Putting tech to the test: Why VPNs no longer cut it in the cloud-native era

VPNs don’t meet any of today’s modern infrastructure and application requirements, says Galeal Zino, CEO at NetFoundry

The requirements for high performance, secure connectivity are at an all-time high as enterprises embrace the cloud to develop and deploy modern applications.

Within this new cloud-native world, traditional Virtual Private Networks (VPNs) are still being relied upon. However, from a security perspective, the perimeter-based security provided by VPNs fails to make the grade, as it does not take into account user context and modern security threats. In addition, VPNs cannot protect corporate assets from possible insider threats. Employees who wish to harm the company can gain full access to a network under a VPN scheme.

The performance and security challenges of traditional VPNs are recognised and well documented. A recent study conducted by Futuriom found that of 75 percent of users are looking for new networking solutions. 64 percent said their current solution was underperforming and 48 percent said the same solution gave them security concerns.

VPNs implementations such as PPTP, OpenVPN and L2TP, are still used for corporate extranets, business-to-business (B2B) and connected supply chains. VPNs, a part of the hardware age of networking as Ethernet replaced ATM, and had their heyday in 1998 as the only secure way to do transactions across the widening Internet and spiralling extranets.

However, today, VPNs fail at almost all modern IT needs like connectivity performance, cloud networking complexity, IoT network awareness, cloud application availability, and security. There is no VPN that can offer any direct application support, they can only deliver 1-1 connectivity support secured by encryption, not the multi-edge to multi-application-specific cloud overlay needed for today’s application environment.

The bottom line is that VPNs don’t meet any of today’s modern infrastructure and application requirements. They were designed for the 1990’s networking environment and not for today’s distributed and dynamic cloud-based applications.

IPSEC and SSL

Due to changing needs over the last twenty years, different flavours of VPN have evolved, including IPSEC and SSL for connecting remote devices.

IPSEC VPNs Tunnels, known as conventional VPN technology, represent the security challenge facing the IT industry. IPSEC is not specific at all to any device or application, it merely means a user has used a password and encrypted tunnel to virtually plug into the physical resources of a network switch.

A fit analogy for an IPSEC tunnel is being inside somebody’s home. The front door is open, and suddenly all the rooms inside the house become yours to discover. This may be appropriate for a remote office, but it isn’t appropriate for applications spanning multi-cloud and IoT. Applications generally only require specific access to resources, not holistic access to the resources’ network.

SSL VPNs are different. They do not require any software installation on remote devices because SSL uses a web browser and SSL connection to establish a secure connection. Users can be given more specific and secure access based on hierarchies and policies.

SD-WAN only solve one small part of the problem

Flash forward to 2015, and SD-WAN emerged as a technology with the promise to keep device-based VPNs alive and kicking, by providing a software-defined central controller for managing VPNs in a more automated and scalable fashion.

However, although they can effectively manage VPN controllers and optimise paths from branch offices for network performance, SD-WANs still fall short of today’s needs.  They do not provide end-to-end security that modern applications and users require, nor can they enable the dynamic installation of an on-demand network to manage applications or connect and manage IoT devices, or support similar services across any cloud or distributed environment. SD-WANs are quite simply too limited in scope.

Better answers have arrived, thanks to application-specific networks, or AppWANs. The AppWAN is a unique private network session established from a client directly, and only, to the IP-PORT-PROTOCOL of the destination service/application. No two clients use the same carrier tunnel even from the same physical location. Each client to application “WAN” is unique.

AppWANs enable DevOps teams to think differently and bring centralised, customised levels of security to any device, any users and most importantly, any application. They deliver a fabric overlay across many to many application connections, while utilising multi-layered security and standards-based encryption.

They thus help eliminate the expense and structural problem of managing SD-WAN type/ hardware-based VPNs. The AppWAN approach is more flexible, more secure and supports all cloud and IoT applications, based on whatever policies and rules cloud administers choose to configure. Instead of access to the network, AppWANs deliver encryption and Zero Trust security directly to the application via the cloud.

Performance

AppWans also offer a number of performance benefits. AppWANs do not need to corral Internet and application traffic through any hairpin style turns nor single bottleneck (physical traffic concentration point). Instead, AppWANs choose the best-routed path just like the majority of ‘fastest path’ BGP-routed Internet traffic. As a result, delays and high latency are eradicated via direct paths to software resources.

Programmability is also key. AppWANs let application architects create the network inside the applications to give it all of the customised support required before it ever is downloaded by a user. Applications using common APIs are DevOps friendly and give far greater benefits to Enterprise IT than VPNs could ever achieve.

• Image Credits: kjpargeter – www.freepik.com