Behind the buzzword – Episode 1: “is the VPN dead?”

Over recent months I have often heard people talking about the VPN. Some view it as being on its deathbed; for others it is ready for retirement; it is rarely presented as a technology of the future. Its hour of glory seems to have come and gone, supplanted by new buzzwords such as “ZTN” and “SASE”. But is the VPN really dead?

First, let’s reacquaint ourselves with the facts. The term “VPN” covers a plethora of variants: extended LAN, point-to-point, mobile, etc. Even the security level varies from… nothing (no encryption and no authentication, as with a bare GRE tunnel, whose inner packets anyone on the path can read or rewrite) through to almost everything (for example IPSec with ESP, which gives confidentiality, integrity and peer authentication). This post focuses on the IPSec flavour of VPN because of its central importance in many companies and organisations today. So the first question can be reformulated as follows: “Is IPSec VPN dead as a means of giving roaming users access to corporate networks, or of providing inter-company connections?” By extension, and because it is used in the same way, the question also covers the SSL/TLS VPN in tunnel mode, which resembles IPSec VPN in many respects.
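To make the “nothing… through to almost everything” contrast concrete, here is an added example (not code from the original article): a minimal dissector that shows what a passive observer on the path can read from a GRE-encapsulated packet versus an ESP-encapsulated one. The two sample packets, the addresses and the SPI are constructed for the example, and random bytes stand in for the ESP ciphertext; only the Python standard library is used.

```python
"""Added example, not part of the original article: a minimal dissector that
shows what a passive observer on the path can read from two kinds of tunnel
packet, a GRE tunnel (IP protocol 47: no authentication, no encryption) and an
IPsec ESP tunnel (IP protocol 50).  All packets below are constructed for the
example; only the Python standard library is used."""
import os
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47
IPPROTO_ESP = 50
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header. The checksum is left at zero because these
    packets are never handed to a real network stack."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, src_b, dst_b)


def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    return src, dst, buf[9], buf[ihl:]


def gre_encap(inner_packet):
    """GRE header (RFC 2784) with no optional fields: flags/version = 0,
    protocol type = IPv4, then the inner packet verbatim."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner_packet


def esp_encap(spi, seq, ciphertext):
    """ESP (RFC 4303): SPI and sequence number in clear, then the encrypted
    payload, which in tunnel mode hides the whole inner packet, the padding
    and the next-header byte, followed by the integrity check value."""
    return struct.pack("!II", spi, seq) + ciphertext


def observe(packet):
    """Everything an on-path observer can learn from one tunnelled packet."""
    o_src, o_dst, proto, payload = parse_ipv4(packet)
    view = {"outer_src": o_src, "outer_dst": o_dst}
    if proto == IPPROTO_GRE:
        _flags, ptype = struct.unpack("!HH", payload[:4])
        view["tunnel"] = "GRE"
        if ptype == ETHERTYPE_IPV4:
            # Nothing is protected: inner addresses, protocol and application
            # data are all readable (and could be rewritten in flight).
            i_src, i_dst, i_proto, i_payload = parse_ipv4(payload[4:])
            view.update(inner_src=i_src, inner_dst=i_dst,
                        inner_proto=i_proto, inner_payload=i_payload)
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        view["tunnel"] = "ESP"
        # Only the SPI and sequence number are visible; beyond that the
        # observer learns the ciphertext length and nothing else.
        view.update(spi=spi, seq=seq, opaque_len=len(payload) - 8)
    return view


def sample_packets():
    """Constructed sample: the same inner packet, carrying a cleartext
    application request, sent between the same two gateways once over GRE
    and once over ESP."""
    request = b"GET /secret\n"
    inner = ipv4_header("10.1.0.5", "10.2.0.7", IPPROTO_TCP, len(request)) + request
    gre = ipv4_header("203.0.113.1", "198.51.100.1", IPPROTO_GRE,
                      4 + len(inner)) + gre_encap(inner)
    # Stand-in ciphertext: a real sender would encrypt `inner` plus padding
    # with the negotiated cipher (e.g. AES-GCM) and append a 16-byte ICV.
    # Random bytes of that length model what the observer sees.
    ciphertext = os.urandom(len(inner) + 16)
    esp = ipv4_header("203.0.113.1", "198.51.100.1", IPPROTO_ESP,
                      8 + len(ciphertext)) + esp_encap(0x00C0FFEE, 1, ciphertext)
    return gre, esp


if __name__ == "__main__":
    for pkt in sample_packets():
        print(observe(pkt))
```

Run it and the GRE view hands back the inner addresses and the literal request string, while the ESP view yields only the SPI, the sequence number and a byte count. Traffic analysis on that byte count (and on timing) is the residual leak that no tunnel removes.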

Yesterday: Grandpa’s VPN

Before rushing to report the death of IPSec VPN, we should bear in mind that it has been a ubiquitous feature of our IT architectures for at least the past 20 years. It enables remote users to “project” themselves into the company LAN, granting them access to business applications, the intranet and the administration of IT resources in a way that is, in principle, secure.


Fig.1: a layman’s theoretical diagram of a VPN

However, it is clear that today’s architectures no longer really look like this. Why not? Because of the de-perimeterisation of the information system, the growth in mobile computing and the geographical explosion of applications. These applications can now be accessed via AWS, Azure, a private Cloud or directly from software vendors such as Microsoft and Salesforce. Everywhere, in fact… except on the LAN, it seems.

This means that employees who are now working remotely (“The impact of COVID-19 on the fragmentation of corporate security” is a forthcoming topic that I don’t propose to cover here) have access to the company’s applications without needing to go via the LAN. This brings us back to the basic requirement of IT: to enable users to access their applications… ideally in complete security.

In diagram form, that now gives us something like this:


Fig.2: theoretical diagram of a modern infrastructure

A diagram in which the traditional use of the VPN – to convey user flows to the company’s LAN – finds itself at a disadvantage.

This paves the way for the concept of the “Zero Trust Network” (ZTN), which promises an effective answer to the developments described above: trust no user or device simply because it sits on the internal network, and identify, authenticate and authorise both the device and the user on every access to applications and data.

This brings us back to IPSec VPN’s detractors. “So what’s the use of this IPSec?” And they certainly seem to have a point, especially since IPSec does not deliver all of the security properties now expected of it. It ensures the confidentiality and integrity of data in transit and mutually authenticates the two endpoints (and, with IKE extensions such as EAP, the user), but at no point does the protocol guarantee that a machine is “clean”: where a posture check exists, it is a feature bolted on by the VPN product, not something the tunnel provides. Nor does it perform identity and access management in any general sense: once the tunnel is up, what a user may reach is decided by IP-level traffic selectors and whatever filtering sits behind the gateway, not by who they are or which application they are asking for.

And yet…

Maybe IPSec VPN still has a use?

Let’s take a step back and examine this observation about “all Cloud” and the redundancy of the VPN. Talk of the pointlessness of accessing the LAN via VPN makes sense for digitally mature, tech-savvy companies. However, such companies are rarer than you might think.

And many companies have historically developed business applications that are incompatible with the Cloud. For example, how many still use the AS/400? How many refuse to allow teleworking because of their business activity, or through management dogma? How many manage sensitive data unsuited to migration to SaaS/IaaS? And how many require physical infrastructure for the operation of their plants and research centres, or for their interactions with end customers? In sensitive environments, regulation may require the use of technologies whose implementations have been formally assessed for robustness, and because qualifying an encryption product is expensive, the choice tends to fall on established, already-qualified IPSec implementations. For all these environments, which are not Cloud compatible and can be accessed only via the LAN, IPSec VPN remains the most efficient and secure way of connecting to IT resources. To illustrate this point, a 2020 IDC/Stormshield survey reports that 50% of Western European business data is still “On-Premise”, with an even higher figure of 75% for Eastern Europe, led by Hungary and Poland, which continue to be very resistant to the Cloud. This shows that it isn’t all Cloud out there.

In the same vein, it should be remembered that fully remote working practices have not yet become ingrained in European habits. A McKinsey & Company study shows that a mere 19% of companies are planning to offer more than 3 days’ teleworking per week.

The idea may be catching on, yet employees remain attached to physical presence in the office. This makes the transformation towards “all remote” look less clear-cut, and not something to be implemented by force. IPSec VPN remains a simple, efficient and inexpensive way of connecting employees to their office for a few days a week. The COVID-19 crisis demonstrated this: most companies switched to teleworking by buying laptop PCs for their users and standing up an IPSec tunnel in a hurry. Some statistics show an explosion in the use of VPN technologies in March 2020, with 160% growth in Italy, 58% in Spain and 44% in France.

Lastly, IPSec VPN may still be of use to more expert users as a highly effective way of masking their source address on the Internet. Consider the widespread use of anonymisation platforms such as NordVPN, ExpressVPN and CyberGhost, which offer IKEv2/IPSec alongside other tunnel protocols. Strictly speaking, this buys pseudonymity rather than anonymity: the VPN provider sees both the user’s real address and every destination, so the user is relocating trust rather than removing it. At a time when debates over France’s Security Law rage, it is likely that anonymisation issues will increasingly come to the fore and that VPN technology will be one of a number of responses, not just at individual level but even for international administrations and companies wishing to ensure that all their data flows transit through geographical areas deemed to be safe.

Could IPSec VPN even be a technology of the future?

Predicting the death of the VPN is clearly a risky business. Although it may seem not to address the new issues relating to the “cloudification” of applications, it continues to be very widely used in IT infrastructures. I say “seem” because it would be unwise to be too hasty in burying a very efficient, reliable and secure technology. It is important to make a distinction here between the protocol itself and its implementation in a range of products of sometimes dubious quality (a nod to the widely publicised flaws in VPN gateways from Juniper, Citrix and Zyxel, which were defects in the products, not in the protocol).

Similarly, it makes no sense to claim that ZTN will render the VPN obsolete: it is meaningless to pit a concept against a technology. Looking more closely, we could even go so far as to suggest that the VPN will play a role in the advent of the ZTN. Realistically speaking, the ZTN needs a technology that mutually authenticates the parties and protects data in transit, and IPSec VPN meets exactly that requirement. Ultimately, it even seems possible that the trusted networks of the future will be complex, autonomous networks of applications and clients interconnected via VPNs: a sort of “full mesh” network in which authorisation to establish a communication is delivered by security policy, and the communication itself is carried over IPSec. Concretely, that policy is each node’s security policy database (SPD): which peers it may talk to, on which ports, with everything else discarded by default. Which could look something like this diagram:
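As an added example (not code from the original article), here is a toy of the full-mesh model just described, which also answers the earlier objection that IPSec performs no access management of its own: an application-level policy (which client identity may reach which service) is compiled into each node’s IPsec SPD, so the authorisation decision lives in the policy and the transport in ESP, and any pair not explicitly authorised is discarded. The nodes, identities, addresses and rules are constructed for the example; the rendered commands use the Linux `ip xfrm policy` syntax and are returned as strings, not executed.

```python
"""Added example, not part of the original article: a toy compiler for the
full-mesh model described above. An application-level policy is compiled into
each node's IPsec security policy database (SPD), with a DISCARD catch-all so
the default is deny. Nodes, identities, addresses and rules are constructed
for the example; the `ip xfrm policy add` lines are rendered, not run."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    ident: str   # identity proven during IKE (e.g. certificate subject)
    addr: str    # the node's tunnel endpoint address


@dataclass(frozen=True)
class Rule:
    client: str   # identity allowed to initiate
    service: str  # identity that hosts the service
    proto: str    # "tcp" or "udp"
    port: int


def compile_spd(nodes, rules):
    """Return {ident: [entries]}: one PROTECT entry per authorised pair and
    direction, followed by DISCARD catch-alls, so anything unlisted is dropped."""
    by_id = {n.ident: n for n in nodes}
    spd = {n.ident: [] for n in nodes}
    for r in rules:
        c, s = by_id[r.client], by_id[r.service]
        sel = dict(src=c.addr, dst=s.addr, proto=r.proto, dport=r.port)
        spd[c.ident].append(dict(sel, dir="out", action="protect", peer=s.addr))
        spd[s.ident].append(dict(sel, dir="in", action="protect", peer=c.addr))
    for n in nodes:
        for d in ("in", "out"):
            spd[n.ident].append(dict(src="0.0.0.0/0", dst="0.0.0.0/0",
                                     dir=d, action="block"))
    return spd


def lookup(entries, src, dst, proto, port, direction):
    """First-match SPD lookup for one flow: "protect" or "block"."""
    for e in entries:
        if e["dir"] != direction:
            continue
        if e["action"] == "block":
            return "block"
        if (e["src"], e["dst"], e["proto"], e["dport"]) == (src, dst, proto, port):
            return "protect"
    return "block"


def render(node, entries):
    """Render one node's SPD as `ip xfrm policy add` commands. Lower priority
    numbers win: IKE bypass at 10 (UDP 500/4500 must not be caught by the
    catch-all), PROTECT entries at 100, DISCARD catch-alls at 1000."""
    lines = []
    for d in ("in", "out"):
        for port in (500, 4500):
            lines.append(f"ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 "
                         f"proto udp dport {port} dir {d} action allow priority 10")
    for e in entries:
        if e["action"] == "protect":
            # Outer (tunnel) addresses: we are the source on the way out,
            # the destination on the way in.
            t_src, t_dst = (node.addr, e["peer"]) if e["dir"] == "out" else (e["peer"], node.addr)
            lines.append(f"ip xfrm policy add src {e['src']} dst {e['dst']} "
                         f"proto {e['proto']} dport {e['dport']} dir {e['dir']} "
                         f"tmpl src {t_src} dst {t_dst} proto esp mode tunnel priority 100")
        else:
            lines.append(f"ip xfrm policy add src {e['src']} dst {e['dst']} "
                         f"dir {e['dir']} action block priority 1000")
    return lines


def example_mesh():
    """Constructed sample: one laptop, one application server, one printer;
    the laptop may reach the ERP over HTTPS and nothing else."""
    nodes = [Node("laptop-alice", "10.0.0.11"),
             Node("erp", "10.0.0.20"),
             Node("printer", "10.0.0.30")]
    rules = [Rule("laptop-alice", "erp", "tcp", 443)]
    return nodes, rules


if __name__ == "__main__":
    nodes, rules = example_mesh()
    spd = compile_spd(nodes, rules)
    for n in nodes:
        print(f"# {n.ident}")
        print("\n".join(render(n, spd[n.ident])))
```

In a real deployment the IKE daemon (strongSwan, a firewall appliance, etc.) installs the SPD itself from its configuration; the point of the toy is that the mesh’s “who may talk to whom” is precisely that SPD, and that default-deny at this layer is what turns a flat full mesh into something resembling a zero-trust network. Application-level authorisation (which user, which request) still has to happen behind the tunnel.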


Fig.3: illustration of full-mesh VPN

No, the VPN is not dead

Far from it, in fact. It is currently at the peak of its use, and could conceivably remain in use for another ten years to come. In addition, we have seen that it could be a simple, robust platform forming the basis of reliable, secure, agile networks, thus ushering in new concepts for secure interconnections. It will remain an effective weapon in the arsenal of current and future cybersecurity tools.

However, it may be time to start mourning the passing of the “trusted” LAN. But that’s a story for another day.

Davide Pala

Senior Presales Engineer at Stormshield & Cyber Saiyan co-founder

3 years ago

VPN is dead until the cloud security ... Most people think of the cloud as an out-of-the-box solution, ready to use, BUT they don't understand that this infrastructure model also needs to be hardened. Open buckets, wrong permissions and misconfigurations are opening a new era of threats and, as usual, security is late, and not through its own fault. As you described, a new definition of the perimeter is coming and VPN technologies have a huge role in it.
