption involves performing calculations for the purpose key exchange (for example, IPSEC IKE) and crunching your plaintext messages, thereby introducing latency and slowing things down.
An even more significant factor is traffic backhaul. VPNs are centralized solutions. As such, VPNs backhaul the user traffic to a ‘VPN gateway’ and then on to its final destination. This can be highly inefficient. In extreme (but not uncommon) cases, enterprises end up routing user traffic from their remote home location, through the enterprise data center, and on to a far away cloud. This is like traveling from New York to New Jersey by way of San Francisco. Finally, often overlooked are our network routing and protocols. VPNs typically use legacy Internet protocols, such as IPSEC or OpenVPN. Some more modern protocols, such as WireGuard, have come out more recently, yet hundreds of million of users are still using antiquated VPN protocols that were not designed with performance in mind. When it comes to routing, users find themselves at the mercy of the Internet. Unfortunately, the Internet was designed to find the least expensive route and not the fastest or most reliable route. Unless additional advanced network tools are put in place, a remote VPN connection may often use an inefficient route that could be long, highly congested, or unreliable.
3. VPNs are hard
Most users dislike using VPNs. VPNs are forced on us by IT, and for good reason, but they frustrate users by making their connection slower, less reliable, and requiring cumbersome manual log in. On the IT side, too, legacy VPNs require weeks or even months of work to deploy the necessary hardware and software, configure them, ensure redundancy and scale, and ultimately deploy them to end users.
So what is the future?
We are seeing four major trends across multiple areas IT. VPNs, too, will follow these same trends:
Legacy VPNs have relied on centralized hardware that had to be shipped, installed, configured, scaled, and have backup for. There is no longer a need for special hardware to implement a remote VPN connection. By using software defined networking (SDN) principles users, devices, and applications can be connected with software only. This makes appliances and truck-rolls a thing of the past and lowers complexity and cost.
Consumerization of IT
Users have come to expect a consumer experience from their enterprise products as well (take for example Dropbox or Slack). VPNs too are becoming more like their consumer VPN counterparts that allow media streaming, gaming, and other benefits, as they become more automatic and user friendly.
A move to the cloud
Moving on from legacy on-premises deployment, VPNs can now be hosted in the cloud and enable the cloud-consumption model. As a cloud service, scaling and system and building in redundancy is something you don’t need to worry about anymore given the elastic nature of the cloud.
VPNs are no longer offer sufficient security for today’s distributed workforce environment. The introduction of zero-trust principles makes VPN security more granular, allowing access only from specific users to specific applications rather than exposing the entire network to risks coming from its remote users.
VPNs are poised for a major overhaul. In fact, they may not even be called VPNs anymore. However, the need to private, efficient, secure access for our distributed workforce is here to stay, and new generation products will make it faster, easier and more secure than ever before.