Poor VPN Scalability Hurts Productivity and Security

Dave Greenfield
June 1, 2021

Due to the surge in remote work inspired by COVID-19, VPN infrastructure designed to support 10-20% of the workforce has failed to keep up. This has inspired companies to invest in scaling their VPN infrastructure, but this is not as easy as it sounds. VPNs are difficult to scale for a few different reasons, and this forces companies to make tradeoffs between network performance and security.

With growing support for remote work, having an unscalable and unsustainable secure remote access solution is not an option.  So how can organizations scalably and securely support their remote workforces?  We’ll answer that here.

Why VPNs scale poorly

VPNs are designed to provide privacy, not security. They lack built-in access controls and the ability to inspect traffic for malicious content. As a result, companies commonly use VPNs to backhaul remote workers’ traffic through the corporate LAN for security inspection before sending it on to its destination.

This design means that the organization’s VPN solutions, corporate network infrastructure, and perimeter-based security stack are all potential bottlenecks for a VPN-based secure remote access solution. As a result, effectively scaling VPN infrastructure requires investment in a number of areas, including:

  • VPN Infrastructure: As VPN utilization increases, a company’s VPN terminus needs to be able to support more parallel connections. Accomplishing this often requires deploying additional VPN infrastructure to meet current demands.
  • Last Mile Network Links: Network links on the corporate LAN must be capable of supporting the load caused by backhauling all network traffic for security inspection. For all traffic with destinations outside of the corporate LAN, traffic will traverse the network twice – both entering and leaving after security inspection – and network links must have the bandwidth to support this.
  • Security Systems: The use of VPN infrastructure to backhaul business traffic is designed to allow it to undergo security inspection and policy enforcement. Perimeter-based security solutions must have the capacity to process all traffic at line speeds.
  • System Redundancy: With a remote workforce, secure remote access solutions become “critical infrastructure” with high availability requirements. All systems (VPN, networking, security, etc.) must be designed with adequate redundancy and resiliency.

Acquiring, deploying, and maintaining adequate infrastructure to meet companies’ remote access needs is expensive. The limited feature set and poor scalability of VPNs contribute to a number of problems that are holding businesses back.

An unsustainable and insecure approach

The disadvantages of VPNs for businesses contribute to a number of factors that impair the usability and security of these systems, such as:

  • Degraded Performance: Because VPNs have no built-in security functionality, sending traffic through a standalone security stack is essential. This means that many organizations backhaul traffic through corporate LANs for inspection, which creates significant network latency.
  • Appliance Sprawl: The poor scalability and high availability requirements of VPN infrastructure means that organizations need to deploy multiple appliances to meet the needs of a remote workforce. This is expensive and adds complexity to the process of deploying, configuring, and maintaining these appliances.
  • Security Workarounds: The poor scalability of VPNs drives many organizations to make tradeoffs between network performance and security. A common example is backhauling traffic to the corporate network for security inspection, which incurs significant latency.
  • Network-Level Access: VPNs provide authorized users with unlimited access to the corporate network. This enables legitimate users to misuse their access and dramatically increases the risks associated with a compromised user account.

The use of enterprise VPN solutions is an unsustainable and insecure approach to implementing secure remote access. As companies plan extended or permanent support for remote work, a better solution is needed.

SASE is a scalable alternative for secure remote access

With the growth of remote work and cloud computing, companies need a secure remote access solution that is designed for the modern enterprise network. While VPNs cannot effectively scale to meet demand, the same is not true of secure access service edge (SASE).

Many of VPNs’ issues arise from two main factors: location and security. VPNs are designed to provide a secure connection to a single terminus, and they lack built-in security so that location needs to host a standalone security stack.

SASE eliminates both of these considerations. Instead of a single VPN terminus, SASE is implemented as  a worldwide network of points of presence (PoPs). With so many PoPs, business traffic can enter and leave the corporate WAN at convenient locations.

SASE also incorporates a full security stack, enabling any SASE PoP to perform security inspection and policy enforcement for the traffic passing through it. This eliminates the need to deploy standalone security stacks at each terminus or backhaul to a central location for inspection, simplifying security and eliminating unnecessary latency.

This security stack includes zero trust network access (ZTNA) – also known as software-defined perimeter (SDP) – for secure remote access. Unlike VPNs, ZTNA/SDP implements zero trust security principles, providing access to resources on a case-by-case basis. This minimizes the risk posed by a compromised user account or malicious user.

These two features make SASE a much more scalable secure remote access solution than VPNs. The decentralized nature of the SASE network means that no one location needs to carry the full load of the remote workforce’s network traffic. The network also has built-in redundancy and the ability to easily scale or expand simply by deploying a new virtualized appliance at the desired location.

Cato offers secure, scalable remote access for the distributed enterprise

Modern businesses need secure remote access solutions that protect their remote workforces without compromising security.  Cato Cloud makes it easy for employees to connect securely from anywhere to anywhere. To learn more about how to deploy high-performance secure remote access, download our free Work from Anywhere for Everyone eBook.

If you have questions about the benefits of SASE over VPNs or how Cato Cloud can work with your environment, feel free to contact us. Also, don’t hesitate to request a free demo to see Cato Cloud’s secure remote access capabilities for yourself.

 

 

Dave Greenfield

Dave Greenfield is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.