Virtual private networks (VPNs) get a bad rap these days. There are always vendors or articles explaining how they are dated and no longer fit for purpose in the third decade of the new millennium. And yet they persist.
VPNs continue to be used by organizations across the world to provide remote workers with secure access to organizational systems. But they are gradually being supplanted by other technologies. The transition will take many years, but it is ongoing.
Here are some of the top trends in the VPN market:
1. VPN shortcomings
Organizations are becoming increasingly aware of the shortcomings of VPNs. This is a shift that has been emerging for some time.
The pandemic intensified this trend: much of the world’s workforce had to transition to a work-from-home environment virtually overnight, and the problems that surfaced then have continued and worsened as the work-from-anywhere concept has taken hold.
There are several drivers for a general trend away from VPNs. These include:
- Complex configuration requiring dedicated routers, ACLs, and FW policies increasing risk
- Users get a “slice of the network,” creating a lateral network attack surface
- Inbound connections create attack surfaces (e.g., distributed denial of service (DDoS))
- No ability to reduce attack surfaces with application-level segmentation
“The prevailing trend is that security and network admins are becoming increasingly aware and are coming to the end of their ropes when it comes to VPNs and the numerous issues that surround using them to connect on-premises sites, remote users and/or multicloud environments,” said Don Boxley, co-founder and CEO, DH2i.
2. SD-WAN
Several alternatives to the VPN have emerged. They each have their pros and cons. Software-defined wide-area network (SD-WAN) services, for example, may work better in some cases.
“The pandemic significantly accelerated the digital transformation of many enterprises and organizations,” said Edward Qin, chief product officer at Algoblu.
“While employees chose to work from home, the old-fashioned remote access VPN starts to be replaced by more advanced SD-WAN services, which not only provide secure access to corporate resources, but also integrate many superior features, including firewall, IPS, ZTNA, DDoS, and intelligent traffic steering for SaaS applications.”
3. Software-defined perimeter
The software-defined perimeter (SDP) is another approach that is gaining ground. Almost every organization has remote users and/or third parties who need to be able to connect to cloud or on-premises applications from wherever they are — from the airport to the home office to the local coffee shop.
Traditional VPNs for remote users tend to be complex and expensive. Yet, they no longer offer the security peace of mind they once did.
“An SDP enables users to build lightweight, scalable, and secure connections between on-premises, remote, edge, and/or cloud environments across Windows and Linux as well as extend these capabilities to IoT deployments,” said Boxley with DH2i.
4. Zero Trust
The zero-trust philosophy has invaded many areas of security, so why not VPNs? It addresses some of the issues IT administrators face with them.
Administrators have been running into issues with drivers, printer drivers for example, being blocked by the firewall protecting their network. Issues often occur, too, when an IT administrator is tasked with installing new printers or updating existing ones. Driver issues caused by firewalls are difficult to troubleshoot, because the symptoms do not point straight at the firewall as the possible cause.
Zero trust as a concept is a common approach to setting up a network. Applied to a firewall, it means an administrator configures the firewall to block all network traffic by default, except for the ports and protocols they specifically know are needed. With this approach, printers may stop working when TCP port 9100 or port 631 is blocked, as these are the ports printers commonly use. Instructions from the printer manufacturer are often to turn off the firewall in order to install a printer, or to troubleshoot one that is not working correctly. As a policy, turning off a network’s firewall is never a good idea: any time the network is not protected by a firewall, it is open to potential attack. It is much safer to open just the ports and protocols needed and otherwise leave the firewall running.
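As an added illustration (not from the article or from any vendor quoted in it), here is what “open just the ports and protocols needed” looks like as an nftables ruleset for a Linux workstation that must reach a network printer. The LAN (192.168.10.0/24) and the printer address (192.168.10.50) are constructed values. The ruleset logs every outbound packet it drops, which supplies the troubleshooting signal the text notes is otherwise missing when a driver install fails.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny host firewall for a Linux workstation that must
# still reach a network printer. Constructed values: LAN 192.168.10.0/24,
# printer 192.168.10.50. Load with: nft -f thisfile

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # nothing in by default
        iif "lo" accept
        ct state established,related accept              # replies to our own traffic
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept          # path MTU, neighbour discovery
        # Printer discovery answers arrive as multicast, not as conntrack replies,
        # so they need their own rule. Remove it if the printer is set up by address.
        ip daddr 224.0.0.251 udp dport 5353 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop; # a workstation does not route
    }

    chain output {
        type filter hook output priority 0; policy drop;  # nothing out by default either
        oif "lo" accept
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } accept
        # Basics so the host keeps working: DNS, DHCP, NTP, web and package updates
        udp dport { 53, 67, 123 } accept
        tcp dport { 53, 80, 443 } accept
        # The two printing ports, and only towards the printer:
        #   631/tcp  IPP (CUPS, AirPrint)
        #   9100/tcp raw "JetDirect" printing
        ip daddr 192.168.10.50 tcp dport { 631, 9100 } accept
        # Optional: SNMP status queries and mDNS discovery for the printer
        ip daddr 192.168.10.50 udp dport 161 accept
        ip daddr 224.0.0.251 udp dport 5353 accept
        # Log what the policy drops; "nft-out-drop" in the kernel log is the
        # signal that a blocked port, not a bad driver, is the problem
        log prefix "nft-out-drop: " drop
    }
}
```

When a printer install or a driver update fails on such a host, `journalctl -k | grep nft-out-drop` shows exactly which destination and port the policy blocked; the fix is to add that one port for that one destination, not to disable the firewall.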
“Strengths and weaknesses of VPN technology are brought up a lot when thinking about how to use zero trust as a principle,” said Heather Paunet, SVP at Untangle.
“Some vendors have said that zero trust replaces VPN technology. However, it is important to note that zero trust is not a specific technology, but more a set of principles that are used when setting up a network to ensure that nothing is trusted and that access is not granted unless it is specifically needed.”
5. Multilayered approach
It isn’t a case then of one approach replacing the VPN. In fact, a multilayered approach is best, which may include SDP, zero trust, SD-WAN, and other tools. Even traditional VPNs may continue to play a part.
“VPNs, when not configured correctly or when not using strong cryptography, can lead to their own problems,” said Paunet with Untangle.
“However, when used correctly, especially with newer types of VPN technologies, such as WireGuard VPN, they can end up being part of a zero-trust solution.
“It is important to have a multilayered security solution and to ensure that if one layer is breached, there are multiple more layers to protect. It’s also important to segment a network, so that if any unauthorized access occurs, it is limited in how much damage could be caused to the organization that the network belongs to.”
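To show the segmentation point in working form, here is an added nftables ruleset for a WireGuard gateway (not from the article or from Untangle) that limits each remote user to named applications rather than handing out a slice of the network. The interface names (eth0, wg0), the tunnel range 10.8.0.0/24, the finance-user addresses and the two server addresses are all constructed for the example.

```nftables
#!/usr/sbin/nft -f
# Added example: nftables policy on a VPN gateway with a WireGuard interface
# wg0. Constructed values:
#   wg0 tunnel range   10.8.0.0/24          (remote users)
#   finance app server 192.168.20.10        (HTTPS only)
#   print server       192.168.10.50        (IPP and raw printing only)
#   finance users      10.8.0.10-10.8.0.19  (assumed static WireGuard addresses)
# Requires net.ipv4.ip_forward=1 on the gateway.

flush ruleset

table inet vpn_gw {
    set finance_users {
        type ipv4_addr
        flags interval
        elements = { 10.8.0.10-10.8.0.19 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # The only thing the internet may reach on this box is the WireGuard listener
        iifname "eth0" udp dport 51820 accept
        # Gateway administration only from inside the tunnel, i.e. after VPN auth
        iifname "wg0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # no "slice of the network"
        ct state established,related accept
        ct state invalid drop
        # Everyone on the VPN may print, and may reach nothing else on that host
        iifname "wg0" ip daddr 192.168.10.50 tcp dport { 631, 9100 } accept
        # Only the finance group may reach the finance app, and only over HTTPS
        iifname "wg0" ip saddr @finance_users ip daddr 192.168.20.10 tcp dport 443 accept
        # No tunnel-to-tunnel traffic: remote users cannot see each other
        iifname "wg0" oifname "wg0" drop
        # Anything else that tries to cross the gateway is logged, then dropped
        log prefix "vpn-fwd-drop: " drop
    }
}
```

The gateway firewall is what actually limits the blast radius if a remote user’s credentials or device are compromised: the attacker's reachable set is the two rules above, not the whole LAN. WireGuard’s own AllowedIPs setting on each peer is worth tightening as well, but it is routing policy on the client and server, so the gateway ruleset is the control to rely on.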