Updated May 15, 2023. Originally published October 27, 2021.
As an security professional, you’re likely accustomed to user complaints about the speed and stability of their VPNconnections. Employees need to quickly access systems and stream video calls but are constantly getting disconnected or experiencing disruptions of service due to poor VPN performance. Have you ever stopped to think about why this is?
This blog post will explain how VPNs work, why they gobble up bandwidth, and what you can do about it.
Virtual Private Networks (VPNs) are virtual tunnels that connect networks to one another in order to enable communication. VPNs were introduced years ago as a point solution to enable branches and remote employees to connect to the corporate network, from time to time. They were never designed or intended to support entire companies working from home, and it is therefore not unexpected that VPNs are struggling to keep up with the modern world's demand for secure remote access. Indeed, as volumes of traffic continue to grow and global remote connectivity needs skyrocket, VPNs are proving to be a bulky, slow and insufficiently secure solution.
VPNs typically work by “stacking” network protocols one on top of another in order to transport payloads between private networks over the public internet. Three of the most common VPN protocols today are IPSec, PPTP and L2TP.
These protocols operate differently from one another at the technical level, but the following statements are generally true for all of them:
They are stateful protocols and require a “heavy” negotiation and a “handshake” before the connection is established.
They typically require “exotic” network configuration like UDP 500, TCP 1701 and IP protocol number 50 - which are not typically open in firewalls along the way, and some countries may even block them entirely.
As these protocols “stack” the user payload inside of them, they typically bloat the payload and can add anywhere from 10 to 25 percent of overhead!
In addition, VPN packets are routed through the public internet’s best effort route. This is not always the most optimized or efficient way to connect to a given site, which can result in latency and low performance.
As you've no doubt experienced yourself, connecting and routing via a VPN may take a very long time. And until the VPN does connect, users cannot access business resources and be productive. Even a simple reconnect due to a network failure could take an extended amount of time.
This delay becomes especially problematic when users need to connect to a variety of different sites. When establishing a VPN connection, the user is required to choose which site to connect to before the session starts. For example, “US-WEST” vs “US-EAST.” If resources are needed from another site, the user must disconnect and then reconnect, adding even more wasted time and inefficiency.
All users are impacted if they have to connect through VPNs. However, poor VPN performance especially affects users who:
Require real-time streaming, like video calls or online games
Use applications that require low latency, like RDP and CAD
Operate in environments with limited bandwidth
The Cyolo zero-trust access solution uses the HTTP/2 over TLS protocol to transport user payloads. HTTP/2 is a stateless protocol, which means it does not require a heavy handshake in the beginning. As a result, HTTP/2 does not add a lot of overhead to the payloads. TLS is one of the most popular protocols on the internet and thus it is seldom blocked.
Since this typical internet protocol is not blocked or stateful, access is provided to all approved sites immediately, without having to choose which site to connect to or requiring the user to disconnect from one site in order to connect to another. This ensures a smooth process that powers business agility.
In addition, encapsulation takes place directly over HTTP/2 over TLS, which adds only minimal bloat to the packets and contributes to quick and optimized routing. Finally, when routing these packets, they are optimized over the congestion-free AWS network to ensure speed and stability.
Let’s look at a comparison of the two connectivity solutions.
Cyolo Zero-Trust Access
Stateful - requires negotiation
Single - one site at a time
Multiple - all sites at any time
Many additional layers
Distributed systems, cloud connectivity and remote work all require IT systems to find new and more innovative ways to ensure a secure and efficient connection for employees.
To learn more about replacing or augmenting your VPN with zero-trust access, click here or schedule a meeting with our team.
Eran Shmuely is the Chief Architect and Co-Founder of Cyolo. Prior to Cyolo, Eran was the Senior Security Engineer at Salesforce and the Open-Source Security Research Leader at GE Digital.