Understanding Virtual Private Networks [and why VPNs are important to SD-WAN]
Internet-based virtual private networks rose to popularity in the 1990s by providing cost-effective connections securely across an insecure internet, and along the way VPNs have provided the impetus for today’s SD-WAN technology.
A virtual private network (VPN) is a secure network created over a less secure transport, such as the internet.
VPNs are used to connect two or more nodes in a network and are most commonly used to connect individual users’ machines to sites or to connect sites to sites. It’s possible to connect users to each other, but the use case for that is very limited so such deployments are rare.
A possible use case is to connect things to a network, and while this is uncommon today, there will likely be an uptick in device-to-network VPNs as the Internet of Things (IoT) grows.
Remote access VPNs
Remote-access VPNs are the most common type and allow users to access company resources even when they are not directly connected to the corporate network. Remote access VPNs are typically temporary connections and are shut off when users have completed whatever task they were working on.
To ensure privacy, a secure tunnel is established between the user’s endpoint, such as a laptop, mobile device or home computer, and the corporate network. Establishing the tunnel calls for some form of authentication: passwords, tokens or biometric identification.
Sometimes usernames and passwords are embedded in VPN software located on the user’s endpoint to make connecting easy for the user, but there’s always some form of authentication.
Benefits of remote-access VPNs
The upside of using remote-access VPNs is that workers can connect to any company resource regardless of where they are and without a dedicated physical circuit.
This reduces costs but also enables connectivity where it wasn’t possible before.
Remote-access VPN example
A partner at a law firm may wish to access client files stored on a shared server remotely. It’s possible the company could connect the partner’s home to the company network using a dedicated private line but that could be very expensive.
In this case, a VPN would be an excellent alternative as it enables the lawyer to connect virtually over his home internet service.
If the partner is travelling to a conference in a different city, there would be no feasible way to connect the attorney over a private connection, so a VPN over a temporary internet service would enable reaching the shared server, making it a critical business tool for the law firm.
Remote-access VPN challenges
The downside of remote access via VPN is that performance can vary greatly depending on a number of factors. These include the internet service being used, the encryption method and the endpoint the user is connecting from.
For example, a worker connecting via fiber to the home is likely to have significantly better performance than when establishing a VPN session from a hotel over shared Wi-Fi.
Unfortunately for workers, little can be done to improve performance as these issues are often well beyond the control of the company’s IT department.
Any corporate service can be accessed via a remote-access VPN, and most will run just fine, but applications that consume large amounts of bandwidth, such as video, or that have low-latency requirements, like voice over IP (VoIP), may perform very erratically.
IPSec vs. SSL VPNs
Remote-access VPNs most commonly use IPSec or Secure Sockets Layer (SSL) to securely tunnel users to company networks, with one significant distinction between the two. IPSec VPNs allow workers to access all company resources as if they were in the office, so all shared drives, applications and other assets are visible.
SSL VPNs typically provide connectivity to a single application, rather than the entire internal network. SSL VPNs have become increasingly popular because the SSL protocol requires fewer compute resources and gives IT more control over what remote users can or cannot see. Limiting access to a specific set of applications can protect the organization in the event the user’s device is breached.
SSL VPNs and IoT
The internet of things consists of a broad range of devices, many of them sensors that are used in corporate networks, from monitoring and controlling building systems to gathering data about machines in manufacturing plants.
A common demand is that these devices be able to communicate with the company network, and SSL VPNs would be an ideal way to do that. They could be configured to restrict access to everything except the services the IoT device needs to perform its functions.
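The distinction drawn above, full network reachability for an IPSec-style profile versus a default-deny allow-list for an SSL-style profile restricted to the services an IoT device needs, can be expressed as a small access-policy evaluator. This is an added example written for this page, not code from the original article or from any VPN product; the addresses, ports and service names are constructed, and real VPN gateways express the same idea in their own ACL or policy syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: models the two VPN access styles described in the text.
# An IPsec-style profile grants the remote endpoint the whole internal network;
# an SSL-VPN-style profile for an IoT sensor is a default-deny allow-list of the
# specific services the device needs. All addresses and ports are made up.

@dataclass(frozen=True)
class Rule:
    dst_net: ipaddress.IPv4Network  # destination network the rule applies to
    proto: str                      # "tcp", "udp" or "any"
    dst_port: Optional[int]         # None matches any port
    action: str                     # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    dst_ip: str
    proto: str
    dst_port: int

def make_rule(cidr: str, proto: str = "any", port: Optional[int] = None,
              action: str = "allow") -> Rule:
    return Rule(ipaddress.ip_network(cidr), proto, port, action)

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit final deny (least privilege)."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for r in rules:
        if dst not in r.dst_net:
            continue
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        return r.action
    return "deny"  # nothing matched: the device gets nothing it was not granted

# IPsec-style remote-access profile: the whole (constructed) corporate range.
IPSEC_FULL_ACCESS = [make_rule("10.0.0.0/8")]

# SSL-VPN-style profile for a building sensor: only its telemetry collector
# (MQTT over TLS) and a time server; everything else falls through to deny.
IOT_SENSOR_PROFILE = [
    make_rule("10.20.5.10/32", "tcp", 8883),   # telemetry collector (constructed)
    make_rule("10.20.5.11/32", "udp", 123),    # NTP server (constructed)
]

# Constructed sample flows a compromised or misconfigured device might attempt.
FLOWS = {
    "telemetry": Flow("10.20.5.10", "tcp", 8883),
    "ntp": Flow("10.20.5.11", "udp", 123),
    "file_server_smb": Flow("10.30.1.20", "tcp", 445),
    "collector_ssh": Flow("10.20.5.10", "tcp", 22),
}

def decisions(profile: List[Rule]) -> dict:
    """Map each sample flow name to the profile's allow/deny decision."""
    return {name: evaluate(profile, f) for name, f in FLOWS.items()}

if __name__ == "__main__":
    for label, prof in (("IPsec full access", IPSEC_FULL_ACCESS),
                        ("SSL VPN IoT profile", IOT_SENSOR_PROFILE)):
        print(label, decisions(prof))
```

Under the full-access profile every sample flow is allowed, including SMB to a file server the sensor has no business reaching; under the allow-list profile only the telemetry and NTP flows succeed, which is the containment benefit the text attributes to SSL VPNs when a device is breached.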
Diminishing need for remote-access VPNs
As software as a service (SaaS) grows increasingly popular, the requirement for IT to provide remote-access VPNs diminishes. Applications and data are moving from company data centers to the cloud, and users can access the services directly. Having to connect to the company network via VPN and then traverse it to reach those services can degrade the experience.
Site-to-site VPNs
Site-to-site VPNs connect locations, typically branch offices, to the company network. With site-to-site VPNs, the connections are established and terminated on a networking device, most commonly a router, firewall or dedicated VPN appliance, but not on end-user devices such as laptops and desktops.
One reason to implement site-to-site VPNs is similar to the reason network professionals implement remote access VPNs: it’s too expensive or impractical to connect the site with a dedicated leased line.
Site-to-site VPN example
Consider a US-based consulting firm that decides to open a remote office in Japan with three people in it that need to access a shared file server, e-mail and other company resources. In this case, the network demands aren’t overly high, so a dedicated connection does not make sense.
The company can purchase a local internet connection and create an internet-based VPN that connects the two locations, saving literally thousands of dollars per month.
However, internet-based VPNs are complex to set up and lack agility. Making changes to internet VPNs can be very challenging in medium-to-large networks. Also, because internet connections are being used, application performance can be erratic depending on network congestion and other factors.
Site-to-site MPLS VPNs
Another type of site-to-site VPN is connecting to a carrier-provided MPLS cloud instead of the public internet, offloading establishment of the VPN connections to the provider. The service provider creates virtual connections between sites across its MPLS network.
The primary advantages of this type of VPN are network agility and the ability to mesh the network. In a typical site-to-site network, each branch is connected to the data center, and any branch-to-branch traffic flows through that central hub. With meshing, branches connect to each other directly without going through the hub.
This direct connectivity may be necessary for video conferencing and other bandwidth-intensive and delay-sensitive applications, and MPLS VPNs are ideally suited for this use case.
The negative to MPLS VPNs has always been cost. Private IP services, like MPLS, are very expensive, particularly for international connections.
VPNs and SD-WANs
SD-WANs have been red hot of late with network professionals because they provide the cost benefits of internet-based VPNs with the performance and agility of MPLS VPNs.
With an SD-WAN, organizations can replace at least some of their high-price MPLS circuits with more economical internet connections and use the optimization and multi-path capabilities of an SD-WAN to ensure performance stays high enough for each workload.
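The per-workload path selection the paragraph above describes, keeping MPLS for traffic that needs it and steering the rest onto cheaper internet links while they meet the application's requirements, is shown below as an added example written for this page. It is not code from the article or from any SD-WAN vendor; the link measurements, application thresholds and relative costs are constructed, and real products measure these continuously and offer far richer policy.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example: choose the cheapest WAN link that still satisfies each
# application class's requirements, re-evaluated as link measurements change.

@dataclass
class Link:
    name: str
    latency_ms: float   # measured one-way latency (constructed)
    jitter_ms: float
    loss_pct: float
    cost_per_gb: float  # relative cost, lower is cheaper (constructed)

@dataclass
class Requirement:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

# What each application class tolerates (constructed thresholds).
REQUIREMENTS: Dict[str, Requirement] = {
    "voip": Requirement(max_latency_ms=60, max_jitter_ms=10, max_loss_pct=0.5),
    "video_conf": Requirement(max_latency_ms=100, max_jitter_ms=20, max_loss_pct=1.0),
    "file_transfer": Requirement(max_latency_ms=400, max_jitter_ms=100, max_loss_pct=3.0),
}

def meets(link: Link, req: Requirement) -> bool:
    """True when the link's current measurements satisfy the requirement."""
    return (link.latency_ms <= req.max_latency_ms
            and link.jitter_ms <= req.max_jitter_ms
            and link.loss_pct <= req.max_loss_pct)

def select_path(app: str, links: List[Link]) -> Optional[str]:
    """Cheapest link that meets the SLA; None if no link does (brownout)."""
    req = REQUIREMENTS[app]
    candidates = [l for l in links if meets(l, req)]
    if not candidates:
        return None
    return min(candidates, key=lambda l: l.cost_per_gb).name

def plan(links: List[Link]) -> Dict[str, Optional[str]]:
    """Path choice for every application class given current measurements."""
    return {app: select_path(app, links) for app in REQUIREMENTS}

# Constructed measurements for a branch with three uplinks under normal load.
LINKS_NORMAL = [
    Link("mpls", latency_ms=25, jitter_ms=2, loss_pct=0.0, cost_per_gb=10.0),
    Link("broadband", latency_ms=40, jitter_ms=8, loss_pct=0.2, cost_per_gb=1.0),
    Link("lte", latency_ms=90, jitter_ms=25, loss_pct=1.5, cost_per_gb=4.0),
]

# The same branch while the broadband link is congested: latency and loss spike,
# so real-time traffic should move back to MPLS while bulk transfer stays cheap.
LINKS_CONGESTED = [
    Link("mpls", latency_ms=25, jitter_ms=2, loss_pct=0.0, cost_per_gb=10.0),
    Link("broadband", latency_ms=180, jitter_ms=45, loss_pct=2.5, cost_per_gb=1.0),
    Link("lte", latency_ms=90, jitter_ms=25, loss_pct=1.5, cost_per_gb=4.0),
]

if __name__ == "__main__":
    print("normal:   ", plan(LINKS_NORMAL))
    print("congested:", plan(LINKS_CONGESTED))
```

With healthy measurements everything rides the cheap broadband link; once that link degrades, voice and video fail its thresholds and fall back to MPLS, while file transfer, which tolerates the degradation, stays on broadband. That is the cost-versus-performance trade the text describes, made per workload rather than per circuit.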
Also, because the control element of an SD-WAN has been decoupled from the underlying infrastructure, the network can be configured through a centralized portal. Making changes to an SD-WAN can often be done with just a few mouse clicks.
VPN technology has been around for decades and SD-WAN should be thought of as the next major evolutionary step for the technology.