Virtualization Technology News and Information
It's Time to Retire the Hero of the Covid era, the IPSec VPN

By John Spiegel, Director of Strategy, Axis

We are quickly approaching 3 years since our concept of work changed. On March 11th, 2020, the WHO declared Covid-19 a pandemic. During the next 7 days, the world shifted quickly. Impacts were life-altering. For those in IT, the scramble was on to create the conditions for remote work. The survival of the company depended on it. A few adopted new approaches while the majority doubled down on a solution with origins in the mid-1990s. Yes, you read that right. Back when Coolio released "Gangsta's Paradise" and TLC sang about "Waterfalls", the IPSec VPN was born.

25 years later, the IPSec VPN was the technology that saved the world from certain economic disaster. Is it a hero technology? Well, it depends on your vision of a hero. To me, the technology represents a worn-out version of Marvel's X-Force. They've fought many battles and suffered injuries, and now their timing is off. As a result, they are a risk to themselves and to those who want to do good. It's time to retire them. All of this said, the IPSec VPN had a good run. The technology that allowed for secure remote work was a linchpin for interconnecting branch locations over the Internet and was a core technology for SD-WAN. But now, like an old group of superheroes, time is taking its toll. IPSec's code base has grown (now estimated at 400K lines of code for OpenVPN), the security vulnerabilities are piling up, and bad cyber actors are targeting it.

A study by the Alliance Virtual Office stated there has been a 238% rise in attacks against remote workers.  In the same study, 69% reported using home equipment for work duties, 70% reported using their work devices for personal use and 30% allowed others outside their organization to use their office devices.  Add to this, attacks like ransomware continue to mount, accounting for 20% of cyber breaches by 2022 with the average ransom increasing by 171% to $312,000.  Then there is this. The cost of a single breach is now estimated at $4.54 million.  Meanwhile, the costs to launch these attacks are declining. The average ransomware attack costs roughly $1000 to get to the point where the "Enter" button is pressed.  Taken all together, it is time for a new approach. 

Enter the Security Service Edge, or SSE. The term was coined by the analyst firm Gartner in 2019 as part of its Secure Access Service Edge (SASE) framework. The concept was targeted at addressing the dilemma posed by cloud and cloud services like SaaS and PaaS. Previously, inserting security into networking forced a tough decision. IT leaders faced a choice: do I secure the network traffic and impact an application's performance and, as a consequence, employee productivity? Or do I hope for the best? This was due to where security services were located, mainly in the corporate data center or a regional hub. As a result, traffic had to be diverted and run through a series of expensive sheet-metal pizza-box devices which, more often than not, did not integrate in any way. The penalty for doing so could be a 20% to 50% performance hit. As a result, most IT leaders preferred to leave the traffic untreated.

SASE and SSE changed the game. Instead of centralized or regional locations for security processing, SASE and SSE leverage remote points of presence (PoPs) located close to the source of the traffic, often a branch office or remote worker. The result: increased performance, with security too! Game changer!!! Yes, but there is sometimes a downside... many of the traditional networking vendors quickly transitioned to this space. To pivot quickly, their new SASE or SSE service continued to use the traditional always-on IPSec VPN. Why? It was something already built into their product, and the cost to re-engineer was not palatable. So: new framework, old technology as the foundation. Not ideal if you are a customer looking to protect your company against this new landscape of cyber threats to the emerging hybrid workforce.

What is to be done? Who or what will replace the IPSec VPN? And what should you ask when considering a transition to SASE and SSE? First, consider your objectives and take inventory of your network and security portfolios. What is your most significant risk? What are you looking to protect, and finally, can you optimize your budget in the process? Once you've done that, create a short list of vendors. As you discuss your project with them, ask about their usage of IPSec. Is it a foundation of their product or not? If IPSec is their only option, think hard. Several vendors in the space have replaced the IPSec VPN with WireGuard. WireGuard is the faster, more secure version of the superhero. It is the next generation. WireGuard clocks in at 4000 lines of code, has a minimal attack surface, provides high performance, and most critically is cryptographically sound. Another critical point to consider is that IPSec VPNs maintain an active connection. What this means is that while the agent or client is active, a tunnel exists between the endpoint device and the home network. This attaches the device directly to the network, often with little to no security inspection. Therefore, a bad actor can hitch a ride onto the corporate network like a ghost following you home. WireGuard, on the other hand, does not require an always-on connection. It only activates when there is a request for access to an application. Further, when included as part of an SSE platform, the system can run a series of checks: is the traffic normal, does the device have the correct credentials, is the anti-virus active, and so on? If there is a change in state, the connection can be severed in seconds. Greater security as well as visibility.
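As an added illustration (not code from the article, from Axis, or from any SSE product), here is a minimal Python model of the per-application, posture-gated access just described: a session opens only when a specific application is requested, every request re-checks device state, and a change in state severs the device's sessions. The policy table, the three posture checks and the class names are hypothetical.

```python
"""Constructed model of per-application access with continuous posture checks.
Contrast with an always-on network tunnel: a user reaches only the app they
were granted, and a posture change revokes access instead of leaving the
device attached to the network."""
from dataclasses import dataclass, field

@dataclass
class DevicePosture:
    # Hypothetical posture signals, mirroring the checks named in the text
    credentials_valid: bool = True
    antivirus_active: bool = True
    traffic_normal: bool = True

@dataclass
class AccessBroker:
    policy: dict                                   # app -> set of allowed users (constructed)
    sessions: dict = field(default_factory=dict)   # (user, app) -> True while a session is open
    log: list = field(default_factory=list)        # decision trail for visibility

    def failed_checks(self, posture: DevicePosture) -> list:
        """Return the names of posture checks that fail; empty means healthy."""
        failed = []
        if not posture.credentials_valid:
            failed.append("credentials")
        if not posture.antivirus_active:
            failed.append("antivirus")
        if not posture.traffic_normal:
            failed.append("traffic")
        return failed

    def request(self, user: str, app: str, posture: DevicePosture) -> bool:
        """Open a session for this one app, only if policy and posture both allow it."""
        if user not in self.policy.get(app, set()):
            self.log.append(f"deny {user}->{app}: not authorized for this app")
            return False
        failed = self.failed_checks(posture)
        if failed:
            self.log.append(f"deny {user}->{app}: posture failed {failed}")
            return False
        self.sessions[(user, app)] = True
        self.log.append(f"allow {user}->{app}")
        return True

    def reevaluate(self, user: str, posture: DevicePosture) -> list:
        """Continuous check: sever every open session of a device whose state changed."""
        failed = self.failed_checks(posture)
        revoked = []
        if failed:
            for key in [k for k in self.sessions if k[0] == user]:
                del self.sessions[key]
                revoked.append(key[1])
                self.log.append(f"revoke {user}->{key[1]}: posture failed {failed}")
        return revoked
```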

As we approach March 2023, it is time to retire the superhero who saved the world.  IPSec has had a good run but now there are better solutions on the scene!  As you make the transition to SASE and SSE, thank the hero but know a new one is on the block to protect us all. 


John Spiegel has 25 years of experience running global networks and managing infrastructure. He is an industry pioneer in software defined networking (SDN) and software defined WANs (SD-WAN). John has spoken on the topic network transformation at industry conferences such as Gartner, InterOp, VMWorld, Palo Alto Networks Ignite as well as executive roundtable discussions. He has also been a customer advisor to companies like VMware, Palo Alto Networks and Cisco Systems. Disruptive startups have also leveraged John's knowledge to bring products to market resulting in successful exits. When not helping companies on their journey to modernize and secure their networks, John can be found cycling on the backroads of Oregon.

Published Wednesday, March 01, 2023 7:34 AM by David Marshall