Virtual private networks (VPNs) are a common solution for securing connectivity between remote workers or sites and the main enterprise network. VPNs provide point-to-point secure connectivity by encrypting all traffic between a VPN client and an endpoint on the target network.
However, as telework becomes more popular and accepted and demand for this secure connectivity grows, it becomes increasingly apparent that VPNs do not scale well. As the need for secure remote connectivity grows, organizations should start to consider alternative options, such as SD-WAN solutions, to secure their remote workforces without sacrificing network performance or employee productivity.
VPNs are an Unscalable Security Solution
VPNs are the most widely accepted and used solution for securing network connectivity of remote workers. However, most organizations’ VPN infrastructure is designed to support a fraction of their workforce at any given time. As demand for VPN connectivity grows, in response to COVID-19 or the general evolution of the modern business, many organizations have found their VPN infrastructure incapable of meeting demand. This is because VPN infrastructure, by design, is not a scalable solution for a few different reasons.
#1. Point-to-Point Connectivity
VPNs are designed to be a point-to-point connection security solution. A VPN client establishes an encrypted channel with a VPN endpoint on the enterprise network, enabling secure communication between these two points.
For organizations supporting remote work, this requirement for point-to-point connectivity means that teleworkers are connected to a single VPN endpoint on the enterprise network. From there, traffic undergoes security scanning and is then routed to its destination.
The reliance on one or more VPN endpoints within the enterprise network to process all teleworkers’ traffic means that the VPN solution scales very poorly. If demand for VPN resources exceeds the design capacity of these endpoints, network performance and throughput are degraded, and connections may be dropped or denied.
#2. Connection Limits
One of the impacts of reliance upon a set of VPN endpoints to manage all inbound VPN connections is that these endpoints have set connection limits. Any network appliance has a maximum number of simultaneous connections that it can support. If this maximum limit is reached, then no additional connection requests can be processed until resources are freed up.
These connection thresholds limit the scalability of an organization’s VPN infrastructure. In general, organizations design their VPN infrastructure to support a small percentage of their workforce (often less than 30%) at any given time. Increasing this maximum capacity requires investment in new VPN appliances, limiting solution scalability.
#3. Traffic Encryption and Decryption
VPN scalability is also limited by its reliance upon computationally intensive operations. The encryption and decryption operations necessary to support a secure tunnel between the VPN client and endpoint consume a great deal of computational resources.
Since these operations must be performed on the VPN endpoint, they can limit the number of connections that it can handle even more than the device’s connection limits. If VPN users perform operations that consume a large amount of bandwidth, such as uploads or downloads of large files, the endpoint must decrypt or encrypt all of this data. As a result, the performance of the VPN and its ability to serve the needs of other users is dramatically decreased.
#4. Seat-Based Licensing
Beyond the physical limitations of the VPN appliance, VPN manufacturers often impose artificial limits on the number of users that a VPN appliance can support. Many VPN solutions use seat-based licensing models.
Under these models, the organization purchases a set number of VPN “seats” or users that it can support. If the demand for VPN connectivity exceeds the number of purchased seats, additional connections will not be permitted even if the appliance is physically capable of supporting them.
#5. Network Bandwidth
VPNs can be a good solution for supporting remote workers when the teleworker is accessing resources located within the organization’s network perimeter. Under these circumstances, the teleworker’s network traffic only traverses the network perimeter once.
However, organizations are increasingly reliant upon cloud-based solutions for core business activities. Any traffic entering via a VPN connection but bound for an external location traverses the organization’s network perimeter and Internet connection twice: once inbound through the tunnel, and once outbound to the cloud destination. This amplifies the impact of bottlenecks within the organization’s network infrastructure.
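The five limits above (connection cap, seat license, crypto throughput, and WAN bandwidth with cloud-bound traffic counted twice) can be turned into a simple capacity model that tells a planner which constraint binds first for a given remote-work profile. The following is an added example, not code from the original article or from any VPN vendor; the appliance figures and traffic profiles are constructed for illustration and should be replaced with the real appliance datasheet values and measured per-user traffic.

```python
"""Capacity model for a single VPN concentrator (constructed example).

Each teleworker's traffic is tunnelled to the endpoint, which must decrypt and
re-encrypt every byte. Traffic bound for the Internet or cloud then leaves the
perimeter again ("hairpin"), so it consumes WAN capacity twice.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnEndpoint:
    max_connections: int   # appliance concurrent-connection limit
    licensed_seats: int    # seat-based licence cap imposed by the vendor
    crypto_mbps: float     # sustained encrypt/decrypt throughput of the appliance
    wan_mbps: float        # Internet link capacity at the perimeter


@dataclass(frozen=True)
class WorkloadProfile:
    per_user_mbps: float   # average tunnelled traffic per teleworker
    cloud_fraction: float  # share of that traffic bound for external/cloud destinations


def max_users(ep: VpnEndpoint, profile: WorkloadProfile) -> tuple[int, str]:
    """Return (supportable users, name of the binding constraint)."""
    # Hairpin effect: cloud-bound traffic crosses the perimeter twice, so each
    # user costs per_user_mbps * (1 + cloud_fraction) of WAN capacity.
    wan_per_user = profile.per_user_mbps * (1.0 + profile.cloud_fraction)

    limits = {
        "connection_limit": ep.max_connections,
        "licensed_seats": ep.licensed_seats,
        # The endpoint performs crypto on every tunnelled byte regardless of
        # where the traffic is ultimately routed.
        "crypto_throughput": int(ep.crypto_mbps // profile.per_user_mbps),
        "wan_bandwidth": int(ep.wan_mbps // wan_per_user),
    }
    binding = min(limits, key=limits.get)
    return limits[binding], binding


def supportable_fraction(ep: VpnEndpoint, profile: WorkloadProfile,
                         workforce: int) -> float:
    """Fraction of the workforce this endpoint can serve concurrently."""
    users, _ = max_users(ep, profile)
    return min(1.0, users / workforce)


# Constructed appliance: generous connection table, modest licence and crypto.
ENDPOINT = VpnEndpoint(max_connections=5000, licensed_seats=1500,
                       crypto_mbps=1800.0, wan_mbps=3000.0)

# Constructed traffic profiles (Mbps per user, share of traffic bound for cloud).
LIGHT_ONPREM = WorkloadProfile(per_user_mbps=0.5, cloud_fraction=0.0)
LIGHT_CLOUD = WorkloadProfile(per_user_mbps=0.5, cloud_fraction=0.8)
HEAVY_ONPREM = WorkloadProfile(per_user_mbps=2.0, cloud_fraction=0.0)
HEAVY_CLOUD = WorkloadProfile(per_user_mbps=2.0, cloud_fraction=0.8)


if __name__ == "__main__":
    for name, profile in [("light/on-prem", LIGHT_ONPREM), ("light/cloud", LIGHT_CLOUD),
                          ("heavy/on-prem", HEAVY_ONPREM), ("heavy/cloud", HEAVY_CLOUD)]:
        users, constraint = max_users(ENDPOINT, profile)
        pct = supportable_fraction(ENDPOINT, profile, workforce=5000)
        print(f"{name:14s} -> {users:5d} users ({pct:.0%} of 5000), bound by {constraint}")
```

Running the model shows the pattern the article describes: with light on-premises traffic the seat licence caps the endpoint at 30% of a 5,000-person workforce, while heavier per-user traffic makes crypto throughput the bottleneck, and shifting most of that traffic to cloud destinations makes the doubled WAN traversal the binding limit before the licence or connection table is ever reached.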
Solving VPN Scalability Issues with SD-WAN
The design of VPNs makes them an ill-suited solution for securing remote workers at scale. As support for remote work grows in the wake of COVID-19, the scalability limitations of VPN infrastructure mean that organizations struggle to balance teleworker productivity and security. In order to support a growing remote workforce, organizations should consider more scalable alternatives to VPNs, such as SD-WAN.
SD-WAN is designed to improve network performance by moving routing functionality to the network edge. By optimally directing traffic over multiple transport media, SD-WAN provides improved network performance and reliability. Secure SD-WAN solutions integrate security and networking functionality, providing the same benefits as VPNs without the scalability and performance issues caused by centralizing security on the enterprise network.
Secure access service edge (SASE) is the next step in the evolution of SD-WAN and network security. By moving secure SD-WAN to the cloud, SASE places networking and security functionality close to its users and cloud-based traffic destinations. This enables an organization to maintain full visibility and security scanning for business traffic while decreasing the associated performance impacts and providing a much greater level of scalability than a VPN-based solution.