This is a guest post written by Hart Ripley of Arctiq Inc.
Times have changed, and so should your VPN.
I’ve installed and used more endpoint VPN clients that I want to recount. All requiring their own quirky configurations and hard-coded IP addresses or connection points. When you travel to another country, you may connect all the way back to the single VPN concentrator, and if you are fortunate there will be a close option with localized access. These types of configurations are very static and focused on “where are you coming from” and “where are you connecting to”, enforcing a simple yes or no.
Where are things headed now? Remote access has evolved over the past few decades, here is some perspective into the current landscape.
The Shift
There have been major shifts in how users interact with resources, and the platforms that deliver content are continuously changing. Consumption and connectivity can come from anywhere in the world, from different platforms and devices, and many people have more than one. It is no longer feasible to tie security to a physical location - the focus must be on the user and secure, pervasive access across the organization. The user demand is for fast, on-demand access to resources. The expectation of excellent performance has never been greater.
The challenge at the forefront is determining the best way to secure this access while maintaining usability for users and devices and ensuring administration remains simple.
This altered consumption model requires increasingly automated infrastructure that is software-driven and can adapt to new architecture requirements, integrations and user demand. Automation will enable these solutions to scale while cloud embraces agility, availability and makes "always-available" a reality.
What is the difference between traditional VPN and SDP?
The days of point-to-point VPN’s, RAS’s and limited connection points are no longer practical. They require administrative upkeep, constant rule changes and are defined by source and destination networks rather than a user. This approach doesn’t scale and in no way provides proper governance or pervasive security.
The industry has a new spin on how to solve these challenges. Gone are the days of traditional VPN, the way forward is a software-defined perimeter or SDP.
Maybe you haven't heard of SDP, many haven't. It's, yet another buzzword without obvious meaning. Let me break it down:
The software part simply states that it is orchestrated and controlled from a software system and not dependant on the underlying hardware. It can run in different environments on many platforms, while still being managed from a centralized console. As more and more controls and architectures move to a software-driven approach, security and access must align.
The perimeter is the grey area today because it’s changing. Essentially the perimeter is now the devices or users accessing resources. The perimeter is extending out to the endpoints vs. the traditional approach of tunnelling the assets to the perimeter, typically within the data center walls.
As you may have experienced, the legacy approach doesn't scale well and becomes tedious to manage from an administrative perspective. It also doesn't fit the mobile first or access anywhere philosophies that are now a mainstay. If you can unify and secure all access to internal, cloud and other business assets from unsecured networks you will be better prepared for changing landscapes.
How does secure remote access apply to Arctiq?
Like many of our customers, we have expanded our labs and dependencies across on-prem and different cloud providers. We are living through the shift and experiencing it first hand. We are also users of the software and services we offer to our customers; they have been built into our workflows and we can confidently give real-world feedback to our customers and work with them as experts.
It wasn’t practical to manage a lab VPN with a specific client, profile and access control for a singular environment. We have lab resources in AWS, Azure, and GCP, dynamically scaling up and down, we needed a common way to securely connect and manage all assets without maintaining ACL’s, credentials across all platforms and seamlessly share resources between these environments. Arctiq set out to solve these challenges for ourselves, while at the same time exploring the offerings to assist our customers in their quest.
Arctiq’s Challenges:
- Poor VPN performance
- Lack of local presence (PoP) when traveling
- Different clients and connection mechanisms to access different lab resources
- Difficult to enforce endpoint security and multi-factor authentication
- Ongoing management of NAT rules, having to expose entire services to the outside world
Why Meta Networks for Arctiq?
- Open platform, native API
- No single vendor lock-in
- Support for all OS’s
- Cloud-native - deploy anywhere
- Global footprint, single logical network and security solution
Arctiq follows a “software first” approach when providing solutions to customers. It is only fitting that the same philosophy is used for our internal requirements to help support our customers, provide insight and demonstrate these flexible solutions.
We were looking to enhance our existing remote user connectivity from a point to point access model to a more secure solution with MFA to our distributed lab environments. The access is required from all the devices a user may have, tablet, smartphone or laptop. The solution needed to have a single, dynamic connection point globally and be highly available and redundant. Meta Networks’ platform is built completely as a native SDN. All appliances are virtual and can be run on any Cloud Service Provider (CSP) or on-prem hypervisor, actually any Ubuntu machine.
Why is software-driven so important? A cloud-based overlay is the best way to integrate all resources and connectivity under a single platform. It is true, identity-based unified access.
Some important requirements for us:
-
- No requirements for hardware
- Zero-touch maintenance
- Multi-OS support
- Simple setup/onboarding
- Unified and secure access method to labs (company wide)
- Securely connect to run and present customer demos/PoC’s
- Multi-cloud (hybrid and cloud to cloud) with API automation
Meta Networks manages the cloud infrastructure. That gives us peace of mind, knowing that it will be monitored and maintained 24x7 by experts. It’s globally redundant by nature, loss of a PoP or Meta Port is "self-healing" with a proper upfront design.
Beyond Secure Remote Access
Secure remote access is a great starting point; however, DC's, branches, remote offices all benefit from the unified overlay with identity-based access control.
Here are some other key uses cases made possible by the Meta Network-as-a-Service:
- Site-to-site, multi-cloud connectivity
- Hybrid cloud connectivity
- Cloud Security
What made the Meta NaaS stand out against other offerings?
Meta Networks fit the agile and scalable requirements Arctiq was looking for. No hardware was required and the solution was deployed in a few hours across Arctiq’s lab and cloud environments. Client onboarding is extremely intuitive and with many different OS platforms in use, it was crucial these would all work day one.
How has Meta Networks solved Arctiq's challenges?
We were using a hardware-based VPN appliance with a group password (insecure) and lack of 2FA - only username/password to connect to each lab environment. With cloud labs, there were many different VPNs and connection points, all requiring different clients/methods and separate credentials.
Meta Networks uses certificate-based authentication and also 2FA with app or text. This presented us with many secure connection options, most importantly through one single connection point into the overlay to access all lab resources.
Our employees need to be very agile, while still having access to all lab resources from anywhere. The software was quick and simple to onboard on user devices, and our team has made the transition easier. Meta Networks’ single client connection has simplified the number of profiles and connection methods down to a single connection, supporting all OS platforms. In addition to the VPN connection to the overlay, Meta provides browser-based remote access that requires no setup on the user side.
An Interoperable Platform
Meta Networks offers a full API to interact with the overlay in an automated and secure fashion. This also encourages partnerships and shared intelligence when it comes to security in a multi-vendor environment. Want to use your existing NGFW vendor on Meta Networks overlay? No problem, this is fully supported and simply becomes a virtual gateway (VGW) or a point of egress. Other network security services such as content filtering or CASB may be integrated into a service chain. Administrators can continue to use and support familiar platforms, but more coherently and efficiently.
Conclusions - Why is a cloud-native focus important?
The shifts in consumption increase the need for an overall platform that can centralize network security, regardless of location and provide consistent access through a single, global connection point. A cloud Network-as-a Service ensures users connect to the nearest global POP and enforces common security amongst all entities within. It also is the single connection point to all services, including SaaS/IaaS/PaaS. Endpoints are less vulnerable to malicious activity or infections, by leveraging the overlay their communication is always encrypted and subject to the centralized security standards for both enterprise and internet traffic. Since the overlay is programmable, it offers flexibility without the need for complex routing expertise or re-design of an existing network.
About Hart Ripley
Hart has over 10 years experience in architecting enterprise environments, delivering, and managing global network and security solutions. Working in unique environments has provided Hart with a strong competence in multi-vendor interoperability and invaluable experience, which serves well to help clients in the most complex of environments. Hart has focused on building strong network foundational knowledge with an emphasis on security, environment hardening, and implementing best practices.
About Arctiq Inc.
Arctiq is a services-led firm providing expertise in the new world of IT transformation. We help clients build continuous improvement strategies using automation, orchestration, DevOps methodologies, security, and customized workflows. Arctiq helps development teams focus on development efforts and not infrastructure. Efficiencies are achieved through microservices and container-based solutions, self-service enablement, and repeatable deployment methodologies. Arctiq's solutions help reduce risk and simplify tasks through standardized frameworks, workflow automation, and foundational IT practices."