Why VPNs Suck

Ashur Kanoon:

Hi, everyone. This is Ashur Kanoon, vice president of technical marketing at Banyan Security. And today we’re gonna look at some of the shortcomings of VPN. All right, first with most VPN, you’re gonna be deploying a physical appliance. This means buying, waiting for it to get shipped, then racking it, powering it on, cooling it. So, it’s gonna be sitting in a rack. Most of the time, you’re gonna want to get a physical appliance because of the performance.

Number two, virtual appliances, uh, that are built for VPN were not built for the cloud. So, any time you go and you look at what’s available in, like, the AWS Marketplace, uh, you’re gonna see that one, the licensing is probably not very straightforward, and two, the scalability and performance seems to always be limited. So, if you have something that’s physical, that’s on-prem, where you’re doing thousands of connections and you have, like, gigabits of [inaudible 00:00:53], typically a VPN appliance that’s in cloud is gonna be limited to like 200 users and maybe 50 or 100 megabits per second.

All right. Number three, deploying appliances in active/passive clusters. So, this is usually how it’s done, especially on-prem. So, you have one box, that’s your active, that is doing all the work. Then you have another box sitting there consuming electricity, taking up rack space, uh, and it’s probably licensed in a way that’s, uh, pretty weird. So, the active/passive model that’s, uh, very common with physical appliances, uh, just doesn’t work. Uh, ideally, you wanna take advantage of every system that you’re running, uh, to get the highest scale and performance.

Number four, with VPNs, most of the time for your end users, there’s a decision that needs to be made right at the beginning, where will they connect? If you have VPN running right now, you can probably go to it and then see the dropdown of all the appliances that your organization’s deployed. It, it just makes it a hassle to figure out where do the applications live? Which one do I need to connect to? Which one’s the closest? Uh, which one gives me the best performance? Sometimes there’s inconsistent policies. Why even make that decision? With a ZTNA such as Banyan Security, they just log into one place regardless of where they are in the country or in the world and what they’re trying to access. Makes it super easy, no decisions for them other than, “I’m gonna go and make my connection.” Right.

The other problem with VPNs is they typically provide full access, so it’s always easier to start off with a Layer 3 tunnel that just drops your end user on the network. And at the end of the day, a lot of organizations still never get past that, uh, stage. They just say, “Ah, I’m gonna give everybody a Layer 3 access and let the applications decide if somebody can log in or not.” It’s insecure, that’s how DDoS attacks happen, that’s how malware spreads. Why even take that chance?

The other limitation for VPN is the end users have to remember passwords. So, there’s always a way for them to log in. Uh, oftentimes it’s user name and password, especially if it’s like a client list portal. So, they have to go and remember passwords or use a password manager. And there’s still people that, you know, either put it into a text file or on a p-… Or the end users, uh, are being confused with MFA. So, if they’re off premise, typically what happens is off premise, they have to, uh, log into the VPN. So, the system is doing a device check, they’re having to remember credentials, they’re having to use multi-factor authentication such as, such as a token or a push. And then they go on premises and, and then there, uh, they just connect to the WiFi and they’re able to access everything. They’re just using credentials. So, it becomes confusing. And with, uh, ZTNA products, you’re basically doing, uh, the same policy for device, same authentication whether you’re on-prem or off-prem. It’s really blurred. There’s no more off-prem, on-prem.

Another issue is, uh, one that we just mentioned. It’s the inconsistent authentication policy when you’re on-prem and off-prem. Uh, this is insecure, uh, and it’s confusing to end users. Same thing with device posture policy. It’s like there’s a bunch of implied trust when you’re on-prem. “I trust your device. I’m not gonna check whether it’s running malware. I’m not gonna check if you have your, uh, hard drive encryption enabled, if you have your firewall enabled. I’m just gonna take your credentials and you’re on the network.” That inconsistency is how, uh, problems occur. Moreover, when we talk about SaaS, VPNs weren’t really built for SaaS. A VPN is when you’re remote and you’re trying to access something on-prem, so SaaS isn’t even in the picture.

Um, so there’s a lot of inconsistency around the authentication policy. A lot of times you’ll see if you’re on a VPN, uh, you’re using multi-factor authentication, then you’re on-prem and you’re using just your user name and password. Then you w-… W- when you wanna go connect to SaaS, either you’re using something completely different like a IAM solution or another external identity provider, uh, or you’re having to remember a different set of credentials, uh, for, uh, different websites and stuff like that. So, when it comes to SaaS, a ZTNA solution will give you consistent authentication policy and it’ll enable device posture policy. So, a lot… Most SaaS applications don’t care about the device, and that’s another area where the device might be infected. Uh, it might not impact the application, but it could be stealing information, uh, from the site. So, you wanna enable device posture policy. Uh, it could be to check things like is this a BYOD versus corporate device? And you can create policies based on that. Or it could be some of the things I mentioned, “Have we enabled, uh, anti-virus? Is the, uh, firewall enabled on the device?” and so on.

VPNs also require many inbound ports, uh, to be enabled. At minimum, that’s like four different ports, uh, port 80, sometimes port 443 or 8443. You’re gonna have to enable things like SSH if you wanna have, like, proxied SSH. So, that’s just way too many inbound ports. Uh, with Banyan Solution, there are no inbound ports that need to be opened. It’s all outbound connections.

Uh, next is external… VPNs require external IP addresses. Um, so if you have an active/passive, if you have a bunch of these, uh, appliances around the globe, they all require external IP addresses. And nowadays it’s getting really hard to get, um, bunch of external IP addresses in some areas. We’re hearing people waiting six months from when they order IP addresses to actually getting them. With solution like ours, we take advantage of matting on the firewall. You don’t need an external IP address. You also don’t need to update DNS. That’s another big thing. That’s just one less step for your organization to do, uh, to get you up and running quickly. With a solution like Banyan’s ZTNA Solution, we can get you up and running in 15 minutes without ever having to touch your DNS server or your external firewall.

Not being able to immediately address out of compliant devices. So, your end users are gonna devices that may go out of compliance with a VPN. The first thing they’re gonna do is call IT. By the time IT takes care of it, uh, it could be, uh, Monday morning if the issue occurred over the weekend. So, not being able to address, uh, an out of compliance device or not being able to do something about it immediately, uh, is a huge concern. With Banyan’s ZTNA Solution, uh, as soon as we discover the device is out of compliance, the system automatically either will reduce the level of access…

So, if you have… Let’s say you have your financial system that’s a high risk, uh, system, they don’t have access to that. But if you wanna give them access to like an intranet site, uh, where it’s pretty much read only, uh, they can have access to that when they have a device that’s in low compliance. Uh, they might have turned off their firewall or they might be running some malware. You wanna be able to address that immediately, not wait until an IT guy can take care of it.

Uh, the last two, with VPN, it might require a different solution based on the device. So, we’ve seen where someone’s using MDM for mobile devices and connecting through a, an MDM proxy. Uh, and then for their Macs they’re using one thing, for Windows they’re using another thing, for Linux they’re using another thing. And then for third party users, they’re using yet again a different VPN. It gets really hard to manage. It gets hard for the end user to figure out what do they need to use to connect, um, just dep- depending on the device. Uh, there’s also different solutions that people deploy based on what they’re connecting to. If they’re connecting to, like, uh, RDP or VDI, they might be running, uh, through one system. Uh, and then when they’re looking at their internal applications, they might be using another system. Uh, so this again, it just becomes really confusing and there’s a lot of things to manage.

So, these are 17 different, uh, reasons why you might say M-… uh, VPN stinks or it might be 17 reasons why you should consider, uh, getting a zero trust network access solution like Banyan’s. Uh, thank you for watching this video. Please check out some of our demo videos, uh, to see how it works. It’s really slick. We can get you up and running in 15 minutes, uh, and your end users will be much, uh, happier with the end user experience. Thank you.

Close Transcript