In the past, business computing was largely limited to the enterprise’s headquarters network. Every business computer was a desktop and connected directly to the network behind the organization’s firewall. This made it relatively easy to secure these machines and networks since the organization could perform traffic inspection at the network perimeter.
The modern business is not so centralized. Corporate WANs can span multiple branch locations, and remote workers and business travelers may need to access company network resources from networks not under the control of the company. Ensuring the confidentiality and integrity of business data in transit requires an encrypted, authenticated connection between these remote users and the headquarters network.
Virtual Private Networks (VPNs) are a common solution to implementing secure, globally distributed WANs. However, they are not a perfect solution. As networks become more complex and remote work is more common, a VPN alternative may provide a better solution to implementing a secure corporate WAN.
The case for the VPN
A VPN is a simple and effective solution for connecting a remote user to the corporate network. The remote user installs VPN client software and authenticates to a VPN gateway at the edge of the company network. Traffic between the client and the gateway is encrypted as it crosses the public internet; the gateway decrypts it and forwards it onto the internal network. As a result, the remote user is, for practical purposes, connected directly to the corporate network. Note that the encryption covers only the client-to-gateway leg: once traffic leaves the gateway it is protected only by whatever the internal application itself uses.
VPNs can also be used to connect the LANs of various company locations into a secure WAN. Each site deploys a VPN appliance that encrypts outbound traffic destined for the peer site, forwards it across the public network, and decrypts inbound traffic arriving from that peer. Because each site's internal address ranges are routed over the tunnel, the end result is two networks that appear to be directly connected to one another.
Limitations of VPNs
VPNs offer a simple and intuitive solution to the main use cases of an enterprise’s global WAN. However, they also have their limitations. Among these are the complexity of VPN-based WAN architectures, the impact that VPNs have on visibility within the global WAN, and their impacts on network latency.
1. Architectural Complexity
VPNs offer a great solution for connecting two points with an encrypted, secure VPN tunnel. However, the fact that it is a point-to-point solution makes it difficult to scale. If all sites require direct connectivity to every other site, the number of site-to-site VPN links grows quadratically with the number of sites: n sites need n(n-1)/2 tunnels, so 10 sites need 45 and 20 sites need 190. While sites can instead be indirectly connected via another site (a hub-and-spoke layout), this adds the hub's round trip to every branch-to-branch path and concentrates traffic and processing load on the hub. As a result, a fully connected, VPN-based WAN is difficult to build, monitor, and maintain.
2. Impaired Visibility
Since VPNs create encrypted, point-to-point connections between sites, they can impair visibility into an organization's corporate WAN. Traffic inside a tunnel is opaque to anything between its two endpoints, so monitoring traffic within the WAN, which is crucial for detecting lateral movement by internal threats, requires deploying monitoring and security infrastructure at (at least) one end of every VPN connection, where the traffic is in cleartext.
The resulting collection of point security products can be expensive to maintain and fragments visibility of the corporate WAN. As a result, the ability of the organization’s security team to rapidly detect and respond to cyber threats is degraded.
3. Increased Network Latency
A VPN tunnel by itself authenticates its two endpoints and encrypts the traffic between them; it does not inspect that traffic. Securing traffic on the corporate WAN therefore requires routing it, after decryption, through a standalone security solution, like a next-generation firewall (NGFW) deployed on-site.
If at least one endpoint of the connection is inside the corporate network, this may be a workable solution. However, 96% of companies are using cloud computing, and the use of mobile devices for business purposes is growing.
When both the source and destination of network traffic are outside the corporate network (e.g. mobile device users connecting to cloud-based resources), backhauling that traffic through the headquarters network for security scanning adds a detour to headquarters and back to every request, with significant latency impacts. As a result, users may choose to connect directly to these resources, depriving organizations of visibility into this traffic.
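The two points above (tunnel count growing with the number of sites, and the latency cost of sending traffic through a hub or headquarters site) can be made concrete with a small model. The following script is an added example for this page, not code from the original article or from any VPN or SD-WAN vendor. The site names and the per-link latencies in `UNDERLAY_MS` are constructed illustrative values, not measurements; it compares a full-mesh topology with a hub-and-spoke one, and the direct-to-cloud path with the path backhauled through the hub where inspection would sit.

```python
"""Model tunnel count and path latency for VPN-based WAN topologies.

Added example for this article; not the page author's code. Site names and
per-link latencies are constructed, illustrative values.
"""
import heapq
from itertools import combinations

# Constructed one-way latencies (ms) across the public underlay between each
# pair of locations. Assumed values chosen for illustration only.
UNDERLAY_MS = {
    frozenset({"HQ", "Branch-A"}): 20,
    frozenset({"HQ", "Branch-B"}): 25,
    frozenset({"HQ", "Branch-C"}): 60,
    frozenset({"Branch-A", "Branch-B"}): 15,
    frozenset({"Branch-A", "Branch-C"}): 70,
    frozenset({"Branch-B", "Branch-C"}): 65,
    frozenset({"HQ", "Cloud"}): 30,
    frozenset({"Branch-C", "Cloud"}): 10,
}
SITES = ["HQ", "Branch-A", "Branch-B", "Branch-C"]


def full_mesh_tunnel_count(n):
    """Tunnels needed for every site to link directly to every other: n choose 2."""
    return n * (n - 1) // 2


def hub_and_spoke_tunnel_count(n):
    """Tunnels needed when every branch links only to a single hub."""
    return n - 1


def tunnels_for(sites, topology, hub="HQ"):
    """Return the set of site pairs that need a tunnel under the given topology."""
    if topology == "full-mesh":
        return {frozenset(p) for p in combinations(sites, 2)}
    if topology == "hub-and-spoke":
        return {frozenset({hub, s}) for s in sites if s != hub}
    raise ValueError(f"unknown topology {topology!r}")


def path_latency(tunnels, src, dst):
    """Dijkstra over the tunnel graph using underlay latencies.

    Returns (total_ms, path). If dst is not reachable over any tunnel,
    returns (None, []).
    """
    adj = {}
    for t in tunnels:
        a, b = tuple(t)
        ms = UNDERLAY_MS[t]
        adj.setdefault(a, []).append((b, ms))
        adj.setdefault(b, []).append((a, ms))
    best = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        dist, node = heapq.heappop(heap)
        if node == dst:
            break
        if dist > best.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, ms in adj.get(node, []):
            cand = dist + ms
            if cand < best.get(nxt, float("inf")):
                best[nxt] = cand
                prev[nxt] = node
                heapq.heappush(heap, (cand, nxt))
    if dst not in best:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return best[dst], path[::-1]


def cloud_access_latency(user_site, tunnels, cloud="Cloud", hub="HQ"):
    """Compare going straight to a cloud service with backhauling through the hub.

    The backhauled path is: site -> hub over the VPN, then hub -> cloud, which
    is what 'route it through headquarters for inspection' costs in latency.
    """
    direct = UNDERLAY_MS[frozenset({user_site, cloud})]
    to_hub, _ = path_latency(tunnels, user_site, hub)
    backhauled = to_hub + UNDERLAY_MS[frozenset({hub, cloud})]
    return {"direct_ms": direct, "backhauled_ms": backhauled}


if __name__ == "__main__":
    n = len(SITES)
    print(f"{n} sites: full mesh needs {full_mesh_tunnel_count(n)} tunnels, "
          f"hub-and-spoke needs {hub_and_spoke_tunnel_count(n)}")
    for topo in ("full-mesh", "hub-and-spoke"):
        ms, path = path_latency(tunnels_for(SITES, topo), "Branch-A", "Branch-B")
        print(f"{topo}: Branch-A -> Branch-B = {ms} ms via {' -> '.join(path)}")
    print("Branch-C to Cloud:",
          cloud_access_latency("Branch-C", tunnels_for(SITES, "hub-and-spoke")))
```

With the assumed numbers, four sites need 6 tunnels in a full mesh versus 3 hub-and-spoke, but the hub-and-spoke path from Branch-A to Branch-B costs 45 ms instead of the 15 ms direct link, and backhauling Branch-C's cloud traffic through HQ costs 90 ms against 10 ms direct. Changing the values in `UNDERLAY_MS` or adding sites to `SITES` lets you see how quickly the mesh tunnel count grows relative to the hub penalty for your own layout.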
Achieving scalable, secure networking with cloud-based SD-WAN
Point-to-point VPN connections increase the complexity of operating, maintaining, and monitoring the corporate WAN. Each connection must be individually monitored and secured, meaning that every endpoint needs to have its own security deployment or have traffic routed through another location. The tradeoff between network performance and complexity associated with VPN-based WAN deployments makes cloud-based software-defined WAN (SD-WAN) a promising alternative.
A secure corporate WAN requires the ability to connect all sites and users with high-performance links with integrated security monitoring and minimal latency impacts. Cloud-based SD-WAN addresses these challenges by distributing a network of cloud-based points-of-presence (PoPs) connected with Tier-1, dedicated network links.
Each cloud-based PoP has integrated security monitoring functionality, giving organizations visibility into, and protection of, all traffic that enters the corporate WAN through a PoP. By placing PoPs in the cloud, it is possible to geographically distribute them so that connecting to the corporate WAN via the nearest PoP adds little latency for users, regardless of their location. The use of dedicated, Tier-1 links between PoPs, instead of the public Internet paths a VPN-based WAN relies on, improves performance and consistency enough that the latency cost of in-line inspection is kept minimal.
VPN-based corporate WANs were a viable solution for secure networking when the majority of corporate users and assets were located at company-owned sites. As this changes, with the proliferation of cloud computing and mobile devices, a VPN alternative like cloud-based SD-WAN may provide a higher-performance and more secure solution.