Rethinking Enterprise Remote Access VPN Solutions: Designing Scalable VPN Connectivity

The global pandemic has forced many organizations around the world to send their workers home to support social distancing mandates. The process happened suddenly – almost overnight – giving companies little time to prepare for so many people to work remotely. To keep business functioning as best as possible, enterprises need to provide secure remote connectivity to the corporate network and cloud-based resources for their remote workers.

Many companies turned to their existing VPN infrastructure, beefing up the terminating appliances in the datacenter with additional capacity to support hundreds or thousands of new work-from-home (WFH) users. In the early days of Coronavirus lockdowns, some countries saw a surge in VPN use that more than doubled the typical pre-pandemic demand. However, VPN infrastructure isn’t designed to support an entire workforce. As organizations contemplate an extended or even permanent switch to WFH, investing in a secure, scalable connectivity solution is essential.

Enterprise VPN Solutions are Not Designed for Distributed Workforces

VPNs are designed for point-to-point connectivity. Each secure connection between two points requires its own VPN link for routing traffic over an existing path. For people working from home, this path is going to be the public Internet. The VPN software creates a virtual private tunnel over which the user’s traffic goes from Point A (e.g., the home office or a remote work location) to Point B (usually a terminating appliance in a corporate datacenter). Each terminating appliance has a finite capacity for simultaneous users. VPN visibility is limited when companies deploy multiple disparate appliances.

Pre-pandemic, many organizations had sufficient VPN capacity to support between 10 and 20 percent of their workforce as short-duration remote users at any given time. This supported employees temporarily working from hotels and customer sites as well as from their homes. Once the pandemic restrictions forced people to isolate at home, companies saw their VPN usage shoot up to as much as 50 to 70 percent of the workforce. It was a real challenge to quickly scale capacity because the number of required VPN links for continuous connectivity scales exponentially with the number of remote sites.

Security is a considerable concern when VPNs are used. While the tunnel itself is encrypted, the traffic traveling within that tunnel is not inspected for malware or other threats. To maintain security, the traffic must be routed through a security stack at its terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. Simply put, providing security for VPN traffic is expensive and complex to manage.

Another issue with VPNs is that they provide overly broad access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. What’s more, stolen VPN credentials have been implicated in several high-profile data breaches. By using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks.

Of further concern, VPNs themselves can harbor significant vulnerabilities, an issue we noted in a recent post. NIST’s Vulnerability Database has published over 100 new CVEs for VPNs since last January.

SASE Provides a Simpler, More Secure, Scalable Solution Compared to VPN Solutions

In mid-2019, Gartner introduced a new cloud-native architectural framework to deliver secure global connectivity to all locations and users. Gartner analysts named this architecture the Secure Access Service Edge (or SASE).

ICG's SASE platform is built as the core network and security infrastructure of the business, and not just as a remote access solution. It offers unprecedented levels of scalability, availability, and performance to all enterprise resources.

It so happens that SASE is an ideal VPN alternative. SASE offers scalable access, optimized connectivity, and integrated threat prevention that are needed to support continuous large-scale remote access. There are several ways that ICG's SASE platform outperforms a traditional VPN solution.

First, the SASE service seamlessly scales to support any number of end-users globally. There is no need to set up regional hubs or VPN concentrators. The SASE service is built on top of dozens of globally distributed Points of Presence (PoPs) to deliver a wide range of security and networking services, including remote access, close to all locations and users.

Second, availability is inherently designed into ICG's SASE service. Each resource – a location, a user, or a cloud – establishes a tunnel to the nearest SASE PoP. Each PoP is built from multiple redundant compute nodes for local resiliency, and multiple regional PoPs dynamically back up one another. The SASE tunnel management system automatically seeks an available PoP to deliver continuous service, so the customer doesn’t have to worry about high availability design and redundancy planning.

Third, SASE PoPs are interconnected with a private backbone and closely peer with cloud providers to ensure optimal routing from each edge to each application. This is in contrast with using the public Internet to connect users to the corporate network.

Fourth, since all traffic passes through a full network security stack built into the SASE service, multi-factor authentication, full access control, and threat prevention are applied. Because the SASE service is globally distributed, SASE avoids the trombone effect associated with forcing traffic to specific security choke points on the network. All processing is done within the PoP closest to the users while enforcing all corporate network and security policies.

And lastly, ICG's SASE platform employs Zero Trust Network Architecture in granting users access to the specific resources and applications they need to use. This granular level of control is part of the identity-driven approach to network access that SASE demands.
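The contrast drawn above (a VPN grants any holder of valid credentials reach into every routed subnet, while identity-driven access checks who the user is, whether a second factor was satisfied, and the device's health per resource) can be made concrete with a small policy model. The following is an added example, not ICG's code or any product's policy engine; the users, groups, device checks, resource addresses and the 10.0.0.0/8 routed range are all constructed sample data.

```python
"""Added example: broad VPN-style reachability versus per-resource,
identity- and posture-driven access decisions. All data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Device:
    os_patched: bool
    disk_encrypted: bool
    edr_running: bool


@dataclass
class Session:
    user: str
    groups: set
    mfa_passed: bool
    device: Device


@dataclass
class Resource:
    name: str
    address: str           # constructed internal address the user would reach
    allowed_groups: set    # identity requirement
    require_mfa: bool = True
    require_posture: bool = True


# VPN-style model: once the tunnel is up, every address in the routed subnets
# is reachable regardless of who the user is or what state the device is in.
VPN_ROUTED_SUBNETS = [ip_network("10.0.0.0/8")]   # constructed sample range


def vpn_allows(session: Session, destination: str) -> bool:
    """A VPN only checks that a tunnel exists (credentials were accepted)."""
    dst = ip_address(destination)
    return any(dst in net for net in VPN_ROUTED_SUBNETS)


def posture_ok(device: Device) -> bool:
    """Minimal device health gate: patched, encrypted, endpoint agent running."""
    return device.os_patched and device.disk_encrypted and device.edr_running


def zero_trust_decision(session: Session, resource: Resource):
    """Evaluate identity, MFA and device posture for one resource; deny by default."""
    if not session.groups & resource.allowed_groups:
        return False, "identity: user not in an allowed group"
    if resource.require_mfa and not session.mfa_passed:
        return False, "mfa: second factor not satisfied"
    if resource.require_posture and not posture_ok(session.device):
        return False, "posture: device fails health checks"
    return True, "allow"


# Constructed catalogue of internal resources (no real hosts).
RESOURCES = {
    "hr-portal": Resource("hr-portal", "10.1.2.10", {"hr"}),
    "git": Resource("git", "10.1.3.20", {"engineering"}),
    "wiki": Resource("wiki", "10.1.4.30", {"hr", "engineering", "sales"},
                     require_posture=False),
}


def reachable_resources(session: Session, model: str) -> dict:
    """Map each resource name to the decision reason under 'vpn' or 'zero_trust'."""
    out = {}
    for name, res in RESOURCES.items():
        if model == "vpn":
            out[name] = "allow" if vpn_allows(session, res.address) else "deny: unrouted"
        else:
            _, reason = zero_trust_decision(session, res)
            out[name] = reason
    return out


if __name__ == "__main__":
    # A valid credential used without MFA from an unmanaged device: the case the
    # text describes when stolen VPN credentials are used.
    compromised = Session("j.doe", {"sales"}, mfa_passed=False,
                          device=Device(os_patched=False, disk_encrypted=False,
                                        edr_running=False))
    print("vpn:       ", reachable_resources(compromised, "vpn"))
    print("zero trust:", reachable_resources(compromised, "zero_trust"))
```

Running the block shows the VPN model returning "allow" for every resource, while the per-resource model denies the two group-restricted applications on identity grounds and denies the shared wiki because the second factor was never satisfied. A healthy, MFA-authenticated engineer reaches only the resources their group is entitled to, and an engineer on an unpatched device loses access to the posture-gated resource while keeping the one that does not require it.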

SASE is Well-Suited to Remote Work

Enterprises that enable WFH using ICG's SASE platform can scale quickly to any number of remote users without worry. The complexity of scaling is all hidden in the ICG PoPs, so there is no infrastructure for the organization to purchase, configure, or deploy. Giving end users remote access is as simple as installing a client agent on the user’s device, or providing clientless access to specific applications via a secure browser.

Security is decentralized, located at the PoPs, which reduces the load on infrastructure in the company’s datacenter. Routing and security are integrated at this network edge. Thus, security administrators can choose to inspect business traffic and ignore personal traffic at the PoP. Moreover, traffic can be routed directly and securely to cloud infrastructure from the PoP instead of forcing it to a central datacenter first. Further, admins have consistent visibility and control of all traffic throughout the enterprise WAN.

WFH Employees Have Secure and Productive Access to the Corporate Network

While some workers are venturing back to their offices, many more are still working from home—and may work from home permanently. The ICG SASE platform is the ideal way to give them access to their usual network environment without forcing them to go through insecure and inconvenient VPNs.
