Insights Into Corporate VPN Gateways
What are VPN gateways for? Does this class of solutions have a future? What parameters should be considered when protecting communication channels?
Many organizations are experiencing an urgent need to protect transmitted data. The massive transition to remote work has only strengthened this trend. What determines the choice of a VPN gateway — its functionality, price, or the availability of the necessary certificates? Let us take an in-depth look into these issues.
How a VPN gateway can be configured
As for the practical options for using crypto gateways, the protection of video communication channels, telemedicine, and secure access to official state portals have recently been in demand. In general, we can talk about the common scenario in which a user accesses specific resources. This can be a secure communication channel with an IDM system, a cloud platform, or a single entry point through which routing to other resources is performed.
Technically, there are two scenarios for using crypto gateways: site-to-site and client-to-site. The site-to-site scenario has two sets of requirements. The first is a geographically distributed network: for example, a dozen branches united into a common VPN network. The second is a secure channel between two data centers.
The tasks of protecting corporate data in transit can be divided into policy-based VPN and route-based VPN. The latter option becomes relevant when the number of nodes increases to several thousand devices. When protecting the backbone, low-level solutions and a point-to-point topology are usually used.
When it comes to protecting highly loaded channels, one cannot be limited to the point-to-point architecture alone. Point-to-multipoint solutions are in great demand on the world market. Protecting the channel at the L2 level is highly effective, since only this approach can guarantee the absence of delays.
It should be kept in mind that site-to-site protection can be implemented at both the software and hardware levels. In the latter case, the customer can choose the implementation option in terms of, for example, the speed characteristics of the protected channel.
Due to the increase in the number of employees working remotely, the need for client-to-client scenarios has also grown, that is, for building a VPN connection directly between users. Such channels are used for fast communication, video conferencing, telephony, and other tasks.
However, there has been no significant change in demand or in technological solutions for point-to-point communication. Such links use stream encoders, which provide a good connection speed. On the other hand, there is a growing demand for more efficient communication channels between data centers. In some cases, this means connections with a bandwidth of more than 100 GB, requiring an entire cluster of VPN gateways.
In turn, the scenario of organizing remote access during a pandemic has shown significant growth, and it is in this sector that the main problems with scalability occurred. Not only have the scale and the technological solutions changed, such as the use of specialized load balancers to distribute the load between tens of thousands of VPN connections, but project implementation timelines have also become much shorter.
As for how crypto gateway usage scenarios relate to the required compliance level, the threat model is of primary importance. The compliance level can be explicitly indicated in the regulatory documentation or independently determined by the organization.
Technical nuances of choosing a VPN gateway
As for the differences in how VPN gateways encrypt traffic and the cases in which they are used, keep in mind that the gateway usage model largely dictates the level of protection. There are various technical means of implementing protection at the L3 level; however, designing a working L2 network in this case is problematic, although fundamentally possible. As for the L4 level, it is becoming the standard for accessing both public Internet resources and corporate sites.
Data redundancy and fault tolerance are important criteria for choosing a VPN gateway. The fault tolerance of both the equipment and the control systems must be taken into account. Other important parameters are the speed of switching to a backup working cluster in case of an emergency and the speed of restoring the system to a normal state.
Quite often, hardware does not achieve the mean time between failures declared by the supplier. Therefore, for equipment used on the backbone, it is important not to forget about the basic means of fault tolerance, such as dual power supplies or redundant cooling systems.
Alternative solutions for protecting communication channels
Other important topics that should be touched on here are possible alternatives to VPN gateways, as well as ways to integrate solutions for cryptographic protection of communication channels with other security tools, such as firewalls, to ensure better protection against different threats.
In addition to crypto gateways, high-performance hardware encryption devices can be used to protect channels, as well as their virtual counterparts, which are flexible enough to work at almost all levels of the OSI model. In addition, there are small, single-board solutions in the transceiver form factor and modules that can be embedded in IoT devices.
Experts predict that individual crypto gateways as devices will gradually leave the market, giving way to integrated systems. There is another point of view: as a rule, universal systems are cheaper, but they are less effective than specialized solutions. Successful integration can also be carried out in the cloud at the service provider level. In this case, the service provider resolves the compatibility issues, and the client receives a universal solution with the necessary functionality.
Market forecasts and prospects
I see a great need to increase the speed of crypto gateways, and solutions of this class will be developed to satisfy this request. Integration processes will continue on the market, but the result of this movement is still unclear. The VPN gateway industry will be driven by IoT devices, 5G technologies, and the continuing growth in the popularity of remote work. Industrial control systems may become a new niche for cryptographic protection tools.
As supporting secure VPN channels at the enterprise level requires a high degree of expertise, customers will increasingly change the model of using such information security solutions, outsourcing the management of crypto gateways to service providers. Another important trend will be increased attention to the UX component of crypto gateways, that is, to making them more convenient to work with.
Another point of view is that the crypto gateway market is doomed, and in the next five or ten years, such solutions will turn into a niche product. Universal solutions and localized equipment will replace them. Nevertheless, the class of TLS gateways will evolve.
Conclusion
When choosing means of cryptographic protection of communication channels, it is necessary to take into account not only the functionality of a particular solution but also its compliance with the requirements of regulators. When considering various options for VPN gateways, it is worth thinking about the scenarios for their use, as well as how to integrate them with other information security systems. In some cases, a specialized system may better ensure security; however, universal, multifunctional solutions often have the best cost efficiency.