Eyal Webber Zvik, Cato Networks
09.01.2023
image 4 Min read

Secure remote access is a common need for the modern enterprise. While employees almost exclusively worked from the office in the past, this has changed in recent years. The pandemic and the globalization of the workforce means that organizations may have users connecting and working from all over the world, and these remote users need secure remote access to corporate networks and other resources.

Historically, virtual private networks (VPNs) were the only available solution, and this familiarity has driven many organizations to expand their existing VPN infrastructure as the need for secure remote access has grown. However, VPNs are network solutions that were designed for corporate networks and security models that no longer exist, and cannot provide secure, high-performance network access to a workforce that requires a more modern remote access solution.

Let’s take a closer look at how remote access VPNs fall short:

1. Lack of built-in security/access management

VPNs are designed to provide secure remote access to corporate networks or IT resources. This includes creating an encrypted tunnel between two endpoints — such as a remote employee’s computer and a VPN server on the corporate network — for business traffic to travel over.

While VPNs can protect against eavesdroppers, that’s about all that they can do. They include no built-in access management or security controls beyond requiring a username and password at logon. Protecting the corporate network against any threats that come over the VPN connection — such as those from an infected computer or a compromised user account — or implementing a zero-trust security policy requires additional security solutions deployed behind the VPN endpoint.

2. Geographic constraints

VPNs are designed to connect two points with an encrypted tunnel that network traffic can flow over. Securing corporate network traffic along its entire route requires VPN connections along each leg of that route. Corporate IT environments are becoming more distributed with the growth of cloud computing, remote sites, Internet of Things (IoT) devices, and business use of mobile devices. Securing access to all of the corporate WAN often creates tradeoffs between network performance and security.

VPNs’ lack of built-in security means that security solutions must be deployed behind each VPN server, making it more difficult to directly link every potential traffic source and destination. Instead, many organizations backhaul traffic to the headquarters network for inspection, degrading performance and increasing latency.

3. Inefficient routing

The point-to-point nature of VPN connections means that a VPN connection can only provide secure access to a single location. For example, a user may be able to connect directly and securely to the corporate WAN.

However, corporate networks are increasingly distributed with infrastructure in on-prem data centers and scattered across multi-cloud environments. As a result, VPNs either force users to have VPNs configured for multiple different locations or to accept inefficient network routing that passes through a single VPN terminus en route to their intended destination.

4. Excessive trust in endpoint security

The goal of a VPN is to protect remote users’ network traffic from being intercepted or eavesdropped upon en route to its destination. VPNs don’t inspect the traffic that they carry or perform any access control beyond basic user authentication. As a result, VPNs are overly trusting in the security of the endpoints that they connect.

Some of the threats that VPNs provide no protection against include:

  • Infected Devices: If a remote employee’s device is compromised with malware, the malware can send traffic over the device’s VPN connection as well. This could allow an attacker to bypass security restrictions and gain access to corporate networks.
  • BYOD Devices: The rise of remote work has resulted in increased use of personally owned devices for business purposes. These devices can connect to corporate IT assets via VPNs and may be infected with malware or non-compliant with corporate security policies.
  • Compromised Accounts: VPNs only implement access control in the form of user authentication when setting up a VPN session. If an attacker has compromised a user’s authentication credentials (password, etc.), they can log in as that user and connect to corporate IT assets.

VPNs only secure the connection over which two endpoints are communicating. They’re overly trusting of the endpoints involved in the communication, which can result in malware infections or other threats to corporate assets.

Building Secure Remote Access for the Modern Enterprise

VPNs have significant limitations in terms of their performance, usability, and security. While these issues may have been manageable in the past, rapidly evolving corporate networks make them an increasingly unsuitable solution for secure remote access. Relying on legacy remote access VPNs forces companies to make choices between network performance and security.

Organizations looking to modernize their IT infrastructure to better support remote and hybrid work schedules need to replace their VPNs. Secure Access Service Edge (SASE) provides the capabilities that they need, eliminating the limitations of VPNs and providing numerous additional benefits.

With SASE, companies can move security to the network edge, enabling network optimization without sacrificing security. To learn more about how a cutting-edge SASE solution can enhance an organization’s remote access infrastructure, sign up for a free demo.

Learn More

You’ll Need Zero Trust, But You Won’t Get It with a VPN
SD-WAN and SASE
Eyal Webber Zvik, Cato Networks 12.01.23

Properly implemented, a zero trust architecture provides much more granular and effective security than legacy security models. However, this is only true if a zero trust initiative is supported with the right tools. Legacy solutions, such as virtual private networks (VPNs), lack the capabilities necessary to implement a zero trust security strategy. Zero Trust Security is […]

Read more
SASE vs. SD-WAN: A Quick Guide
SD-WAN and SASE
Miguel Fersen, Iberia & LATAM Regional Manager @ GlobalDots 09.05.22

New technologies have a wicked tendency to pile up. With cloud solution categories now emerging on a weekly basis, the result of bringing them into your estate is usually more complexity and confusion. But sometimes, a single new technology allows us to rid a bunch of old ones in a snap. SASE pretends to be […]

Read more
slider item
SD-WAN and SASE
Gershon Tchemakin, Solutions Engineer @ GlobalDots 08.11.21

Pronounced ‘sassy’, SASE (Secure Access Service Edge), is a terminology first proposed by Gartner. While there are many definitions of SASE, it can be simply said to be a network architecture that combines the capabilities of SD-WAN with network security functions and delivers it as a service delivered via the cloud. What is SASE used […]

Read more
Unlock Your Cloud Potential
Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.
Book a Demo