
Evaluating VPN and SASE Options for Secure and Reliable Access

A comparison of five VPN options and their network and security implications

Introduction

A Virtual Private Network (VPN) creates a secure, encrypted connection over a public network such as the Internet so that users can reach corporate resources and services. VPNs are widely used by remote and mobile workers who need to connect to their organisation’s network and applications. However, VPNs also have limitations and challenges, such as performance degradation, bandwidth consumption, complexity and security risks.

Secure Access Service Edge (SASE) is a newer model that combines network and security functions into a unified cloud-delivered service. SASE aims to provide secure and fast access to any application, from anywhere, on any device. SASE solutions such as Zscaler and Microsoft Entra Global Secure Access apply modern security approaches, such as zero trust network access (ZTNA), cloud access security broker (CASB) and software-defined perimeter (SDP), to protect the data and identity of users and devices.

The next sections assess, at a high level, how VPN and SASE solutions provide access to corporate resources and services (cloud and non-cloud based). They contrast the five main VPN options and their advantages and disadvantages from a network speed, reliability, high availability and security point of view, and then recommend either a VPN option or a No VPN option that uses modern security methods and functions.

VPN Options

There are five main VPN options that can be used to access corporate resources and services. They are:

  • VPN Forced Tunnel: 100% of traffic goes through the VPN appliance, including on-premise, Internet, and all SaaS/M365
  • VPN Forced Tunnel with few exceptions: VPN tunnel is used by default (default route points to VPN), with a few of the most important scenarios exempted and allowed to go direct
  • VPN Forced Tunnel with broad exceptions: VPN tunnel is used by default (default route points to VPN), with broad exceptions that are allowed to go direct (such as all Microsoft 365, all Salesforce, all Zoom)
  • VPN Selective Tunnel: VPN tunnel is used only for corpnet-based services (typically on-premise). Default route (Internet and all Internet-based services) goes direct.
  • No VPN: A variation of #2. Instead of legacy VPN, all corpnet services are published through modern security approaches (like Zscaler and Microsoft Entra Global Secure Access)
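As an added example (not code from the original article), the following Python model expresses the five options as a default route plus specific overrides and applies longest-prefix matching to decide whether a destination goes through the VPN or direct. The prefixes are constructed placeholders, and the sase flag stands in for a cloud solution protecting direct SaaS traffic, the caveat the pros and cons section raises.

```python
from ipaddress import ip_address, ip_network

# Constructed sample prefixes for this example only; they are NOT real
# Microsoft 365, Salesforce or corpnet ranges.
CORPNET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SAAS_EXEMPT = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


def make_policy(option):
    """Return (default_path, specific_routes, cloud_secured) for a VPN option.

    default_path is where the default route points ("vpn" or "direct");
    specific_routes lists (network, path) overrides; cloud_secured is True
    only for the No VPN option, where every service is published through SASE.
    """
    if option == "forced":
        return "vpn", [], False
    if option == "forced_few_exceptions":
        # only the single most important SaaS prefix is exempted
        return "vpn", [(n, "direct") for n in SAAS_EXEMPT[:1]], False
    if option == "forced_broad_exceptions":
        return "vpn", [(n, "direct") for n in SAAS_EXEMPT], False
    if option == "selective":
        return "direct", [(n, "vpn") for n in CORPNET], False
    if option == "no_vpn":
        return "direct", [], True
    raise ValueError(f"unknown option: {option}")


def route(option, dst, sase=False):
    """Classify one destination as (path, policy_enforced).

    Longest-prefix match decides the path; the default route applies when no
    specific route matches. policy_enforced mirrors the caveat in the pros and
    cons: traffic entering the VPN is inspected by the on-premises stack, while
    traffic going direct is covered only when a cloud (SASE) solution protects it.
    """
    default, routes, cloud_secured = make_policy(option)
    addr = ip_address(dst)
    matches = [(net.prefixlen, path) for net, path in routes if addr in net]
    path = max(matches, key=lambda m: m[0])[1] if matches else default
    enforced = path == "vpn" or sase or cloud_secured
    return path, enforced


def coverage(option, destinations, sase=False):
    """Fraction of destinations that end up under some security policy."""
    hits = sum(route(option, d, sase)[1] for d in destinations)
    return hits / len(destinations)
```

Running coverage() over a representative destination list shows why the Selective Tunnel option leaves Internet-bound traffic unprotected unless a cloud solution is added.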

Pros and Cons of VPN Options

The following summary lists the pros and cons of each VPN option from a network speed, reliability, high availability and security perspective.

VPN Forced Tunnel

  Pros:
  • Simple and consistent configuration
  • Centralised network and security policies
  • Full visibility and control of traffic

  Cons:
  • High bandwidth consumption and cost
  • Poor user experience and productivity
  • Low scalability and resilience
  • Ongoing maintenance, hardware upgrades and management

VPN Forced Tunnel with few exceptions

  Pros:
  • Reduced bandwidth consumption and cost
  • Improved user experience and productivity for exempt scenarios
  • Centralised network and security policies for most traffic
  • Full visibility and control of most traffic

  Cons:
  • Complex and inconsistent configuration
  • Poor user experience and productivity for non-exempt scenarios
  • Low scalability and resilience for non-exempt scenarios
  • Potential security risks due to VPN bypass or compromise (unless a cloud solution is used to protect SaaS services)
  • Ongoing maintenance, hardware upgrades and management

VPN Forced Tunnel with broad exceptions

  Pros:
  • Significantly reduced bandwidth consumption and cost
  • Significantly improved user experience and productivity for exempt scenarios
  • Centralised network and security policies for most traffic
  • Full visibility and control of most traffic

  Cons:
  • Very complex and inconsistent configuration
  • Poor user experience and productivity for non-exempt scenarios
  • Low scalability and resilience for non-exempt scenarios
  • Potential security risks due to VPN bypass or compromise (unless a cloud solution is used to protect SaaS services)
  • Ongoing maintenance, hardware upgrades and management

VPN Selective Tunnel

  Pros:
  • Minimal bandwidth consumption and cost
  • Optimal user experience and productivity for all scenarios
  • High scalability and resilience for all scenarios
  • Centralised network and security policies for corpnet-based services
  • Full visibility and control of corpnet-based services

  Cons:
  • Complex and inconsistent configuration
  • Lack of network and security policies for Internet-based services
  • Lack of visibility and control of Internet-based services
  • Potential security risks due to VPN bypass or compromise (unless a cloud solution is used to protect SaaS services)
  • Ongoing maintenance, hardware upgrades and management

No VPN

  Pros:
  • No bandwidth consumption and cost for VPN
  • Optimal user experience and productivity for all scenarios
  • High scalability and resilience for all scenarios
  • Modern and consistent security policies for all services
  • Full visibility and control of all services

  Cons:
  • Requires SASE solutions and integration
  • Requires identity and device management
  • Requires cloud and network optimisation

Recommendation

Based on the comparison of the VPN options, the recommendation is to use either the VPN Selective Tunnel option or the No VPN option, depending on the availability and feasibility of the SASE solutions and integration. Both options offer the best network speed, reliability, high availability and security for accessing corporate resources and services.

The VPN Selective Tunnel option is suitable for organisations that have a mix of corpnet-based and Internet-based services, and that want to reduce the VPN bandwidth consumption and cost, and improve the user experience and productivity, while maintaining the network and security policies for the corpnet-based services. However, this option also requires complex and inconsistent configuration, and lacks network and security policies for the Internet-based services (such as Microsoft 365).

The No VPN option is suitable for organisations that have mostly Internet-based services, and that want to eliminate the VPN bandwidth consumption and cost, and optimise the user experience and productivity, while applying modern and consistent security policies for all services. This option also provides full visibility and control of all services, and leverages the features of SASE solutions such as Zscaler, Entra Global Secure Access (GSA) and Fortinet FortiSASE. However, this option also requires SASE solutions and integration, identity and device management, and cloud and network optimisation.

Some of the features of the SASE solutions that improve the security posture over a traditional VPN are:

  • Tenant restrictions (feature of Microsoft Entra): allow the organisation to restrict access to its cloud services to authorised devices and users only, and to prevent access from any unauthorised or compromised devices or users.
  • Conditional Access (feature of Microsoft Entra): allows the organisation to enforce granular and dynamic policies based on the context of the user, device, location, application and data, and to grant or deny access accordingly.
  • Continuous Access Evaluation (feature of Microsoft Entra): allows the organisation to monitor and evaluate the security posture of the user and device continuously, and to adjust the access level or revoke access if any changes or anomalies are detected.
  • Multi-platform support: allows the organisation to support and secure access from any device and platform, such as Windows, Android, Mac, Linux and iOS.

Useful reference materials:

  1. What is Global Secure Access? – Global Secure Access | Microsoft Learn
  2. Learn about the Global Secure Access clients for Microsoft Entra Private Access and Microsoft Entra Internet Access – Global Secure Access | Microsoft Learn
  3. Zscaler Internet Access | AI-Powered Security Service Edge
  4. SASE Solution – Secure Access Service Edge | Fortinet
  5. Pulse Secure: Secure Access Made Easy | Ivanti

Final Note: Microsoft Entra Global Secure Access is a fairly new service and some of its features are still in preview, which means that, as of writing, they are not yet fully functional. However, the technology is built on services that are well established and widely used, such as Application Proxy, Conditional Access and Continuous Access Evaluation. It might be a good idea to evaluate the use of VPN Selective Tunnelling and Entra GSA together: Entra GSA could be applied to Microsoft 365 traffic, which would then go directly from the local Internet breakout and be secured by Entra GSA.