The COVID-19 outbreak caught many organizations by surprise. In a matter of weeks, companies went from “business as usual” to, with a few “essential” exceptions, being forced to either close or allow telework in order to slow the spread of the pandemic. While some organizations had a telework policy in place, this was not true for all of them. Supporting a mostly or wholly remote workforce required these organizations to provide employees with the ability to connect securely to the corporate network from their residences.
In many cases, organizations addressed this need by deploying virtual private networks (VPNs). However, encrypting and decrypting VPN traffic at the aggregator is computationally expensive. The need to scale operations to support thousands of remote employees means that many businesses should give serious consideration to VPN alternatives.
Impacts Of The COVID-19 Outbreak
Being forced to transition large numbers of employees to remote work changed how these organizations performed daily operations. One of these changes was a shift from in-person meetings to online collaboration platforms, such as Zoom, Microsoft Teams, WebEx, and GoToMeeting. While many organizations adapted rapidly to this need for online collaboration, it placed significant strain on the video conferencing platforms and, especially in the case of Zoom, resulted in security and privacy concerns.
The other major impact of the shift to a remote workforce was additional strain on an organization’s existing VPN capabilities. In the past, inbound VPN connections to an organization’s network would have been largely non-existent (if no work-from-home policy was in place) or would have been used by at most about 20% of the workforce at any one time. During the COVID-19 pandemic, 80% or more of the organization’s workforce could be expected to be using the VPN at any time during business hours.
Limitations Of VPN Scalability
This sudden increase in VPN usage creates significant challenges for the organization’s infrastructure on the corporate network. By design, a VPN is a point-to-point connection. The purpose of the VPN software on the client and server devices is to create an encrypted tunnel that carries the traffic between the two endpoints. This ensures the confidentiality of the information in transit and provides the user with the same experience as if they were directly connected to the corporate network.
The problem with this point-to-point model is that it does not scale well. Each new user connected to the corporate network via a VPN requires their own VPN connection. This is one more tunnel that the organization’s VPN aggregator must maintain, decrypting the traffic that arrives from that client and encrypting the traffic returned to it.
However, the additional workload associated with an increase in VPN connections is not limited to the VPN aggregator on the enterprise network. Under normal operations, when employees are directly connected to the enterprise network, a high percentage of traffic is internal to the corporate network.
This includes accessing network file shares, databases, etc. All of this traffic that is internal to the network never passes through the network perimeter and is not scanned by the perimeter firewall.
The same is not true when that traffic is routed over a VPN. All of an employee’s business traffic, whether intended for internal systems, cloud deployments, or the public Internet, is routed over their VPN connection. This means that the VPN aggregator must process all of this traffic and that the network firewall should inspect it for potentially malicious content. As a result, the load on an organization’s perimeter defenses is much higher.
SD-WAN As A VPN Alternative
VPN connectivity does not scale to meet organizations’ need to provide secure connectivity between remote workers and the enterprise network. Software-defined wide area networking (SD-WAN) provides a more scalable alternative to VPNs, enabling organizations to implement effective business continuity plans in the face of unforeseen circumstances, such as the COVID-19 outbreak.
SD-WAN moves security to the network edge by deploying SD-WAN appliances there with integrated security features such as next-generation firewalls (NGFWs) and secure web gateways (SWGs). Users connect directly to these appliances, which perform security scanning and optimized routing.
This reduces load on the corporate infrastructure by routing Internet-bound traffic directly to its destination, rather than sending it to the corporate network for inspection. As business use of cloud-based services increases, this dramatically decreases load on an organization’s perimeter defenses.
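As an added example (not code from the original article), a small Python capacity model of the argument made in the VPN section and here: under a full-tunnel VPN, all of a remote user's traffic crosses the aggregator and the perimeter firewall, whereas under an edge-inspection model only traffic bound for internal systems reaches the corporate network. The 1,000-user headcount and per-user throughput figures are constructed inputs, and the SD-WAN branch assumes the PoP forwards cloud- and Internet-bound traffic directly after inspection.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficMix:
    """Average per-user throughput in Mbps, split by destination (constructed inputs)."""
    internal_mbps: float   # file shares, databases, other on-premises systems
    cloud_mbps: float      # SaaS / IaaS services
    internet_mbps: float   # general public-Internet traffic


@dataclass(frozen=True)
class Load:
    aggregator_mbps: float  # traffic the corporate VPN aggregator must decrypt/encrypt
    perimeter_mbps: float   # traffic the corporate perimeter firewall must inspect
    tunnels: int            # concurrent point-to-point tunnels the aggregator maintains


def remote_users(users: int, remote_fraction: float) -> int:
    if not 0.0 <= remote_fraction <= 1.0:
        raise ValueError("remote_fraction must be between 0 and 1")
    return round(users * remote_fraction)


def full_tunnel_vpn_load(users: int, remote_fraction: float, mix: TrafficMix) -> Load:
    """Full-tunnel VPN: every remote user's traffic, whatever its destination,
    is carried over that user's tunnel and inspected at the corporate perimeter."""
    remote = remote_users(users, remote_fraction)
    per_user = mix.internal_mbps + mix.cloud_mbps + mix.internet_mbps
    return Load(remote * per_user, remote * per_user, remote)


def sdwan_edge_load(users: int, remote_fraction: float, mix: TrafficMix) -> Load:
    """Assumed edge-inspection model: the SD-WAN PoP inspects all traffic and forwards
    cloud- and Internet-bound flows directly, so only internal-bound traffic reaches
    the corporate network and no per-user tunnel terminates on the aggregator."""
    remote = remote_users(users, remote_fraction)
    return Load(0.0, remote * mix.internal_mbps, 0)


def perimeter_growth(users: int, mix: TrafficMix, before: float = 0.2, after: float = 0.8) -> float:
    """Factor by which perimeter load grows when the remote share of the workforce
    rises from `before` to `after` under a full-tunnel VPN."""
    return (full_tunnel_vpn_load(users, after, mix).perimeter_mbps
            / full_tunnel_vpn_load(users, before, mix).perimeter_mbps)


if __name__ == "__main__":
    mix = TrafficMix(internal_mbps=2.0, cloud_mbps=1.0, internet_mbps=1.0)  # constructed
    for share in (0.2, 0.8):
        print(f"{int(share * 100)}% remote: VPN    {full_tunnel_vpn_load(1000, share, mix)}")
        print(f"{int(share * 100)}% remote: SD-WAN {sdwan_edge_load(1000, share, mix)}")
    print("perimeter load growth, 20% -> 80% remote:", perimeter_growth(1000, mix))
```

Swap in measured per-user throughput and the actual rated capacity of the aggregator and firewall to turn the model into a sizing check for a given remote share.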
Deploying SD-WAN appliances in the cloud provides additional benefits for network performance and scalability. While physical SD-WAN appliances may be limited to an organization’s geographic footprint, cloud-based SD-WAN can leverage the existing geographic distribution of cloud services.
This distribution can decrease network latency for SD-WAN users by allowing them to connect directly to a nearby SD-WAN point of presence (PoP). After inspection, their traffic can be routed over dedicated, Tier-1 links to its destination. In the case of cloud-bound traffic, this dramatically decreases latency since traffic no longer needs to be routed through the corporate network for inspection before being forwarded to its destination.
Achieving Secure, Scalable Connectivity With SD-WAN
Incidents like the COVID-19 pandemic underscore the importance of a business continuity plan that addresses the possibility of supporting a mostly or wholly remote workforce. As many organizations have discovered, VPN does not scale well to this problem. SD-WAN provides a secure and much more scalable alternative to the corporate VPN for teleworkers.