VPNs date back to the 1990s when the public internet lacked almost any form of security, and the technology was developed to provide secure and cost-effective connections across this insecure landscape.
VPNs have become widely deployed across enterprise networks and experienced a surge during the pandemic, when companies had to scramble to provide secure remote access to employees who were suddenly working from home.
VPNs remain popular today, but they are also slowly but surely being supplanted by more flexible, more secure, more granular alternatives, such as SD-WAN, Zero Trust Network Architecture (ZTNA), and SASE, a cloud-based service that includes SD-WAN, ZTNA and other security features.
What is a VPN?
A virtual private network (VPN) creates a connection over an insecure network (such as the public internet) that aims to be as secure and private as a connection across an internal physical network.
VPNs are most commonly used to securely connect remote workers to the enterprise network or to connect multiple remote sites to one another. Another emerging use case is to connect Internet of Things (IoT) devices to a network.
How does a VPN work?
In a typical scenario, an end user would deploy a VPN client—a software program on their computer or device—to connect to a VPN server, which manages the connection between the client’s device and the network to which they’re connecting.
From the client perspective, installing a VPN is simple. MacOS, Windows, iOS, and Android come with built-in VPN clients, and other client programs with more features and options are available for free. However, these clients need to connect to a VPN server, a more complex (and expensive) tool that is generally installed by a corporate IT department.
Once that connection has been made, the end user’s computer will appear to other devices that interact with it as if it’s part of that network. If there are internal fileservers or other private resources on that network, the end user will be able to access them.
If the end user tries to access resources on the public internet, their network traffic will have to travel through the private network to which they’re connected. For example, let’s say you are physically in the United States, and you use a VPN to access your company’s private network in Canada.
If you then open a web browser and start visiting various sites, that internet traffic gets routed through your company’s Canadian office, even if the servers you’re accessing are in the U.S. From the point of view of those web servers, you’ll appear to be in Canada, with an IP address assigned by your corporate network.
This can cause inefficiencies in network traffic, but there are also advantages in terms of privacy and access to restricted sites.
What is VPN tunneling?
Network packets moving from your client computer to your corporate network travel over the open internet. While this traffic might be encrypted in some way (probably by SSL/TLS), that isn’t always the case. And the packet headers will contain routing information necessary to get them to their destination that could reveal potentially sensitive information about their target network.
This means that such connections aren’t necessarily secure, and that’s the problem that VPN tunneling aims to solve.
A VPN creates a (metaphorical) tunnel between the client and server by encrypting the network packets, including their headers, and enclosing them in other packets. The “outside” packets have headers with information explaining how they should be routed from the VPN client to the server or vice versa.
Once a packet reaches the VPN server, the server decrypts it to find the “internal” packet. That internal packet’s header has routing information for navigating through the corporate network. That’s why, from the point of view of the client and other clients on the private network, it’s as if the client is in the same building or campus.
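The encapsulation just described, as an added example that is not part of the original article: the client encrypts the entire inner packet (header and payload) with an authenticated cipher, wraps it in an outer packet whose header names only the two tunnel endpoints, and the server reverses the process to recover the inner header and its private-network destination. The packet layout, addresses, field names and the pre-shared session key are all constructed for illustration; real IPsec and SSL VPNs negotiate keys (IKE, the TLS handshake) and use standardised wire formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"net/netip"
)

// Packet is a deliberately simplified "inner" packet: a header with source
// and destination addresses plus a payload. Real IP headers carry many more
// fields; this shows the encapsulation idea, not a wire-compatible format.
type Packet struct {
	Src, Dst netip.Addr
	Payload  []byte
}

// Marshal serialises the packet as 4-byte src | 4-byte dst | payload.
func (p Packet) Marshal() []byte {
	s, d := p.Src.As4(), p.Dst.As4()
	out := make([]byte, 0, 8+len(p.Payload))
	out = append(out, s[:]...)
	out = append(out, d[:]...)
	return append(out, p.Payload...)
}

// Unmarshal is the inverse of Marshal.
func Unmarshal(b []byte) (Packet, error) {
	if len(b) < 8 {
		return Packet{}, errors.New("inner packet too short")
	}
	var s, d [4]byte
	copy(s[:], b[0:4])
	copy(d[:], b[4:8])
	return Packet{Src: netip.AddrFrom4(s), Dst: netip.AddrFrom4(d), Payload: append([]byte{}, b[8:]...)}, nil
}

// Tunnel holds the key shared by client and VPN server (key agreement is out
// of scope; a constructed random key stands in).
type Tunnel struct{ aead cipher.AEAD }

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

func outerHeader(src, dst netip.Addr) []byte {
	s, d := src.As4(), dst.As4()
	hdr := make([]byte, 0, 8)
	hdr = append(hdr, s[:]...)
	return append(hdr, d[:]...)
}

// Encapsulate (client side) encrypts the whole inner packet, header included,
// and wraps it in an outer packet. The outer header stays in the clear so
// internet routers can forward it, but it is bound to the ciphertext as AEAD
// additional data, so any change to it in transit is detected on receipt.
func (t *Tunnel) Encapsulate(outerSrc, outerDst netip.Addr, inner Packet) ([]byte, error) {
	hdr := outerHeader(outerSrc, outerDst)
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := t.aead.Seal(nil, nonce, inner.Marshal(), hdr)
	out := append(hdr, nonce...) // wire format: outer header | nonce | ciphertext+tag
	return append(out, sealed...), nil
}

// Decapsulate (server side) verifies the tag, decrypts, and returns the inner
// packet, whose own header carries the private-network destination.
func (t *Tunnel) Decapsulate(wire []byte) (Packet, error) {
	ns := t.aead.NonceSize()
	if len(wire) < 8+ns+t.aead.Overhead() {
		return Packet{}, errors.New("outer packet too short")
	}
	hdr, nonce, ct := wire[:8], wire[8:8+ns], wire[8+ns:]
	plain, err := t.aead.Open(nil, nonce, ct, hdr)
	if err != nil {
		return Packet{}, fmt.Errorf("tunnel integrity check failed: %w", err)
	}
	return Unmarshal(plain)
}

// Demo runs one client->server exchange with constructed addresses and returns
// the inner destination the server recovered and whether a copy whose outer
// header was modified in transit was rejected.
func Demo() (innerDst string, tamperRejected bool, err error) {
	key := make([]byte, 32) // AES-256 session key, constructed
	if _, err = rand.Read(key); err != nil {
		return "", false, err
	}
	tun, err := NewTunnel(key)
	if err != nil {
		return "", false, err
	}
	inner := Packet{
		Src:     netip.MustParseAddr("10.8.0.23"), // client's address inside the VPN
		Dst:     netip.MustParseAddr("10.1.5.40"), // internal file server
		Payload: []byte("GET /share/report.pdf"),
	}
	wire, err := tun.Encapsulate(netip.MustParseAddr("203.0.113.7"), netip.MustParseAddr("198.51.100.1"), inner)
	if err != nil {
		return "", false, err
	}
	got, err := tun.Decapsulate(wire)
	if err != nil {
		return "", false, err
	}
	tampered := append([]byte{}, wire...)
	tampered[7] ^= 0x01 // flip a bit of the outer destination: the tag no longer verifies
	_, terr := tun.Decapsulate(tampered)
	return got.Dst.String(), terr != nil, nil
}

func main() {
	dst, rejected, err := Demo()
	fmt.Println("inner destination:", dst, "| tamper rejected:", rejected, "| err:", err)
}
```

The point to notice is that only the outer header is visible on the public internet; the inner header, which reveals the private 10.x.x.x topology, travels encrypted, and because the outer header is authenticated as well, a router or on-path device that rewrites it causes the server to drop the packet rather than misroute it.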
VPN protocols: IPSec vs. SSL
While all VPNs follow the same basic pattern, there are a variety of implementations that use different underlying technologies—they can use different types of encryption, for instance, or may operate on different layers of the OSI model.
If an end user at a remote office wants to access internal enterprise resources, they would probably use an IPSec VPN. IPSec was the original protocol used for VPNs, and operates on the same OSI layer as the IP protocol. Such a connection would allow the client access to all company resources as if they were in the office, including shared drives, applications, and other assets.
The client could, on the other hand, use an SSL VPN, which instead operates on the transport layer. Such a VPN typically provides connectivity to a single application, rather than the entire internal network. These VPNs can be built into web browsers and used to access a corporate intranet.
SSL VPNs have become increasingly popular because the SSL protocol requires fewer compute resources and gives IT more control over what remote users can or cannot see. Limiting access to a specific set of applications can protect the organization in the event the user’s device is breached. There are a number of other VPN protocols, some of which are open standards and others proprietary.
What are the benefits of a VPN?
A VPN can provide a secure connection across the open internet to resources that need to be accessed beyond the abilities of standard internet protocols. If you need remote access to sensitive files or other resources, a VPN can be one of the best tools to do it. A VPN also makes remote computers behave (from a network perspective) like equal partners on an internal network.
In fact, a VPN can also make separate private networks act as if they’re one network, by using the same techniques to combine two or more networks rather than one computer to one network.
Another use for VPNs is to boost privacy. In our scenario where an American VPN client connects to their Canadian office and acquires a Canadian IP address, that client can browse the network with their real location obfuscated.
This can help users cover their tracks online, and get around access restrictions imposed by governments. It can also allow users to access content that may be banned or blocked in their locale.
Can I use VPNs for free?
If you’re using a VPN to connect to a corporate network, you can generally do so without any cost, since your employer will have set up the server that you’ll be connecting to. But what if you want to use a VPN for its security or locale-obfuscation qualities, but don’t have a server to connect to? There are a variety of commercial VPN services out there that cater to such needs.
Some are free of charge, but they tend to make money either by bombarding you with intrusive ads or by selling your browsing data—infringing upon the very privacy you’re seeking to protect. Instead, check out trusted paid services, many of which offer free trials and reasonable prices.
What are the types of VPN?
The two main categories are remote access VPNs, which connect individual devices to a private network, and point-to-point VPNs, which connect networks to one another.
Remote-access VPNs are the most common type. They allow users to access company resources even when they are not directly connected to the corporate network. Remote access VPNs are typically temporary connections that are shut off when users have completed whatever task they were working on.
The secure tunnel between the user’s endpoint and the private network is established via some sort of authentication – passwords, tokens, biometric identification. Sometimes usernames and passwords are embedded in VPN software located on the user’s endpoint to make connecting easy for the user, but there’s always some form of authentication.
Pros: The upside of using remote-access VPNs is that workers can connect to any company resource regardless of where they are and without a dedicated physical circuit. This reduces costs, but also enables connectivity where it wasn’t possible before.
Cons: The downside of remote access via VPN is that performance can vary greatly depending on a number of factors. These include the internet service or encryption method being used, or the endpoint the user is connecting from. For example, a worker connecting via residential fiber is likely to have significantly better performance than when establishing a VPN session from a hotel over shared Wi-Fi. Unfortunately, these issues are often well beyond the control of the company’s IT department.
Any corporate service can be accessed via a remote-access VPN, and most will run just fine. But applications that consume large amounts of bandwidth, such as video, or have low-latency requirements, like voice over IP (VoIP), may perform erratically.
Site-to-site VPNs connect locations, typically branch offices, to the company network. With site-to-site VPNs, the connections are established and terminated on a networking device, most commonly a router, firewall, or dedicated VPN appliance, but not on end-user devices such as laptops and desktops.
One reason to implement site-to-site VPNs is similar to the reason network professionals implement remote access VPNs: it’s too expensive or impractical to connect the site with a dedicated leased line.
Consider a US-based consulting firm that decides to open a remote office in Japan with three people in it that need to access a shared file server, e-mail, and other company resources. In this case, the network demands aren’t that high, so a dedicated connection does not make sense. The company can purchase a local internet connection and create an internet-based VPN that connects the two locations, saving literally thousands of dollars per month.
Site-to-site MPLS VPNs
Site-to-site MPLS VPNs may be complex to set up and lack agility. Making changes can be very challenging and application performance can be erratic depending on network congestion and other factors.
To overcome those challenges, you may want a site-to-site VPN that connects via a carrier-provided MPLS cloud instead of the public internet, offloading establishment of the VPN connections to the provider. The service provider creates virtual connections between sites across its MPLS network.
The primary advantages of this type of VPN are network agility and the ability to mesh the networks. In a typical site-to-site network, each branch is connected to the data center, and any branch-to-branch traffic flows through that central hub. With meshing, branches connect to each other directly without going through the hub.
This direct connectivity may be necessary for video conferencing and other bandwidth-intensive and delay-sensitive applications, and MPLS VPNs are ideally suited for this use case.
The downside to MPLS VPNs has always been cost. Private IP services like MPLS are very expensive, particularly for international connections.
The Internet of Things consists of a broad range of devices, many of them sensors that are used in corporate networks, from monitoring and controlling building systems to gathering data about machines in manufacturing plants.
A common requirement is that these devices be able to communicate with the company network securely, and a remote-access VPN can be an ideal way to do that. Often this takes the form of an SSL VPN that can be configured to restrict access to everything except the services the IoT device needs to perform its functions.
Diminishing need for remote-access VPNs
As software as a service (SaaS) grows increasingly popular, the requirement for IT to provide remote access VPNs is diminishing. Applications and data are moving from company data centers to the cloud, and users can access those services directly via the browser, secured by passwords and TLS.
Having to VPN into the corporate network to access SaaS applications is less efficient than enabling end users at a branch office to connect directly with the cloud through SD-WAN technology.
SD-WANs provide the cost benefits of internet-based VPNs with the performance and agility of MPLS VPNs.
With an SD-WAN, organizations can replace at least some of their high-price MPLS circuits with more economical internet connections and use the optimization and multi-path capabilities of an SD-WAN to ensure performance stays high enough for each workload.
Also, because the control element of an SD-WAN has been decoupled from the underlying infrastructure, the network can be configured through a centralized portal. Making changes to an SD-WAN can often be done with just a few mouse clicks.
VPN technology has been around for decades, and SD-WAN should be thought of as the next major evolutionary step for the technology.
Zero Trust represents another approach. VPNs are part of a legacy security architecture based on the notion that remote workers and branch offices exist ‘outside’ the network and then gain access to the ‘inside’ of the network.
Zero Trust eliminates those distinctions and considers all end users to be untrusted until they can be authenticated. With ZTNA, VPNs are replaced with role-based authentication, strict access control and context-aware identity management and monitoring.
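Both the IoT scenario above (an SSL VPN configured to block everything except the services a device needs) and the ZTNA model (role-based, context-aware access decisions) come down to a deny-by-default policy evaluated per request. The following is an added example, not code from the article or from any VPN or ZTNA product, of such a policy engine: each role has an explicit service allowlist plus the context it requires (managed device, MFA), and every decision carries a reason so it can be logged and audited. The roles, services, principals and field names are constructed for illustration.

```go
package main

import "fmt"

// Request is one access attempt as seen by the broker: who is asking, with what
// role, for which service, and in what context. Field names are this example's own.
type Request struct {
	Principal     string // user or device identity
	Role          string // assigned by the identity provider
	Service       string // target, e.g. "mqtt-broker:8883"
	DeviceManaged bool   // endpoint is enrolled and posture-checked
	MFAPassed     bool   // second factor completed in this session
}

// Rule is an explicit allowlist for one role plus the context it requires.
type Rule struct {
	Services       map[string]bool
	RequireMFA     bool
	RequireManaged bool
}

// Decision records the verdict and why, so every outcome is auditable.
type Decision struct {
	Allowed bool
	Reason  string
}

// Policy maps role -> rule. Anything not explicitly allowed is denied.
type Policy map[string]Rule

// Decide applies the checks in order: known role, service on the allowlist,
// then the contextual requirements. The first failing check is the reason.
func (p Policy) Decide(r Request) Decision {
	rule, ok := p[r.Role]
	if !ok {
		return Decision{false, "no rule for role " + r.Role}
	}
	if !rule.Services[r.Service] {
		return Decision{false, r.Service + " not in allowlist for role " + r.Role}
	}
	if rule.RequireManaged && !r.DeviceManaged {
		return Decision{false, "unmanaged device"}
	}
	if rule.RequireMFA && !r.MFAPassed {
		return Decision{false, "MFA not completed"}
	}
	return Decision{true, "allowed by role " + r.Role}
}

// ExamplePolicy is constructed: a sensor role that may reach only the MQTT
// broker from an enrolled device, and an employee role that may reach the
// intranet and file server from a managed device after MFA.
func ExamplePolicy() Policy {
	return Policy{
		"building-sensor": {Services: map[string]bool{"mqtt-broker:8883": true}, RequireManaged: true},
		"employee": {Services: map[string]bool{"intranet:443": true, "fileserver:445": true},
			RequireMFA: true, RequireManaged: true},
	}
}

// Case pairs a label with a constructed request so results can be looked up by name.
type Case struct {
	Label string
	Req   Request
}

// Evaluate runs constructed requests through ExamplePolicy and returns the
// decisions keyed by case label.
func Evaluate() map[string]Decision {
	p := ExamplePolicy()
	cases := []Case{
		{"sensor-to-broker", Request{"hvac-sensor-12", "building-sensor", "mqtt-broker:8883", true, false}},
		{"sensor-to-fileserver", Request{"hvac-sensor-12", "building-sensor", "fileserver:445", true, false}}, // outside its allowlist
		{"employee-managed", Request{"alice", "employee", "intranet:443", true, true}},
		{"employee-unmanaged", Request{"alice", "employee", "intranet:443", false, true}}, // personal laptop
		{"employee-no-mfa", Request{"alice", "employee", "fileserver:445", true, false}},
		{"unknown-role", Request{"bob", "contractor", "intranet:443", true, true}}, // role never provisioned
	}
	out := make(map[string]Decision, len(cases))
	for _, c := range cases {
		out[c.Label] = p.Decide(c.Req)
	}
	return out
}

func main() {
	for label, d := range Evaluate() {
		fmt.Printf("%-22s allowed=%-5v %s\n", label, d.Allowed, d.Reason)
	}
}
```

Contrast this with the IPSec model described earlier, where a successful tunnel grants the client the whole internal network: here the tunnel (or broker session) grants nothing by itself, and a compromised sensor that tries to reach the file server is refused with a logged reason rather than reaching it simply because it is "inside".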
Copyright © 2022 IDG Communications, Inc.