AdRoll’s Global Director of IT Adrian Dunne faced several challenges when attempting to scale the company’s Internet-based VPNs. Network performance, security, and redundancy all became major issues as AdRoll grew, prompting Dunne to search for a VPN alternative.
What struck me most about AdRoll’s use case was that it was a microcosm for the issues so many enterprises face with VPN. Often, VPNs makes sense at a small scale or for one-off applications. However, as enterprises grow and networks become more complex, VPN’s shortcomings far outweigh the benefits. Like AdRoll, many modern enterprises are learning that the scalability, security, and reliability of cloud-based SD-WAN make it an ideal VPN alternative.
So, what makes SD-WAN such an attractive VPN replacement?
Use Cases for VPN
Before we dive into the shortcomings of VPN, let’s review what makes it attractive to some enterprises in the first place. Internet-based VPN gained popularity over the last decade in part as a lower-cost, albeit flawed, alternative to MPLS (Multiprotocol Label Switching). Site-to-site VPNs enable enterprises to securely connect physical locations over the public Internet by creating an encrypted connection between two on-premises appliances. The upside here was simple: public Internet bandwidth is significantly cheaper than MPLS bandwidth. For the mobile workforce, remote-access VPNs allow employees to access WAN resources from home-offices, hotels, and mobile devices using VPN client software.
Where VPN Comes Up Short
So, if VPNs can connect multiple locations securely and at a lower cost than MPLS, what are the downsides that lead to so many enterprises searching for VPN alternatives? There are quite a few, including:
With Internet-based VPN, physical or virtual appliances must be installed at each location. Not only does this increase opex, but it also adds significant complexity to network infrastructure and creates bottlenecks when provisioning new sites. Further, appliance refreshes erode the initial cost savings VPN solutions promise.
Complexity increases as you grow
Related to the issue with appliance sprawl, is the complexity of configuring tunnels at new location. As you add more locations to your network, tunnels need to be defined to each existing location. Very quickly the sheer complexity of setting up the VPN becomes too time consuming for many IT professionals.
Increased attack surface
While it is true that VPN uses secure protocols like IPsec (IP Security) and TLS (Transport Layer Security) to tunnel traffic, a lack of granular security controls can lead to unnecessary risk. For example, AdRoll users who only required access to web applications could use SSH to connect to the company’s routers.
Remote-access VPNs require client devices to connect to on-premises UTM (Unified Threat Management), firewall, or VPN appliances. Doing so can add significant latency and impact the performance of applications such as VoIP, telepresence, and video streaming. VPN appliances themselves also have limited bandwidth, which can lead to these appliances becoming WAN bottlenecks. Additionally, traffic that must traverse large geographical distances over the public Internet often experiences unacceptable latency levels.
Limited network visibility
With VPN, enterprises are often left in the dark when it comes to a large chunk of their data flows. With mobile workforces, this becomes an even bigger challenge. Often, mobile users connect directly to services like Office 365, limiting corporate oversight and auditing capabilities.
Unpredictable and unreliable service
Internet-based VPN is inherently reliant on the public Internet. With the lack of SLAs and underlying fundamental problems with Internet routing, this means enterprises that choose Internet-based VPN must sacrifice some level of service reliability.
How Cloud-Based SD-WAN Addresses VPN Challenges
With the rapid evolution of enterprise networking, enterprises are realizing that the tradeoffs associated with VPN simply aren’t worth it. A shift towards SaaS-based architectures, mobile workforces, and latency sensitive applications like UCaaS (Unified Communications as a Service) make scalable, agile, and secure WAN connectivity a must. Cato’s cloud-based SD-WAN meets these demands and addresses the shortcomings of VPN. With Cato Cloud, enterprises get:
Scalable, cloud-native infrastructure
With a converged, cloud-native network infrastructure, Cato Cloud enables enterprises to provision new sites in minutes as opposed to days and eliminates the need for the majority of on-premises appliances. Nor do IT pros need to configure tunnels between locations. All of which reduces operational expenses (opex) and brings the hyper-scalability of the cloud to the WAN.
Granular policy enforcement
A full cloud-native security stack with features like NGFW (Next-generation firewall) enables granular policy enforcement for all users and applications. Enterprises can enforce policies down to the application and user level.
Optimized WAN performance
Cato’s global private backbone addresses latency in the middle-mile. Features like active/active failover, Intelligent Last Mile Management (ILMM), and dynamic path selection help optimize WAN performance in the last-mile as well. Further, Cato’s mobile client eliminates the need for the inefficient backhauling associated with remote-access VPN. Additionally, the scalability of the cloud eliminates the issue of on-premises appliances creating a bottleneck. The result? WAN performance that far outstrips VPN. Case in point: Cato customer Paysafe found that Cato Cloud had 45% less latency than Internet-based VPN.
In-depth network visibility
The cloud-native security stack built-in to the Cato cloud enables application and user-level visibility to network data flows. This holds true for mobile users and cloud applications as well. In fact, Adrian Dunne and the AdRoll team gained deeper insight into cloud usage with Cato. According to Dunne, “Now we can see who’s connecting when and how much traffic is being sent, information that was unavailable with our previous VPN provider…correct oversight and monitoring of logs ties directly into the bigger security conversation.”
Reliable, SLA-backed performance
Cato’s private backbone is connected by multiple Tier-1 ISPs (Internet Service Providers) and backed by a 99.999% uptime guarantee. With 45+ PoPs (Points of Presence) across the globe, Cato’s backbone delivers reliable and predictable performance on a global scale. Additionally, a shared datacenter footprint with major cloud service providers enables optimal egress for cloud traffic eliminating the need for services like AWS Direct Connect.
SD-WAN Provides Enterprises with a Modern VPN Alternative
While VPN can address select small-scale WAN use cases, it simply isn’t designed to meet the demands of the modern digital business. By taking a converged, scalable, and secure approach to WAN connectivity, cloud-based SD-WAN serves as the ideal VPN alternative and enables enterprises to get the most out of their networks.