Introduction
Virtual Private Network (VPN) is a technology that creates a secure, encrypted connection over a public network, such as the Internet, to access corporate resources and services. VPN is widely used by remote workers and mobile users who need to connect to their organisation's network and applications. However, VPN also has limitations and challenges, such as performance degradation, bandwidth consumption, complexity, and security risks.
Secure Access Service Edge (SASE) is a newer concept that combines network and security functions into a unified cloud-based service. SASE aims to provide secure and fast access to any application, anywhere, on any device. SASE solutions, such as Zscaler and Microsoft Entra Global Secure Access, leverage modern security approaches, such as zero trust network access (ZTNA), cloud access security broker (CASB), and software-defined perimeter (SDP), to protect the data and identity of users and devices.
The purpose of the next sections is to assess broadly how VPN and SASE solutions can be used to access corporate resources and services (cloud-based and non-cloud-based). They contrast the five main VPN options and their advantages and disadvantages from a network speed, reliability, high availability and security point of view, and suggest either a VPN option or a No VPN option that uses modern security methods and functions.
VPN Options
There are five main VPN options that can be used to access corporate resources and services. They are:
- VPN Forced Tunnel: 100% of traffic goes into the VPN appliance, including on-premise, Internet, and all SaaS/M365 traffic
- VPN Forced Tunnel with few exceptions: VPN tunnel is used by default (default route points to VPN), with a few of the most important scenarios exempted and allowed to go direct
- VPN Forced Tunnel with broad exceptions: VPN tunnel is used by default (default route points to VPN), with broad exceptions that are allowed to go direct (such as all Microsoft 365, All Salesforce, All Zoom)
- VPN Selective Tunnel: VPN tunnel is used only for corpnet-based services (typically on-premise). Default route (Internet and all Internet-based services) goes direct.
- No VPN: A variation of #2. Instead of legacy VPN, all corpnet services are published through modern security approaches (like Zscaler and Microsoft Entra Global Secure Access)
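The routing rule that distinguishes the five options can be made concrete in code. The following is an added example, not code from the original article or from any VPN or SASE vendor: it classifies each destination as corpnet or Internet, applies the rule of the chosen option, and reports what share of a set of sample flows still crosses the VPN appliance, which is the bandwidth cost the comparison below turns on. The corpnet prefixes, the two exception lists and the sample flows are constructed values; a real deployment would take them from the VPN profile and from the SaaS vendors' published endpoint lists.

```python
"""Routing decision for the five VPN options listed above.

Added example (not from the original article). The corpnet prefixes, the
exception lists and the sample flows are constructed values.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List


class Option(Enum):
    FORCED = "VPN Forced Tunnel"
    FORCED_FEW_EXCEPTIONS = "VPN Forced Tunnel with few exceptions"
    FORCED_BROAD_EXCEPTIONS = "VPN Forced Tunnel with broad exceptions"
    SELECTIVE = "VPN Selective Tunnel"
    NO_VPN = "No VPN"


# Constructed: address space reachable only through corpnet.
CORPNET_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.100.0/24")]
# Constructed: with "few" exceptions only the most latency-sensitive SaaS hosts go direct.
FEW_EXCEPTIONS = {"teams.microsoft.com"}
# Constructed: with "broad" exceptions whole SaaS products go direct.
BROAD_EXCEPTIONS = {"microsoft.com", "office.com", "salesforce.com", "zoom.us"}


@dataclass(frozen=True)
class Flow:
    host: str   # destination name as seen by the client
    ip: str     # address the name resolved to


def is_corpnet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPNET_PREFIXES)


def matches_suffix(host: str, suffixes: Iterable[str]) -> bool:
    """True if host is one of the suffixes or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def route(option: Option, flow: Flow) -> str:
    """Return where the flow is sent: 'vpn', 'direct' or 'sase'.

    A corpnet address is never sent direct, whatever the host name says, so a
    SaaS name that resolves to an internal address still goes through the tunnel.
    """
    corp = is_corpnet(flow.ip)
    if option is Option.FORCED:
        return "vpn"
    if option is Option.FORCED_FEW_EXCEPTIONS:
        return "direct" if not corp and matches_suffix(flow.host, FEW_EXCEPTIONS) else "vpn"
    if option is Option.FORCED_BROAD_EXCEPTIONS:
        return "direct" if not corp and matches_suffix(flow.host, BROAD_EXCEPTIONS) else "vpn"
    if option is Option.SELECTIVE:
        return "vpn" if corp else "direct"
    if option is Option.NO_VPN:
        # Corpnet services are reached through the SASE/ZTNA broker; Internet
        # traffic leaves via the local breakout, where a SASE client can inspect it.
        return "sase" if corp else "direct"
    raise ValueError(f"unknown option {option}")


def vpn_share(option: Option, flows: List[Flow]) -> float:
    """Fraction of flows that traverse the VPN appliance (the table's bandwidth cost)."""
    if not flows:
        return 0.0
    return sum(route(option, f) == "vpn" for f in flows) / len(flows)


# Constructed sample flows; public addresses come from documentation ranges, not real endpoints.
SAMPLE_FLOWS = [
    Flow("intranet.corp.example", "10.1.2.3"),
    Flow("fileserver.corp.example", "192.168.100.10"),
    Flow("teams.microsoft.com", "198.51.100.1"),
    Flow("outlook.office.com", "198.51.100.2"),
    Flow("login.salesforce.com", "203.0.113.1"),
    Flow("example.com", "203.0.113.2"),
]

if __name__ == "__main__":
    for opt in Option:
        print(f"{opt.value:42} VPN share {vpn_share(opt, SAMPLE_FLOWS):.0%}")
        for f in SAMPLE_FLOWS:
            print(f"    {f.host:26} -> {route(opt, f)}")
```

Running the block prints, for each option, the share of the six sample flows that still cross the VPN (100% for the forced tunnel, 50% with broad exceptions, a third for the selective tunnel, 0% for No VPN) and the per-flow decision. The `not corp` guard in the exception branches is deliberate: the decision is made on the resolved address as well as the name, so an exception list cannot be used to pull internal traffic out of the tunnel.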
Pros and Cons of VPN Options
The following table summarizes the pros and cons of each VPN option from a network speed, reliability, high availability and security perspective.
| VPN Option | Pros | Cons |
|---|---|---|
| VPN Forced Tunnel | 1. Simple and consistent configuration; 2. Centralised network and security policies; 3. Full visibility and control of traffic | 1. High bandwidth consumption and cost; 2. Poor user experience and productivity; 3. Low scalability and resilience; 4. Ongoing maintenance, hardware upgrades and management |
| VPN Forced Tunnel with few exceptions | 1. Reduced bandwidth consumption and cost; 2. Improved user experience and productivity for exempt scenarios; 3. Centralised network and security policies for most traffic; 4. Full visibility and control of most traffic | 1. Complex and inconsistent configuration; 2. Poor user experience and productivity for non-exempt scenarios; 3. Low scalability and resilience for non-exempt scenarios; 4. Potential security risks due to VPN bypass or compromise (unless a cloud solution is used to protect SaaS services); 5. Ongoing maintenance, hardware upgrades and management |
| VPN Forced Tunnel with broad exceptions | 1. Significantly reduced bandwidth consumption and cost; 2. Significantly improved user experience and productivity for exempt scenarios; 3. Centralised network and security policies for most traffic; 4. Full visibility and control of most traffic | 1. Very complex and inconsistent configuration; 2. Poor user experience and productivity for non-exempt scenarios; 3. Low scalability and resilience for non-exempt scenarios; 4. Potential security risks due to VPN bypass or compromise (unless a cloud solution is used to protect SaaS services); 5. Ongoing maintenance, hardware upgrades and management |
| VPN Selective Tunnel | 1. Minimal bandwidth consumption and cost; 2. Optimal user experience and productivity for all scenarios; 3. High scalability and resilience for all scenarios; 4. Centralised network and security policies for corpnet-based services; 5. Full visibility and control of corpnet-based services | 1. Complex and inconsistent configuration; 2. Lack of network and security policies for Internet-based services; 3. Lack of visibility and control of Internet-based services; 4. Potential security risks due to VPN bypass or compromise (unless a cloud solution is used to protect SaaS services); 5. Ongoing maintenance, hardware upgrades and management |
| No VPN | 1. No bandwidth consumption and cost for VPN; 2. Optimal user experience and productivity for all scenarios; 3. High scalability and resilience for all scenarios; 4. Modern and consistent security policies for all services; 5. Full visibility and control of all services | 1. Requires SASE solutions and integration; 2. Requires identity and device management; 3. Requires cloud and network optimisation |
Recommendation
Based on the comparison of the VPN options, the recommendation is to use either the VPN Selective Tunnel option or the No VPN option, depending on the availability and feasibility of the SASE solutions and integration. Both options offer the best network speed, reliability, high availability and security for accessing corporate resources and services.
The VPN Selective Tunnel option is suitable for organisations that have a mix of corpnet-based and Internet-based services, and that want to reduce the VPN bandwidth consumption and cost, and improve the user experience and productivity, while maintaining the network and security policies for the corpnet-based services. However, this option also requires complex and inconsistent configuration, and lacks network and security policies for the Internet-based services (such as Microsoft 365).
The No VPN option is suitable for organisations that have mostly Internet-based services, and that want to eliminate the VPN bandwidth consumption and cost and optimise the user experience and productivity, while applying modern and consistent security policies to all services. This option also provides full visibility and control of all services, and leverages the features of the SASE solutions, such as Zscaler, Entra Global Secure Access (GSA) and FortiGate FortiSASE. However, this option also requires SASE solutions and integration, identity and device management, and cloud and network optimisation.
Some of the features of the SASE solutions that improve the security posture over a traditional VPN are:
- Tenant restriction option (feature of Microsoft Entra): This feature allows the organisation to restrict access to its cloud services to authorised devices and users, and to block access from any unauthorised or compromised devices or users.
- Conditional Access (feature of Microsoft Entra): This feature allows the organisation to enforce granular and dynamic policies based on the context of the user, device, location, application and data, and to grant or deny access accordingly.
- Continuous Access Evaluation (feature of Microsoft Entra): This feature allows the organisation to monitor and evaluate the security posture of the user and device continuously, and to adjust the access level or revoke access if any changes or anomalies are detected.
- Multi-platform support: This feature allows the organisation to support and secure access from any device and platform, such as Windows, Android, Mac, Linux and iOS.
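The difference between the first three features and a traditional VPN is a difference in when and on what the access decision is made. The following is an added example, not code from the original article and not Microsoft Entra code: it models the same behaviour in plain Python, with a tenant restriction, Conditional Access style rules evaluated over user, device, location and application context, and Continuous Access Evaluation, where a critical event raised after a token was issued, or a request from an unexpected location, ends the session before the token's lifetime has run out. The tenant name, trusted IP range, token lifetime, event feed and scenario are all constructed sample values, and the rule set is a simplified illustration, not Entra's policy model.

```python
"""Context-based access decision with continuous re-evaluation.

Added example (not from the original article, not Microsoft Entra code).
Tenant names, IP ranges, lifetimes and events are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOWED_TENANTS = {"contoso.example"}                          # constructed tenant restriction
TRUSTED_LOCATIONS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed office egress range
TOKEN_LIFETIME_SECONDS = 3600                                  # constructed token lifetime
CRITICAL_EVENTS = {"user_disabled", "password_changed", "risk_detected"}


@dataclass(frozen=True)
class Context:
    """Signals available at sign-in or at each request."""
    user: str
    tenant: str
    app: str
    source_ip: str
    device_compliant: bool
    mfa_satisfied: bool


def in_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_LOCATIONS)


def evaluate_access(ctx: Context) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'grant', 'deny' or 'require_mfa'.

    Rules are checked from most to least severe, so the first failing rule is reported.
    """
    if ctx.tenant not in ALLOWED_TENANTS:
        return "deny", f"tenant restriction: {ctx.tenant} is not an allowed tenant"
    if not ctx.device_compliant:
        return "deny", "device is not compliant"
    if not in_trusted_location(ctx.source_ip) and not ctx.mfa_satisfied:
        return "require_mfa", "sign-in from outside a trusted location"
    return "grant", "all conditions satisfied"


@dataclass(frozen=True)
class Token:
    user: str
    issued_at: int              # seconds on a constructed clock
    issued_from_trusted: bool   # location condition the token was issued under


def issue_token(ctx: Context, now: int) -> Optional[Token]:
    decision, _ = evaluate_access(ctx)
    if decision != "grant":
        return None
    return Token(ctx.user, now, in_trusted_location(ctx.source_ip))


def valid_by_expiry(token: Token, now: int) -> bool:
    """Classic behaviour: a token is honoured until it expires."""
    return now - token.issued_at < TOKEN_LIFETIME_SECONDS


def valid_with_cae(token: Token, now: int, request_ip: str,
                   events: List[Tuple[int, str, str]]) -> bool:
    """CAE behaviour: expiry, plus critical events and location changes after issuance.

    `events` holds (timestamp, user, kind) tuples published by the identity provider.
    """
    if not valid_by_expiry(token, now):
        return False
    for ts, user, kind in events:
        if user == token.user and ts > token.issued_at and kind in CRITICAL_EVENTS:
            return False
    # A token issued under the trusted-location condition is not honoured from elsewhere.
    if token.issued_from_trusted and not in_trusted_location(request_ip):
        return False
    return True


def demo() -> dict:
    """Constructed scenario: sign-in at t=0, user disabled at t=600, requests checked at t=1200."""
    ctx = Context("alice", "contoso.example", "intranet", "203.0.113.10", True, False)
    token = issue_token(ctx, now=0)
    assert token is not None
    events = [(600, "alice", "user_disabled")]
    return {
        "expiry_only": valid_by_expiry(token, 1200),
        "cae": valid_with_cae(token, 1200, "203.0.113.10", events),
        "cae_other_user": valid_with_cae(token, 1200, "203.0.113.10", [(600, "bob", "user_disabled")]),
        "cae_moved": valid_with_cae(token, 1200, "198.51.100.7", []),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} session still valid: {ok}")
```

In the constructed scenario the expiry-only check still accepts the disabled user's session at t=1200 because the token has 40 minutes left, while the CAE check rejects it at the first request after the event, rejects a request from outside the trusted range, and leaves another user's session untouched. That gap between token lifetime and revocation is exactly what a VPN that authenticates once at connection time cannot close.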
Useful reference materials:
- What is Global Secure Access? – Global Secure Access | Microsoft Learn
- Learn about the Global Secure Access clients for Microsoft Entra Private Access and Microsoft Entra Internet Access – Global Secure Access | Microsoft Learn
- Zscaler Internet Access | AI-Powered Security Service Edge
- SASE Solution – Secure Access Service Edge | Fortinet
- Pulse Secure: Secure Access Made Easy | Ivanti
Final Note: Microsoft Entra Global Secure Access is a fairly new service and some of its features are still in preview, which means that as of writing they are not yet fully functional. However, the technology is built on services that are well established and widely used, such as Application Proxy, Conditional Access and Continuous Access Evaluation. It might be a good idea to evaluate the use of VPN Selective Tunnel and Entra GSA together. Entra GSA could be applied to Microsoft 365 traffic: that traffic would go directly from the local Internet breakout and be secured by Entra GSA.