| technology | system admin - David Chapman
Why VPNs Will Be Obsolete in 2021
Virtual private networks (VPNs) are becoming more obsolete, largely due to web applications being internet accessible and as powerful as their thick client predecessors that required VPNs. Plus, they are already encrypted with strong and robust cryptographic protocols like TLS.
In recent years, TLS has evolved more dynamically and stayed more secure than its VPN counterpart. With the rollout of IPv6, drivers that required NAT and VPN will be going away once IPv4 is fully deprecated. Viable alternatives exist such as bastion hosts and web gateways that mitigate the need for site-to-site tunnels for administrative purposes.
How and where people consume these services has changed over time as well. Previously, employees would just access them at their office via work computer. Today, people want to be able to use tablets, smart phones, home computers, wherever they are. They do not want to be bothered with VPN software. To understand why VPNs are obsolete, it is helpful to understand why we needed them in the first place.
VPNs Used to Be Necessary
We take for granted the need for VPNs today. We understand that our corporate networks usually have private internal IP addresses and do not question it much. It is easy to think, "this is just how it is". More than 25 years ago, this was not the case. In the early 1990s, it was common for workstations and servers to be directly assigned a public IP.
Stateful firewalls were non-existent. Packet filtering, if any, was done on the internet or edge router. Usually these had enough CPU for a handful of rules before performance became an issue. Servers that provided publicly accessible services were already online because of this — allowing it may have just been a matter of adding an ACL to the Internet router.
As public IP space started to exhaust, we started seeing some RFCs to deal with the issue, such as RFC 1597, RFC 1631 and RFC 1918. Using RFC 1918-compliant addresses started causing new issues. Design decisions had to be made, such as, whether publicly accessible servers would still be given a direct public IP address or a private IP address. If given a private IP address, certain protocols did not play well with NAT. FTP is one such protocol still in existence due to the fact that it carries important IP and port connectivity details in the payload of the packet.
IT pros needed ways to tunnel private addresses from one location to another over the internet in order to help avoid costly private circuits. End users needed a way to connect into these resources remotely or from other locations. To help meet this need, stateful firewalls started coming out with enough power to handle NAT, protocol "fixups", and VPN tunnels. If you wanted to access a Microsoft Exchange server pre Exchange 2003 (which supported RPC over HTTPS), you had to VPN in or use a Terminal Server. Again, this was the case for many applications because the protocols to access them did not play well with NAT. During this time, websites were fairly static.
1. Modern Web Applications Are Already Secure
Today, nearly all major applications are web-based or use web services. Accounting software, file sharing services, video conferencing, and chat applications are all accessible through the web browser. No installation is required. All that is required is to have an updated browser and you are good to go. A decade ago, we were still having to use plugins for web browsers to get here. Further back, those types of applications required thick clients along with a VPN client.
With improving web application frameworks and platforms, more has been achievable via web browsers. Company equipment is not necessarily required to access the data. Employees can be provisioned lower-end and more cost-effective devices based on need. By doing this, data is much easier to protect.
2. TLS is a VPN of Sorts
One issue that's always raised is security. HTTP by nature is plain text. It relied upon SSL in the day and now TLS in order to encrypt and secure that traffic. Initially, SSL was just used for web pages, but then started extending to mail server connectivity. Now it can be used as a secure application tunnel for a variety of things.
The past five years, security in terms of web applications and internet-accessible applications, has been rapidly increasing. As a result, it's hard to find a site or web service that is not fully secured with TLS. Browsers now warn users when a site is not fully encrypted or dependencies are not encrypted. They have also started to be highly verbose when crypto ciphers being used by the servers are not secure enough. In many cases, they completely block the user from accessing that resource.
Much of the traffic that traverses the internet now is encrypted using TLS. Other standards are pushing for or requiring internal network traffic to be fully encrypted as well. Further encrypting only wastes resources, increases costs and decreases performance. TLS encryption is constantly evolving and will negotiate up when possible. When a server starts supporting a new TLS version, it will announce that to the clients connecting. If they support it, the connections will start using it.
On the other hand, servers and load balancers can set minimum TLS versions to set a base standard easily. It is also up to the server to choose a viable cipher that the client offers. It can reject the connection if it deems the available ciphers weak. With Site-to-Site IPsec tunnels, the encryption mechanisms are hard coded and do not upgrade in the same manner. They are not usually changed or upgraded unless an audit indicates findings that requires it. Some of these tunnels purposefully use lower encryption settings due to performance as the hardware can not keep up with configuring the strongest encryption available at the time of standing up the VPN.
The Payment Card Industry Data Security Standard is a huge driver for the increase in security. PCI DSS 4.0 requires end-to-end encryption in areas that previously did not require it. Many legacy protocols are even being encapsulated in a TLS tunnel to help maintain security. Regular users are demanding end-to-end encrypted chat communication and storage on their personal devices. Encryption is here to stay — even without VPN.
3. IPv6 Has Plenty of IP Addresses
The exhaustion of IPv4 space led to the need for private addresses. This pushed many organizations into NAT and VPNs. IPv6 has been kicking around for a few decades, but at some point it will have to be fully adopted. It promises to have enough IP space for quite some time.
From an exhaustion perspective, it will be unnecessary to use private IPs. Some organizations may choose to have private IPv6 addresses, but many will just put workstations and servers directly on the Internet to avoid NAT and other complications. Either way, they will be put behind the latest generation of firewalls, though, unlike the initial rollout of IPv4 systems.
4. Total Cost of Ownership for VPNs
The total cost of ownership for VPN can be expensive. Many large organizations have dedicated VPN termination points that are highly available. Encrypting and decrypting VPN traffic requires a bit more CPU than just routing the traffic or even doing stateful inspection. In addition to hardware costs, there are licensing costs for various VPN functionality. Some vendors require you to license IPsec functionality while others provide that freely as a base feature, but charge a premium for Point to Site (user VPN) clients and are tiered based on feature.
If your organization uses VPN quite extensively, you have a dedicated network administrator just for them. Spinning up new VPNs can be complicated, particularly if the other end has an overlapping IP range and NAT needs to be involved. It requires coordination with the other entity/location and the encryption settings need to be identical. If you only have a few tunnels, you may not have a network administrator and struggle to set them up and support them.
5. Alternatives to VPNs Exist
Another technology that has been around since the 1990s seems to be resurfacing in new use cases: the bastion host. Some people call it a jump box, but it is simply a highly secured server that allows people to connect to further secured resources.
For Windows, this may be a remote desktop gateway that listens over HTTPS/443 to protect your RDP/3389 servers. On Unix, it may be a highly secured SSH server where SSH might listen on a non standard port. Azure has been busy rolling out a dedicated service offering for this called "Bastion" over the past 6-8 months that minimizes the configuration necessary for end users.
VPNs Won't Disappear Overnight
There are still some cases where VPNs are needed. Many environments that depend on them will not change overnight or possibly ever. Sprawling Active Directory topologies are one example. Organizations with extensive private networks will not go through a re-IP "just because".
Larger businesses are unlikely to re-architect, but newer and smaller businesses are opting for technologies like Azure AD along with joining machines directly to Azure AD in scenarios that support it. This waives the need for VPN.