The demise of excess access: A eulogy for traditional VPN

Once upon a time, in a world where mobile meant “laptop” or “remote home PC”, Corporate network connectivity came in two flavours: dial-up modem, with it’s clunky protocols and achingly slow speeds, and 2)Corporate VPN client over the internet.

Internet VPN seemed like a godsend in comparison to dial-up. Basically its purpose was to provide a secure network connection between your remote PC/Laptop (the entire device) and your corporate network. Whether old-school IPSec or the more recent SSL encapulation, the transport was secured. Username/password, and optionally a One Time password or Security Token would be used to provide Two Factor Authentication (2fa).

It seems secure, right?  I mean, authentication and transport security are covered, what else is there?

Dynamic Access Policies were then created to define a set of rules, similar to firewall rules, that describe what applications (port/protocol) on the remote users PC could talk to what servers/services in the data centre.

In general, this worked fine if there were less than a hundred employees in the company, you had no third party users, no application was ever upgraded, and nobody changed roles.

In practice, policies are defined loosely to allow for convenience rather than security. Realistically, large numbers of PCs have unfettered access to the corporate network, as if they were sitting at their desk (I’ll get into that issue in a future blog).

Well then we started worrying about viruses, worms, trojans …  basically malware residing on the remote PC. What stops them from propagating into the corporate network? How do we know the end user has applied all the appropriate patches, and is running the most current anti-malware (and that its signatures are up to date)?
Network Access Control was added to the VPN client to assess the endpoint (laptop or PC) and determine its “security posture” based on patch status and running anti-malware applications.

But this wasn’t enough to satisfy the audit or risk departments, so you had to install intrusion prevention appliances and network anti-malware inside the network to remediate anything that was missed on the endpoint, and, we still have all those remote endpoints, with pretty much open access to our entire corporate network…

As a result of the explosion of tablets and smart phones, alternate solutions arose for many of the very services we require daily as part of our VPN dependency.  An entire industry arose to service “Bring Your Own Device”. Tablets and smart phones are managed through various means, but typically now applications running on those devices are segregated or “sandboxed” from one another to reduce the risk of eavesdropping and data capture.

Today, there is absolutely no reason to use VPN for your corporate email service. All enterprise grade email clients utilize strong local authentication, integrate with industry standard single sign on, and use strong transport encryption.  Whether you are an Exchange/Outlook or Domino/Notes user, for this use case, VPN is merely a hindrance to productivity, and a complexity that costs your company both in capex and opex.

Similarly, there is absolutely no reason to use VPN for your corporate VOIP or Instant messaging.  These services also integrate cleanly into enterprise single sign on, and provide for secured, encrypted transport.

If you need, and I stress need, a corporate desktop, there are many highly secure non-VPN solutions available, such as Microsoft’s Remote Desktop Gateway,  Citrix Access Gateway, or VDI via VMWare’s Horizon View.   Some Legacy applications may still require this model for a few years to come.

Are you using cloud services through VPN? If you are using VPN to get to your corporate cloud applications like SalesForce, SAP, Concur,ServiceNow, Microsoft Office 365, or Taleo, you are simply adding an extra network loop to an already secured connection. These services already use Enterprise Single Sign On, and provide for secured, encrypted transport.

Containerization technologies like Bromium will transform application development for the laptop environment, and allow laptops to join the realm of managed devices in a mobile device strategy.  Soon your enterprise mobile application management suite will package and manage apps for Windows and OSX as well as iOS, Blackberry and Android.

Write Once, Run Anywhere has been a mantra used by vendors such as Oracle for well over a decade.  It is finally approaching a maturity level that will see it in action everywhere.  Most large applications today are being developed using frameworks that abstract the presentation layer, and allow the designers to write various “front ends” specific to the device, while the rest of the application is identical across platforms.

So aren’t you just replacing one remote access solution with several niche appliances?

In a quick answer, sort of. Service specific appliances, such as SIP gateways provide a much more robust and secure means on managing this specific traffic, and many companies already have them in place for internal branch to branch connectivity.

I’m not suggesting that the future of remote connectivity is free and unfettered access to your corporate network.  Quite the opposite in fact.  I’m suggesting that two-thirds of what employees access today via traditional VPN, already has  better and more secure means of connectivity through their native infrastructure, and that the remaining one third is on track to be replaced with  technologies that will allow the remote applications to be secured on any device from phone to tablet to laptop.

In today’s world of high profile data breaches, zero day attacks, and  significant operating system vulnerabilities, we cannot allow the excess access that traditional VPN affords.

References:

WindowsSecurity.com: Death of VPN

VPN Clients are Dead in the Cloud

The Evolution …. and Death of the VPN

The Death of the VPN

 

Microsoft Technet: Overview of Remote Desktop Gateway

App Wrapping is A Form of Containerization

Forrester: Containerization Vs. App Wrapping – The Tale Of The Tape

 

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada
Michael Ball
Michael Ballhttp://security-musings.blogspot.ca/
Over 25 years in IT, from hardware engineer through software developer and Network Administrator. From Security Architect to CISO at a prominent Canadian Insurance Company. I've managed very large teams, I've managed very small teams.. I've stood alone. But year after year, there's always been something great around the corner to keep me on my game. Specialties: Identity and Access Management Infrastructure and processes, Risk Management, Network Security Architecture.

Featured Download

IT World Canada in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Latest Blogs

Senior Contributor Spotlight