Chris ScheelsMarch 27, 2020
EXPOSED: Poor VPN Performance Handcuffs Remote Workforce
There's a Better Approach to Remote Access
With the outbreak of COVID-19, a growing number of organizations have deployed work-from-home strategies. But a mass remote workforce presents a problem: The VPNs being used to access network systems simply can’t scale to meet the demand.
With the outbreak of COVID-19 in fever pitch, a growing number of organizations have told their employees to “shelter in place,” and have deployed ad hoc work-from-home strategies. This helps protect employees and stem the spread of the virus. But a mass remote workforce presents a fundamental problem: The VPNs being used to access an organization’s network systems simply can’t scale to meet the new demand.
Businesses have been using VPNs to allow their workers to connect to internal systems for decades. While this provides some measure of security (it’s better than nothing), they are neither designed for today’s security threats, nor were they intended to handle the large-scale remote traffic that comes with a mass work-from-home program and today’s bandwidth-hungry applications.
In the rush to get an entire employee base connected remotely in the face of the Coronavirus, many firms are finding this out the hard way. With hundreds or even thousands of people trying to connect to a network at the same time using VPNs, security and functionality flaws inherent to the dated technology are being exposed.
On March 13, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert stating: “As organizations use VPNs for telework (work from home initiatives), more vulnerabilities are being found and targeted by malicious cyber actors.”
For organizations still using them, VPNs are not reliable in terms of network security – and since they were never designed to handle a high volume of connection requests – VPNs are likely to face functionality issues.
There is ample evidence that users have been experiencing tremendous difficulty not only connecting to VPNs, but also keeping those connections from dropping off. Even if remote workers get the VPN to do those two things, then the connection tends to be extremely slow, resulting in a loss of productivity.
For IT administrators, this results in a giant influx of Support tickets for a sizeable workforce that’s unable to do their jobs.
Despite the worldwide health emergency that shows little sign of slowing down, the pace of business needs to continue. Work-from-home initiatives need to function if organizations are to remain productive and successful.
If the principal remote access technology behind your work-from-home initiative is built around an archaic, 23-year-old open port, low throughput, dated-technology VPN, then you should consider the following:
1. The only way VPNs scale is with more infrastructure. The legacy technology was designed to handle only a small percentage of remote workers. The backend infrastructure (firewalls or VPN concentrators) that allow users to connect, are costly and built with little-to-no concept of scalability in mind. So when organizations deploy an emergency mass work-from-home initiative, upwards of 80, 90 or even 100 percent of all employees will be working remotely. The only way VPNs can handle the extra capacity is with the introduction of more hardware.
2. VPN connectivity is temperamental. Most VPNs require the user to connect and authenticate directly to a shared VPN ingress point. When faced with high utilization, it is very hard to establish new connections. If the VPN is overwhelmed, they can seize up and crash, as if it were facing a Distributed Denial of Service (DDoS) attack.
3. Maintaining a VPN connection is not easy. VPNs usually require the connection to be stable – without it the TCP session is lost, and the connection is severed. Users are then required to reconnect and re-authenticate. With regional internet providers dealing with massive increases in traffic – with family members streaming videos to pass the day – this stable connection is further exacerbated.
4. Brutally slow connections. Most VPN appliances have internal scaling limitations because of their centralized architecture and limits on the number of appliances that can be clustered. So when there is a drastic increase in usage with the recent large work-from-home initiatives, even if remote users can successfully make and maintain a connection, that connection is likely to be extremely slow.
Fortunately, there is a better way of allowing a remote workforce to securely connect to an organization’s network at scale, and that avoids VPNs altogether.
The Software-Defined Perimeter (SDP) from Appgate is a security framework designed to micro-segment network and application access. Appgate’s SDP dynamically creates secure one-to-one connections to multiple locations simultaneously between the user and the resources they are authorized to access.
What enables Appgate SDP to scale and perform so much better than VPNs?
- It separates the control channel from the data channel to reduce load
- It doesn’t have one centralized firewall engine, it runs thousands of individual micro-firewalls
- It can dynamically scale linearly to handle very large numbers of concurrent users
- It was designed from the ground up to be massively decentralized
Appgate’s SDP also ensures that endpoints attempting to access a resource are first authenticated and authorized – and it does this at scale. Only the resources the user needs is made available to them; all unauthorized network resources are made inaccessible.
This not only applies the principle of least privilege to the network, it also dramatically reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.