From VPNs to Zero Trust
5 minute read (1137 words)
September 20th, 2023
Over the past two decades, corporate network security has undergone a dramatic evolution. What began as a perimeter model based on VPNs and firewalls has gradually transitioned into the emerging zero trust paradigm. This evolution has been driven by advances in technology, the rise of the cloud and distributed workforces.
In this post, we will explore:
- The early firewall and VPN model
- Overcoming VPN limitations
- Principles of zero trust
- Technologies enabling zero trust
By the end, you will understand both the limitations that drove the evolution away from traditional VPNs, as well as the innovations which make more dynamic zero trust networks possible today.
The Early Firewall and VPN Model
In the late 1990s, as corporate networks began connecting to the open internet, a perimeter-based security model emerged centered around firewalls and VPN concentrators.
The basic architecture looked like this:
- Corporate network
  - Private LANs and resources
  - Implicitly trusted internal access
- Firewall
  - Gateway between the corporate network and the untrusted internet
  - Allows or denies traffic based on ports, protocols and IP addresses
- VPN concentrator
  - Sits at the network edge next to the firewall to terminate encrypted remote-access connections
  - Tunnels funnel and authenticate remote user connections
  - Client/server or hub-and-spoke architecture
Key goals of this model:
- Clear security boundary between trusted internal network and untrusted external networks
- Limit attack surface by funneling connections through controlled choke points
- Authenticate and authorize remote users before allowing access
- Prevent leakage of private internal resources to public internet
Securing the Corporate Network Perimeter
Firewall and VPN appliances provided a pragmatic compromise given the state of technology in the late 90s and early 2000s.
At the time:
- Internet connectivity was still relatively new and viewed as inherently insecure
- Encryption was very costly to implement at scale
- Security relied on controlling traffic at network perimeter choke points
- Most network traffic stayed within privately owned LANs and WANs
- Devices were largely corporate controlled on corporate premises
So it made sense to funnel all access through dedicated gateways that inspect traffic. Resources inside the network perimeter could be implicitly trusted and accessed directly.
This allowed companies to connect to the internet, while maintaining a clearly defined security boundary.
Challenges with Remote Access
While firewalls and VPNs enabled secure remote access, some key challenges emerged:
- Complex firewall configuration:
  - Rules keyed on IP addresses made granular, per-user policy difficult
  - Every firewall needed updating whenever the network changed
  - Misconfiguration risked leaving holes in the perimeter
- User management:
  - Authentication was delegated to directory and AAA protocols like LDAP and RADIUS
  - Limited integration with enterprise identity systems
- Scaling bandwidth:
  - All remote traffic bottlenecked at the VPN concentrators
  - Difficult to add redundancy and failover
- Application security:
  - Traffic on internal LANs was typically unencrypted once inside the perimeter
  - Applications that needed confidentiality had to bring their own transport security (SSH, HTTPS) on top of the network
These limitations would gradually become more acute over time, as networks evolved and new technologies emerged.
Overcoming VPN Limitations
Throughout the 2000s and 2010s, rapid technological change in three key areas drove networks beyond the traditional VPN model:
- Identity management - More granular user and role-based access controls.
- Encryption - Faster and cheaper encryption on local devices.
- Cloud networks - Dynamic network environments requiring more flexible security.
Let's look at each area:
Improved Identity Management
Traditionally, VPNs relied on directory and AAA services like LDAP and RADIUS for user authentication. As identity management systems matured, it became possible to feed richer user context into network security policies:
- Centrally managing users and roles
- Federation with cloud apps and social login
- Multi-factor authentication
- Contextual and risk-based access policies
These capabilities allowed user identities, rather than IP addresses, to become the core of network access controls.
Faster and Cheaper Encryption
In the 1990s and early 2000s, encryption was resource intensive and slow. Efficient algorithms like AES, along with faster processors, dedicated crypto accelerators and later CPU instruction-set support such as AES-NI, made encryption cheap enough to apply everywhere:
- Encrypting traffic at the edge on user devices
- Establishing encrypted connections without a central VPN bottleneck
- Scaling networks with distributed encryption performance
Encryption could be ubiquitous instead of limited to VPN tunnel endpoints.
Dynamic Cloud Networks
As organizations began adopting cloud technologies, network architectures had to become more flexible and agile.
- Rapid provisioning of virtual resources
- Frequent changes in devices, users and roles
- Resources moving between on-premise and cloud
- Expanding ecosystem of SaaS apps
These changes required security to be identity-centric, context-aware and dynamically responsive to change.
Principles of Zero Trust
These technological advances paved the way for a new security paradigm: zero trust. Instead of securing a static network perimeter, zero trust focuses on:
- Never trust, always verify
  - Authenticate and authorize every device, user and connection, inside the network as well as outside
- Least privilege access
  - Only allow essential access, limiting lateral movement
- Encrypt everything
  - Encrypt data in transit and at rest
- User/role based access
  - Focus on identity, not network location
- Security across all layers
  - Consistent controls across network, cloud, devices and apps
- Dynamic risk-based policies
  - Adapt access based on contextual signals like device posture, location and behaviour
This allows much more flexible and granular access controls that can accommodate cloud networks, BYOD, and globally distributed users and devices.
Technologies Enabling Zero Trust
Key technologies that enable zero trust include:
Cryptography and Key Management
Encrypting network traffic end-to-end prevents eavesdropping and tampering. This requires:
- Efficient encryption protocols like TLS and IPsec
- Cryptographic APIs to integrate encryption into apps
- Key management systems to issue, rotate and revoke keys and certificates
Encrypting data at rest limits what an attacker gains from stolen disks, backups or storage snapshots; it does not protect data from a compromised application that holds the keys. Tools include file and disk encryption, tokenization etc.
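To make the issue/rotate/revoke cycle concrete, here is an added example in Go (not code from the original post) of a mutual-TLS service whose in-memory CA issues short-lived client certificates and whose server checks a revocation list on every handshake. The CA, the hostname gateway.internal and the device name laptop-42 are invented for the example; the must helper and the in-memory CA type stand in for a real key-management system and are not a library API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// must panics on setup errors (key generation, certificate creation); the handshake
// verdicts this example is about come back from Connect as ordinary errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA is a minimal in-memory certificate authority (a hypothetical helper, not a real
// PKI product) that issues short-lived leaf certificates and tracks revoked serials.
type CA struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	pool    *x509.CertPool // trust store handed to both sides: only this CA
	revoked sync.Map       // revoked serial numbers (string) -> true
}

// sign generates a key pair and certificate from tmpl; parent == nil means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62))) // random serials, as real CAs use
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func NewCA(name string) *CA {
	cert, key := sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-3 * time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	ca := &CA{cert: cert, key: key, pool: x509.NewCertPool()}
	ca.pool.AddCert(cert)
	return ca
}

// Issue signs a leaf for name valid until now+ttl; a negative ttl yields an already
// expired certificate, which is how the expiry failure is exercised.
func (ca *CA) Issue(name string, usage x509.ExtKeyUsage, ttl time.Duration) tls.Certificate {
	cert, key := sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}, ca.cert, ca.key)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// Revoke blacklists a leaf's serial; the server consults the list on every handshake.
func (ca *CA) Revoke(c tls.Certificate) { ca.revoked.Store(c.Leaf.SerialNumber.String(), true) }

// StartServer runs a mutual-TLS HTTPS service on loopback and returns its URL. A client
// must present a certificate that chains to ca, is inside its validity window and is
// not revoked; only then does the handler run and greet the identity in the cert.
func StartServer(ca *CA) string {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{ca.Issue("gateway.internal", x509.ExtKeyUsageServerAuth, time.Hour)},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    ca.pool,
		// Runs only after chain validation succeeded; chains[0][0] is the verified leaf.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if _, gone := ca.revoked.Load(chains[0][0].SerialNumber.String()); gone {
				return fmt.Errorf("client certificate revoked")
			}
			return nil
		},
	}
	srv.StartTLS()
	return srv.URL
}

// Connect opens an mTLS session as clientCert, trusting only ca for the server's
// certificate, and returns the body. A rejected client certificate surfaces as an error.
func Connect(url string, ca *CA, clientCert tls.Certificate) (string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: ca.pool, ServerName: "gateway.internal",
		Certificates: []tls.Certificate{clientCert}}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

Drive it from a test or a small main: NewCA("corp-root"), StartServer, then Connect with a freshly issued laptop-42 certificate returns "hello laptop-42", while an expired certificate, one signed by a different CA, or one that has been passed to Revoke all fail at the handshake, and a client that trusts a different root refuses the server in turn. Short validity plus a revocation check at the handshake is what lets a compromised device be cut off in minutes rather than at the next password change.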
NAT Traversal and Tunneling
Network address translation (NAT) and firewalls drop unsolicited inbound packets, which prevents direct peer-to-peer connections. Solutions include:
- Tunneling protocols that encapsulate connections in UDP or TCP so they pass through middleboxes
- STUN to discover a peer's public (reflexive) address and port, and TURN to relay traffic when no direct path can be found
- Hole punching: both peers send outbound packets at the same time so their NATs create matching mappings and later packets get through
This enables encrypted tunnels through NAT devices without reconfiguring them.
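As an added example, not from the original post, the following Go code encodes and decodes the STUN Binding exchange from RFC 5389 that hole-punching clients use to learn their reflexive address: the request a client sends, the response a server returns with the observed source address in XOR-MAPPED-ADDRESS, and a parser that refuses replies to any transaction other than its own. The transaction ID and the address 203.0.113.9:40000 are constructed sample values, and the handling is IPv4 only.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const magicCookie = 0x2112A442 // fixed value in every RFC 5389 STUN header
const typeBindingReq, typeBindingOK, attrXORMappedAddr = 0x0001, 0x0101, 0x0020

type TxID [12]byte // random per request; ties a response to the request it answers

// BuildBindingRequest encodes the 20-byte Binding Request a client sends (no attributes).
func BuildBindingRequest(tx TxID) []byte {
	msg := make([]byte, 20)
	binary.BigEndian.PutUint16(msg[0:], typeBindingReq)
	binary.BigEndian.PutUint16(msg[2:], 0) // length of attributes
	binary.BigEndian.PutUint32(msg[4:], magicCookie)
	copy(msg[8:], tx[:])
	return msg
}

// BuildBindingResponse is the server's reply: the source address the request arrived
// from (the client's reflexive address, as seen from outside any NAT), XORed with the
// magic cookie so NATs that rewrite literal IP addresses in payloads cannot corrupt it.
// IPv4 only in this example.
func BuildBindingResponse(tx TxID, seen *net.UDPAddr) []byte {
	msg := make([]byte, 32)
	binary.BigEndian.PutUint16(msg[0:], typeBindingOK)
	binary.BigEndian.PutUint16(msg[2:], 12) // one attribute: 4-byte TLV header + 8-byte value
	binary.BigEndian.PutUint32(msg[4:], magicCookie)
	copy(msg[8:], tx[:])
	binary.BigEndian.PutUint16(msg[20:], attrXORMappedAddr)
	binary.BigEndian.PutUint16(msg[22:], 8)
	msg[25] = 0x01 // address family IPv4
	binary.BigEndian.PutUint16(msg[26:], uint16(seen.Port)^(magicCookie>>16))
	binary.BigEndian.PutUint32(msg[28:], binary.BigEndian.Uint32(seen.IP.To4())^magicCookie)
	return msg
}

// ParseBindingResponse rejects anything that is not a success response to our own
// transaction (an unsolicited or spoofed reply must not plant a bogus address), then
// walks the attribute TLVs, each padded to a 4-byte boundary, and undoes the XOR.
func ParseBindingResponse(msg []byte, tx TxID) (*net.UDPAddr, error) {
	if len(msg) < 20 || binary.BigEndian.Uint16(msg[0:]) != typeBindingOK ||
		binary.BigEndian.Uint32(msg[4:]) != magicCookie || !bytes.Equal(msg[8:20], tx[:]) {
		return nil, errors.New("not a Binding success response for this transaction")
	}
	body := msg[20:]
	if int(binary.BigEndian.Uint16(msg[2:])) != len(body) {
		return nil, errors.New("length field does not match message")
	}
	for len(body) >= 4 {
		typ, n := binary.BigEndian.Uint16(body[0:]), int(binary.BigEndian.Uint16(body[2:]))
		padded := n + (4-n%4)%4
		if len(body) < 4+padded {
			return nil, errors.New("truncated attribute")
		}
		if val := body[4 : 4+n]; typ == attrXORMappedAddr && n == 8 && val[1] == 0x01 {
			ip := make(net.IP, 4)
			binary.BigEndian.PutUint32(ip, binary.BigEndian.Uint32(val[4:])^magicCookie)
			return &net.UDPAddr{IP: ip, Port: int(binary.BigEndian.Uint16(val[2:]) ^ (magicCookie >> 16))}, nil
		}
		body = body[4+padded:] // skip attributes we do not use, such as SOFTWARE or FINGERPRINT
	}
	return nil, errors.New("no XOR-MAPPED-ADDRESS attribute")
}

func main() {
	// Constructed exchange: a client behind a NAT, and the address the server saw it from.
	tx := TxID{0x9a, 0x1b, 0x2c, 0x3d, 0x4e, 0x5f, 0x60, 0x71, 0x82, 0x93, 0xa4, 0xb5}
	seenByServer := &net.UDPAddr{IP: net.IPv4(203, 0, 113, 9), Port: 40000}
	resp := BuildBindingResponse(tx, seenByServer)
	reflexive, err := ParseBindingResponse(resp, tx)
	fmt.Printf("request  %x\nresponse %x\nreflexive %v err %v\n", BuildBindingRequest(tx), resp, reflexive, err)
	_, err = ParseBindingResponse(resp, TxID{}) // a reply to someone else's transaction
	fmt.Println("foreign transaction accepted?", err == nil)
}
```

Sending BuildBindingRequest over UDP to a real STUN server and feeding the datagram that comes back to ParseBindingResponse is the whole client side of address discovery; the reflexive address is what two peers exchange through a rendezvous service before punching. The XOR is not encryption: it only stops NATs that blindly rewrite embedded IPv4 addresses, so a tunnel still needs its own encryption on top.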
Mesh Networking
Mesh topologies allow direct, encrypted peer-to-peer connections between devices, without funneling traffic through a central hub. Benefits include:
- Avoiding bottlenecks, single points of failure
- Peer nodes can dynamically join/leave
- Traffic takes optimal path through mesh
- Easy to incrementally deploy
Microsegmentation
Microsegmentation divides the network into small segments, down to individual workloads, with granular, default-deny policy enforced between them. A compromised host can then only reach what its segment is explicitly allowed to, which contains breaches and limits lateral movement.
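An added example, not part of the original post, to show what "limits lateral movement" means in numbers: a small Go model of a segment-based, default-deny policy and a breadth-first search over the flows it permits, which computes the hosts an attacker who owns one machine can go on to reach. The host inventory (web-1, app-1, jenkins, hr-laptop and so on) and the four rules are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Host is a workload identified by name and by the segment (label) it belongs to.
// Policy is written against segments, never against IP addresses.
type Host struct{ Name, Segment string }

// Rule permits flows from one segment to another on one port. Rules are directional;
// a flow matching no rule is dropped, so the policy is default-deny between segments.
type Rule struct {
	From, To string
	Port     int
}

type Policy struct {
	Rules        []Rule
	FlatIntraSeg bool // hosts sharing a segment may talk freely (the old LAN assumption)
}

// Allows reports whether src may open a connection to dst on port.
func (p Policy) Allows(src, dst Host, port int) bool {
	if src.Name == dst.Name {
		return false
	}
	if p.FlatIntraSeg && src.Segment == dst.Segment {
		return true
	}
	for _, r := range p.Rules {
		if r.From == src.Segment && r.To == dst.Segment && r.Port == port {
			return true
		}
	}
	return false
}

// BlastRadius models lateral movement: an attacker who owns start takes over every host
// start can reach on any policy-listed port, then repeats from each newly owned host.
// It returns the hosts compromised this way, start itself excluded.
func BlastRadius(hosts []Host, p Policy, start string) []string {
	byName := map[string]Host{}
	for _, h := range hosts {
		byName[h.Name] = h
	}
	ports := map[int]bool{0: true} // 0 stands for "any port", enough to trigger the flat intra-segment case
	for _, r := range p.Rules {
		ports[r.Port] = true
	}
	owned := map[string]bool{start: true}
	queue := []string{start}
	for len(queue) > 0 {
		src := byName[queue[0]]
		queue = queue[1:]
		for _, dst := range hosts {
			if owned[dst.Name] {
				continue
			}
			for port := range ports {
				if p.Allows(src, dst, port) {
					owned[dst.Name] = true
					queue = append(queue, dst.Name)
					break
				}
			}
		}
	}
	var reached []string
	for name := range owned {
		if name != start {
			reached = append(reached, name)
		}
	}
	sort.Strings(reached)
	return reached
}

// Constructed inventory: a small three-tier application, a CI runner and a staff laptop.
var Hosts = []Host{
	{"web-1", "web"}, {"web-2", "web"}, {"app-1", "app"},
	{"db-1", "db"}, {"jenkins", "ci"}, {"hr-laptop", "corp"},
}

// Segmented allows only the flows the application actually needs.
var Segmented = Policy{Rules: []Rule{
	{"web", "app", 8443}, // web tier calls the app API
	{"app", "db", 5432},  // app tier talks to the database
	{"ci", "app", 22},    // deployments over SSH from the CI runner
	{"corp", "web", 443}, // staff browse the site
}}

// FlatLAN is the perimeter model: every host in one segment, trusted because it is inside.
func FlatLAN(hosts []Host) ([]Host, Policy) {
	flat := make([]Host, len(hosts))
	for i, h := range hosts {
		flat[i] = Host{h.Name, "lan"}
	}
	return flat, Policy{FlatIntraSeg: true}
}

func main() {
	flatHosts, flatPolicy := FlatLAN(Hosts)
	fmt.Println("flat LAN, web-1 owned:     ", BlastRadius(flatHosts, flatPolicy, "web-1"))   // all five others
	fmt.Println("segmented, web-1 owned:    ", BlastRadius(Hosts, Segmented, "web-1"))        // [app-1 db-1]
	fmt.Println("segmented, hr-laptop owned:", BlastRadius(Hosts, Segmented, "hr-laptop"))    // [app-1 db-1 web-1 web-2]
}
```

Two things the output makes visible: the same inventory goes from "one compromised web server exposes everything" to "one compromised web server exposes the app and database it legitimately talks to", and the remaining exposure follows the allowed flows exactly, so the next tightening step (an app tier that only needs one table, or a read-only replica) can be read straight off the rule list. Rules are directional: app-1 can be reached from web-1 over 8443, but web-1 cannot be reached from app-1 at all.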
Analytics and Automation
Zero trust requires continuous assessment of risk signals such as user activity, device security hygiene and vulnerability scan results. Automating policy enforcement on those signals reduces reliance on static rules and lets access be withdrawn as soon as posture changes, not at the next login.
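The following Go code is an added example, not from the original post, that ties together the identity-centric access described under Improved Identity Management, the principles listed above (identity and role rather than network location, least privilege, risk-based policies) and the continuous assessment just described: a policy decision point that scores device posture and behaviour signals, and a session object that is re-evaluated, and revoked, when new signals arrive. The role table, the risk weights and the thresholds (25 for step-up MFA, 60 for deny) are arbitrary values chosen for the example, not a standard.

```go
package main

// Context is what the policy decision point knows about one request: who asks (from the
// IdP), for what, plus posture and behaviour signals from the endpoint agent and logs.
// The field set is this example's own, not a standard schema.
type Context struct {
	User, Resource, Action string
	Roles                  []string
	ManagedDevice          bool // enrolled in device management
	DiskEncrypted          bool
	MFA                    bool // this session completed a second factor
	Country                string
	UsualCountries         []string
	FailedLoginsLastHour   int
	OnCorpNetwork          bool // recorded for audit, deliberately never trusted
}

type Decision struct {
	Allow   bool
	Risk    int
	Reasons []string
}

// permissions maps a role to resource:action pairs; anything unlisted is denied.
var permissions = map[string][]string{
	"developer": {"git-repo:read", "git-repo:write", "staging-db:read"},
	"dba":       {"prod-db:read", "prod-db:write"},
}

var sensitive = map[string]bool{"prod-db": true} // needs a managed device whatever the score

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

func hasPermission(roles []string, want string) bool {
	for _, role := range roles {
		if contains(permissions[role], want) {
			return true
		}
	}
	return false
}

// riskScore turns contextual signals into a number plus the reasons behind it. Being on
// the corporate network adds nothing: an attacker who has reached the LAN looks exactly
// like a remote one, so OnCorpNetwork is never consulted.
func riskScore(c Context) (int, []string) {
	checks := []struct {
		bad    bool
		points int
		why    string
	}{
		{!c.ManagedDevice, 40, "unmanaged device"},
		{!c.DiskEncrypted, 20, "disk not encrypted"},
		{!contains(c.UsualCountries, c.Country), 30, "sign-in from unusual country"},
		{c.FailedLoginsLastHour >= 5, 35, "burst of failed logins"},
	}
	score, reasons := 0, []string{}
	for _, ch := range checks {
		if ch.bad {
			score += ch.points
			reasons = append(reasons, ch.why)
		}
	}
	return score, reasons
}

// Evaluate is the policy decision point. Identity and role decide what may be accessed
// at all; posture and risk decide whether this particular request is allowed right now.
func Evaluate(c Context) Decision {
	want := c.Resource + ":" + c.Action
	if !hasPermission(c.Roles, want) {
		return Decision{Reasons: []string{"no role of " + c.User + " grants " + want}}
	}
	risk, reasons := riskScore(c)
	switch {
	case sensitive[c.Resource] && !c.ManagedDevice:
		return Decision{Risk: risk, Reasons: append(reasons, "sensitive resource requires a managed device")}
	case risk >= 60:
		return Decision{Risk: risk, Reasons: append(reasons, "risk too high for any access")}
	case risk >= 25 && !c.MFA:
		return Decision{Risk: risk, Reasons: append(reasons, "step-up MFA required at this risk level")}
	}
	return Decision{Allow: true, Risk: risk, Reasons: reasons}
}

// Session is the continuous part: an open session is re-scored whenever a new signal
// arrives and is cut off, not merely flagged, as soon as the decision flips to deny.
type Session struct {
	Ctx    Context
	Active bool
}

func Open(c Context) *Session { return &Session{Ctx: c, Active: Evaluate(c).Allow} }

// Update applies a fresh signal (say, the endpoint agent reporting a posture change) and
// re-runs the policy; once revoked, a session stays revoked.
func (s *Session) Update(signal func(*Context)) Decision {
	signal(&s.Ctx)
	d := Evaluate(s.Ctx)
	s.Active = s.Active && d.Allow
	return d
}
```

The order of checks is the point: the role table answers "may this identity ever do this" before any signal is looked at, so a developer never reaches prod-db however healthy the laptop; posture then gates sensitive resources outright; only after that does the risk score decide between allow, step-up and deny. OnCorpNetwork is carried in the context but never read, which is the code-level form of "focus on identity, not network location".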
Evolving from perimeter VPN models to zero trust networks enables organizations to keep pace with cloud adoption, mobile workforces, and distributed technology ecosystems.
Key drivers of this evolution include:
- Limitations of traditional VPN architecture - Inflexible, complex, traffic bottlenecks
- Advances in identity management - Granular user/role access controls
- Ubiquitous encryption - End-to-end protection of data in transit and at rest
- Dynamic cloud networks - Require continuous security monitoring and context-aware controls
With careful planning and implementation, organizations can transition to zero trust in an incremental way. The result is networks that provide only essential access based on least privilege principles, while enabling users to securely connect from anywhere on any device.