Resiliency and adaptability are crucial attributes for enterprise networks. In the face of an unusual and business-disrupting event (whether a cyberattack or a global pandemic), organizations require network infrastructure capable of supporting operations as they work through their business continuity and disaster recovery strategies.
Virtual private networks (VPNs) are a common choice for implementing corporate WANs, but they lack many of the features that a scalable and resilient enterprise network requires. Secure Access Service Edge (SASE), on the other hand, is a newer WAN architecture designed to support business continuity and network resiliency.
VPNs Address Common WAN Use Cases
VPNs are a common choice for implementing corporate WANs. This is because they are familiar and address the two main use cases for the corporate WAN:
Site-to-Site Links: Organizations commonly have multiple sites and infrastructure deployed off-site (such as cloud-based resources). To protect traffic between these locations from eavesdropping and tampering, many organizations implement site-to-site VPN tunnels (typically IPsec) that create encrypted and authenticated links between the sites.
Secure Remote Access: Employees are increasingly working from outside the corporate office. A VPN connection between a client on the employee’s machine and a VPN endpoint on the enterprise network provides an encrypted path into the network and a user experience similar to a direct connection to the corporate LAN.
VPNs Are a Fragile and Unscalable WAN Solution
VPNs are probably the most common method that organizations use to implement secure network links between two sites or between a remote user and the enterprise network. However, they have a number of limitations that endanger an organization’s network usability and business continuity:
Single Points of Failure: VPNs are designed to provide point-to-point secure communications channels. In practice this means that a single VPN concentrator (or a small high-availability pair) on the enterprise network terminates all remote-access traffic. Since this endpoint must be exposed to the public Internet to be reachable by remote users, it is an easy target for Distributed Denial of Service (DDoS) attacks intended to degrade or cut off remote users’ access to the enterprise network.
Lack of Scalability: VPNs are a point-to-point connectivity solution in which each remote user or site requires its own tunnel, and those tunnels all terminate on the same concentrator in a hub-and-spoke pattern. This means that VPNs scale poorly as the number of remote users increases (as in the surge of telework due to COVID-19): the concentrator’s throughput, cryptographic capacity, and licensed session count are hard limits, and an organization’s VPN infrastructure can easily become overwhelmed, leading to decreased network performance.
Prone to Vulnerabilities: VPN endpoints commonly contain exploitable vulnerabilities. In fact, a VPN vulnerability is at the top of the NSA’s 2020 list of the vulnerabilities most exploited by Chinese state-sponsored actors. The number of VPN vulnerabilities, combined with the difficulty of taking a production concentrator offline to patch it, leaves VPN infrastructure exposed to cyber threats for longer than it should be.
Short-Term Connection Focus: Most remote-access VPNs are designed for periodic, short-duration connections: sessions have fixed idle and maximum lifetimes, so users must reauthenticate whenever a device sleeps, changes networks, or outlives the session timer. This makes them a poor fit for all-day, everyday use (such as telework).
No Integrated Security: VPNs are designed to provide a confidential, integrity-protected, and authenticated channel for network traffic; they do not inspect the traffic that flows through it. Because they include no integrated security stack, all VPN traffic must be hairpinned through an external security stack (firewall, IPS, web filtering) for inspection, which adds complexity and makes the concentrator’s site a chokepoint for every remote user.
Limited Access Control: A VPN’s built-in access control is largely limited to requiring the user to authenticate to the VPN. Once authenticated, the user typically has network-layer access to everything reachable from the VPN subnet, regardless of role or device state. Restricting this access (to minimize the potential damage from a compromised account or device) requires an external access control solution, such as a firewall enforcing per-user or per-group rules on the VPN interface.
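The following is an added configuration example, not from the original article or any vendor, showing what that “external access control solution” looks like on a self-managed Linux VPN gateway. It assumes a WireGuard server interface named wg0 where each peer is pinned to a single tunnel address by its AllowedIPs entry (WireGuard’s cryptokey routing rejects packets from a peer with any other source address, so a tunnel IP reliably identifies the authenticated user), and an nftables ruleset on the same host that turns those identities into a least-privilege policy. The peer key, subnets, and server addresses are placeholders chosen for illustration.

```conf
# --- /etc/wireguard/wg0.conf (server side, constructed example) ---
# Each peer gets exactly one /32. Cryptokey routing means traffic that
# arrives over this peer's session with any other source IP is dropped
# before it ever reaches the firewall, so 10.8.0.10 == this user.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
# alice (finance team) - placeholder key
PublicKey = <alice-public-key>
AllowedIPs = 10.8.0.10/32

[Peer]
# bob (engineering) - placeholder key
PublicKey = <bob-public-key>
AllowedIPs = 10.8.0.20/32

# --- /etc/nftables.conf on the same gateway (constructed example) ---
# Default-deny forwarding from the VPN: an authenticated user only reaches
# the destinations and ports their group is entitled to, not the whole LAN.
table inet vpn_acl {
    set finance_users {
        type ipv4_addr
        elements = { 10.8.0.10 }
    }
    set engineering_users {
        type ipv4_addr
        elements = { 10.8.0.20 }
    }
    set finance_servers {
        type ipv4_addr
        flags interval
        elements = { 10.20.5.0/24 }        # ERP and reporting hosts
    }
    set engineering_servers {
        type ipv4_addr
        flags interval
        elements = { 10.20.7.0/24 }        # build and source-control hosts
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the gateway already allowed.
        ct state established,related accept

        # Everyone on the VPN may resolve names against the internal resolver only.
        iifname "wg0" ip daddr 10.20.9.53 udp dport 53 accept

        # Finance: HTTPS and PostgreSQL to finance hosts, nothing else.
        iifname "wg0" ip saddr @finance_users ip daddr @finance_servers \
            tcp dport { 443, 5432 } accept

        # Engineering: SSH and HTTPS to engineering hosts, nothing else.
        iifname "wg0" ip saddr @engineering_users ip daddr @engineering_servers \
            tcp dport { 22, 443 } accept

        # Anything else from the tunnel is logged and dropped. The log line
        # carries the tunnel source IP, which maps back to a named user.
        iifname "wg0" log prefix "vpn-acl-drop " drop
    }
}
```

Two points worth noting. First, the policy is only as trustworthy as the binding between tunnel IP and user: if AllowedIPs were widened to a subnet, or peers shared a key, the saddr matches would no longer identify anyone. Second, this gives per-group network-layer control, not per-application or device-posture control; revoking a user still means removing their peer entry and editing the sets, which is exactly the kind of operational coupling the rest of the article argues against.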
All of these factors contribute to an unstable, unscalable, and insecure corporate WAN. If an organization’s VPN infrastructure experiences increased load, is targeted by an attack, or is abused as the entry point for one, then the company’s ability to sustain operations may be degraded or completely compromised.
SASE Supports a More Robust and Resilient Corporate WAN
The limitations of VPNs stem from the fact that they were designed for a network architecture that is no longer common, one in which most of an organization’s systems and users were located on the enterprise network. Today, companies are increasingly embracing cloud computing and remote work, which shifts the center of gravity from the corporate LAN to the corporate WAN.
SASE provides a modern solution for implementing the corporate WAN. Rather than a single concentrator at headquarters, SASE is delivered from a distributed network of cloud points of presence that combine SD-WAN connectivity with a full, integrated security stack (firewall, secure web gateway, and identity-based access control). Because each user or site connects to the nearest point of presence, SASE can route traffic optimally between nodes (unlike VPNs’ point-to-point tunnels back to a hub), removes the concentrator as a single point of failure, absorbs increased load by adding capacity in the cloud rather than at one site, and is designed for persistent, always-on connectivity.
As organizations grow and evolve, their business continuity strategies and network infrastructure need to grow and evolve with them. Relying on a legacy WAN technology, such as VPN, requires organizations to accept unnecessary limitations that dramatically impact their network performance, security, and resiliency.