Originally published in Digitalisation World, our CTO shares thoughts on why it's time your VPN had an SD-WAN upgrade


Back in April, the Office for National Statistics (ONS) published findings stating that 49.2% of adults employed in the UK were working from home. While there will always be sectors that can't 'remote in', those who have been WFH have inadvertently contributed to a wide-scale experiment with some interesting results. A survey published by network analysts Global Wireless Solutions in November explained that, beyond the obvious user frustrations, including the now familiar "Is it any better if you turn your video off?", half of its respondents actually felt that their competency was being judged when internet connectivity was bad. Furthermore, 62% of those who replied had 'issues' accessing corporate services from home, and 55% admitted to questioning their colleagues' capabilities based on factors that were more often than not completely out of their co-workers' control. If that's what your colleagues think, what's the perception of your customers?

Lost productivity working from home

A few weeks earlier, the same publication ran a headline stating, 'The average UK home worker is losing 30 minutes of productivity per day due to poor network connectivity.' Sounds unlikely, but think about it: 30 minutes per day waiting to download or upload files via a VPN, waiting for a screen to catch up in a virtual desktop session, toggling your camera on and off in a "Can you hear me now?" fashion on a Teams or Zoom call, and you can see where the time goes. If 15 people are WFH over a VPN and each loses 2.5 hours a week, that's 37.5 hours, the equivalent of one team member's entire working week (and salary). There's a business case brewing here…

At the heart of the issue is using the internet as the delivery mechanism for home worker services. It's cost effective and, in most cases, already in the home, which is good. Conversely, it's also unstable, due to a wide range of factors outside our control, which is not so good.

VPNs are no longer fit for purpose

When lockdown struck, some very fortunate IT salespeople found themselves dealing with an influx of customers desperately trying to find ways to keep the lights on, which led to a huge increase in demand for VPN capacity across the industry. The thing is, traditional VPNs aren't really the right tool for the job anymore. Sure, they offer a better security model than doing nothing, but they are fundamentally flawed for a couple of key reasons. The first is that they rely on the internet as a delivery mechanism. When the internet is unstable, the user experience drops off and productivity goes with it. "Can you hear me now?" No, we can't.

There is, however, another fundamental reason that VPNs are no longer fit for purpose, which boils down to the fact that VPNs were not intended to do the things we need them to do today. Back in 1996, when a Microsoft employee (most sources suggest Gurdeep Singh-Pall) created the Point-to-Point Tunneling Protocol (PPTP), the precursor to modern VPNs, it was designed to tunnel a single remote device's traffic to a single endpoint over the internet, much like the dial-up connection it replaced. And here's the root of the issue: connecting a single device (a laptop) to a single destination seldom represents the architecture we use in today's service delivery world.

Back then it was pretty straightforward: build a data centre, put everything the user needs to complete their daily tasks in that data centre, and only let trusted people into this Pandora's box, using a VPN to secure the gap between the user and the data centre over the internet.

In the good old days of public speaking at real events with real people, I used to paraphrase this as all the data in the middle with the users around the outside, but take a look at how we all work today and you'll notice something very obvious. While our traditional data centres are often still in production, many of us also have public cloud infrastructure from the likes of Azure or AWS running in parallel, either to help scale capacity in response to Covid-19 or to deliver new line-of-business services without the need for new physical tin. While this hybrid cloud model clearly doesn't apply to everyone, there are very few organisations that haven't adopted the likes of Google Docs, Office 365, Zoom, cloud-based CRMs, VoIP phone systems or other line-of-business applications or services. It's a complete paradigm shift from the old model, with the user now in the centre consuming services that originate from many locations around the outside.

There are a couple of options available to connect this new cloudy world, but they are typically a trade-off between usability and security and generally far from ideal.

Back haul users to the data centre for internet break out

While this allows corporate web access policies to be enforced, it typically takes so long for the user session to get from their laptop, across the VPN, through the data centre, up to the cloud provider and back again that the round-trip time for latency-sensitive services (like Teams) leaves the user experience a long way short of expectations. The problem has had such a negative impact on user experience that it resulted in Microsoft publishing its Network Connectivity Principles in November 2018, with various amendments leading to its current iteration in June 2020. If you've not read it, the key takeaway is: use local internet breakout for latency-sensitive traffic and send it direct to the service rather than via the data centre. Great if you're in a branch office with a firewall, but not so great for home workers, where deploying a firewall isn't a feasible option.

Split tunnel VPN

Allowing access to trusted web services directly from the device while maintaining a VPN back to the corporate network sounds great in theory, but it can be an operational nightmare to manage, particularly given the ephemeral nature of the FQDNs that go on the allow list (the addresses behind a listed FQDN change, and the list itself needs refreshing whenever the provider publishes an update). There's another risk here too. You've now got a corporate device connected via a trusted VPN to the corporate network and, at the same time, to the internet via the home broadband router. That's the same router and the same flat home LAN that's connected to the wireless doorbell, smart thermostat, smart TVs and a growing list of IoT devices, so a compromised gadget sitting next to the laptop has a network path to the laptop and, through it, towards the corporate network. Does the corporate home worker access policy include ensuring all IoT devices are patched up to date? Unlikely, and practically impossible to enforce.

Single point of failure

In either case, we're still reliant on a single internet connection, so, secure or otherwise, VPN user productivity is completely dependent on that one data pipe, even if it is business-grade broadband. In a branch office you can justify the cost of a backup link (DSL, FTTC, MPLS or otherwise) and the kit to manage the traffic between them. However, if we want to move beyond keeping the lights on to a credible, enterprise-grade, long-term solution for home working, it really is time to start thinking about life beyond the traditional VPN.

Life beyond the VPN

What's needed is a cost-effective, small-form-factor, simple-to-deploy alternative that provides the same level of security as a VPN when connecting the home user back to the physical data centre. It needs to include a decent firewall so that we can break out to the internet with corporate policy enforced, avoiding both the loop via the data centre and the nightmare of managing split-tunnel VPNs for latency-sensitive cloud-based services.

While we're at it, it needs to hook into external DNS services and the providers' published endpoint lists so that when folks like Microsoft change FQDNs or IP ranges for operational purposes, the user can still reach the service without raising a support ticket. It should also allow the user to directly access virtual desktops or other services that we either consume or publish from public cloud platforms like Azure, AWS or GCP.
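As an added, illustrative example (not code from the original article, and not any vendor's implementation), here is the core of the split-tunnel decision described under 'Split tunnel VPN' above together with the endpoint-tracking requirement in the previous paragraph, written in Python. It assumes a published endpoint list in a constructed JSON shape (category, wildcard FQDNs, CIDR ranges), assumed corporate (10.0.0.0/8) and home-LAN (192.168.0.0/16, 172.16.0.0/12) address ranges, and the policy that an FQDN only breaks out directly when the address it resolved to falls inside the ranges published for it; traffic to the home LAN is dropped while the tunnel is up so that IoT devices on the same LAN have no path to the corporate device:

```python
import ipaddress
import json

# Constructed sample endpoint list. Its shape (category, wildcard FQDNs, CIDRs)
# is an assumption loosely modelled on how cloud providers publish endpoints;
# the entries are NOT real published data.
ENDPOINTS_JSON = """
[
  {"id": 1, "category": "Optimize",
   "urls": ["outlook.office365.com", "*.teams.microsoft.com"],
   "ips": ["13.107.64.0/18", "52.112.0.0/14"]},
  {"id": 2, "category": "Allow",
   "urls": ["*.sharepoint.com"],
   "ips": ["13.107.136.0/22"]},
  {"id": 3, "category": "Default",
   "urls": ["*.office.com"],
   "ips": []}
]
"""

# Only these categories may break out locally; "Default" stays on the tunnel so
# the corporate web proxy/firewall still sees it. Assumed policy.
DIRECT_CATEGORIES = {"Optimize", "Allow"}

# Assumed address ranges for the example.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
HOME_LAN_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("172.16.0.0/12")]


def load_endpoints(text):
    """Parse the endpoint list into (category, [fqdn patterns], [networks])."""
    entries = []
    for e in json.loads(text):
        nets = [ipaddress.ip_network(c) for c in e.get("ips", [])]
        entries.append((e["category"], [u.lower() for u in e.get("urls", [])], nets))
    return entries


def fqdn_matches(fqdn, pattern):
    """Exact match, or a leading '*.' wildcard anchored at a label boundary.

    '*.teams.microsoft.com' matches 'x.teams.microsoft.com' but neither
    'teams.microsoft.com' nor 'x.teams.microsoft.com.attacker.example'.
    """
    fqdn = fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:])
    return fqdn == pattern


def in_nets(ip, nets):
    return any(ip in n for n in nets)


def route(dest, resolved_ip=None, endpoints=None):
    """Decide where traffic for `dest` goes: ("direct"|"tunnel"|"drop", reason).

    `dest` is an FQDN or an IP literal. `resolved_ip` is the answer the device's
    resolver returned for an FQDN (None if not resolved yet).
    """
    if endpoints is None:
        endpoints = load_endpoints(ENDPOINTS_JSON)

    # IP literals: corporate ranges always tunnel; the home LAN is blocked so a
    # compromised IoT device next to the laptop gets no path into it.
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None
    if ip is not None:
        if in_nets(ip, CORP_NETS):
            return "tunnel", "corporate address"
        if in_nets(ip, HOME_LAN_NETS):
            return "drop", "home LAN address blocked while tunnel is up"
        return "tunnel", "unlisted IP literal, default to tunnel"

    for category, patterns, nets in endpoints:
        if not any(fqdn_matches(dest, p) for p in patterns):
            continue
        if category not in DIRECT_CATEGORIES:
            return "tunnel", f"{category} category stays behind corporate policy"
        if resolved_ip is None:
            return "tunnel", "listed FQDN not yet resolved"
        # Break out only if the resolver's answer is inside the published
        # ranges; a home-LAN or poisoned resolver pointing elsewhere is not
        # trusted with a direct path.
        if nets and in_nets(ipaddress.ip_address(resolved_ip), nets):
            return "direct", f"{category} category, resolved IP verified"
        return "tunnel", "resolved IP outside published ranges"
    return "tunnel", "not on the allow list, default to tunnel"


if __name__ == "__main__":
    for d, r in [("outlook.office365.com", "13.107.70.5"),
                 ("outlook.office365.com", "203.0.113.9"),
                 ("www.office.com", "13.107.6.1"),
                 ("192.168.1.20", None), ("10.1.2.3", None)]:
        print(d, r, "->", route(d, r))
```

Refreshing `ENDPOINTS_JSON` from the provider's feed is the operational piece the text calls out: the decision logic stays the same, only the data changes, and nothing breaks out directly that cannot be checked against a published range.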

It should have the ability not only to bond the home broadband with other transports but also to have things like built-in 4G/LTE support and, more importantly, to switch between fixed and mobile connectivity without the user noticing, so the session remains stable even when the broadband falls over when the schools kick out.

It should allow only trusted devices to access the corporate network and, realistically, we don't want cables from the broadband router in the lounge trailing upstairs to the spare bedroom, so it needs to provide a secure corporate Wi-Fi service in the home that the kids (and the IoT gadgets) can't gate-crash. It would also be handy if it had detailed analytics for user productivity and compliance management.

Choose wisely

Choose your vendor wisely and you'll notice that SD-WAN has come a long way from just bonding links to become an enterprise-grade branch-office-in-a-box solution that provides all of the above and more. From radiographers to call centre agents and city workers, the early adopters are already gaining productivity, with a message that's loud and clear. So long VPN, it was nice knowing you.



To find out more about Citrix SD-WAN and how it can help to deliver a better user experience when working from home, take a look at our blog – SD-WAN Home Workers Managed Service



Read the original post published in Digitalisation World