

Die, VPN: We're all "telecommuters" now—and IT must adjust - evo_9
http://arstechnica.com/business/consumerization-of-it/2011/10/die-vpn-were-all-telecommuters-nowand-it-must-adjust.ars

======
bschlinker
I'm not sure I see what the big issue is with VPN access.

The author complains that VPN connections choke the user's bandwidth, but I am
not sure I know many examples of this. Typically through a VPN connection I
will see higher latency to external internet points if the company does not
allow split-tunnel routing. However, decreases in the user's bandwidth only
occur if the company does not have the appropriate bandwidth available for the
number of VPN users logged in. Perhaps I am just lucky, but I've never had
this problem.

Regarding the pain of logging in, Cisco's new Cisco AnyConnect VPN
automatically re-authenticates you to the VPN session so you don't need to
keep signing in as you shift locations. Microsoft's DirectAccess allows you to
have a VPN session automatically established with no additional authentication
necessary whenever it finds a network connection available.

The author proposes cloud services? Those don't work too well for large
companies in my opinion. In fact, I don't think they work well for small
companies yet either. Google Docs just doesn't have the functionality required
and STILL lacks the idea of having centralized repositories of information. If
you want to share a document with your entire Google Apps organization, you
can "share it" but the people in your organization must know to search for it
in order to discover it. There is no way to browse "All Documents in My
Company" which creates a huge pain.

Most companies and their employees, especially Fortune 100 companies, utilize
"Network Volumes". Go into one of these companies and talk to the employees.
"Oh, that is on my U drive, and the other documents, those are in the company
wide public share on my P drive". They browse to these files seamlessly over
the VPN, edit them, and they are updated on the remote server.

VPNs also HELP ensure compliance (though they definitely don't guarantee it).
You no longer need to worry whether every single cloud service you are using
has the proper security configuration. There may be some wiggle room here, but
I know that with Active Directory Group Policies, I can really lock things
down on users through one centralized management interface. If I have 10 cloud
services, I have 10 different things I need to worry about locking down.

~~~
barrkel
The problems I've had with VPNs are probably down to misconfiguration, but the
primary one was limited bandwidth over the VPN, not limited bandwidth to the
internet. Living in Europe, but connecting to a VPN server in California,
reduced a 4Mbit connection to something closer to 64kbit - I hypothesized that
whatever corresponds to the TCP window on the VPN was configured with too low
a size, and the latency was killing stream throughput.

~~~
joshwa
Same problem, same numbers. (China -> Atlanta). Is your VPN Juniper IVE by any
chance?

~~~
barrkel
The only non-generic client is Nortel, I'm not sure what's at the other end
(but I'd guess Nortel).

------
shaggy
This reads as a very ignorant article and doesn't even come close to
addressing the issues that are faced by enterprise IT teams. As soon as you
let users bring their own devices (whatever they are) onto your corporate
network your security concerns now include those devices. Who knows what Bob
in accounting is letting his kid do with his laptop when he gets home at
night. All of a sudden your entire network is compromised or infected because
using a VPN or employer provided devices is "hard".

The bandwidth argument is really not valid anymore. Just about everyone can
get broadband at home and most sensible organizations will allow split
tunneling so your non-work related traffic can go out whatever local
connection you're on.

~~~
barrkel
I think that's a problem with enterprise IT mindset, rather; this idea that
there's a binary distinction between inside and outside, trusted and
untrusted, and therefore whatever you connect to the network must be vetted
because it suddenly has all this trust by default.

I think it's pretty inevitable that the evolution will be in the direction of
distrust by default, and internal apps will slowly require more secure
programming models, incrementally becoming more like ordinary public-facing
sites. The reason is that the trust-by-default (once you're on the "inside")
model is too centralized and can't scale to the increased number of devices.
Employee devices will need hardening against intrusion from the corporate
network just as much as the network needs hardening against intrusion from Bob
from accounting; because you stop infections spreading by stopping the vectors
for transmission, and that works from both ends.

~~~
shaggy
There is a distinction of trusted and untrusted, but I wasn't implying a trust
by default method because that's not good either. I also wasn't trying to
imply that a vetted device is necessarily a trusted device. For example, we
allow Blackberry, Apple and Android devices on our network as "officially
supported" mobile devices. We don't trust them but we know if something goes
wrong we can issue a single command and wipe the device which effectively ends
all access that device had/has to our network resources.

The point is, and you hit on it, that you have to prevent intrusion,
compromise or infection from all places and allowing people to work on their
own hardware or without a VPN means that job becomes exponentially more
difficult.

------
Wilya
I'm curious about the part about no one liking dealing with VPNs. I have only
used an OpenVPN network for my private use, not any enterprise-class system,
but I don't have much to complain about. Once I got how it worked, it was
pretty painless to use.

Is it due to the policies and the way they are applied in big companies? The
tools?

~~~
ajross
Enterprise-class systems are far worse. If you know what you're doing, you can
tune any IP tunneling solution into something that coexists nicely with your
native network. That's not how any corporate VPN that I've seen works. They
all hijack your box, sending all traffic down the pipe to the company
firewalls and killing latency. Sometimes it's worse: they try to be smart, and
send local traffic locally, but they still try to use their own DNS servers,
thus breaking local addresses from e.g. the DHCP server at your local coffee
house.

It's just a disaster. And the problem that it's intended to solve isn't
actually solved by pretending that data "inside" the corporate network is
safe. Sane IT strategies always need authentication and encryption inside the
wall too. So why bother with the VPN?

------
taylorbuley
This doesn't strike me as very realistic. Aside from the issue of token-based
security vs. other auth mechanisms, how else are you going to establish a
secure connection to a private network aside from a VPN-like tunnel?

~~~
wmf
The point seems to be that if you move most of your IT onto the public
Internet aka cloud (with SSL + passwords) then employees don't need to access
any secure network.

------
synnik
This article really comes off as a prima donna developer, who may understand
how infrastructure works, but not why strategic decisions are made.

Security is the primary driver for VPNs, and a significant driver for IT-
controlled devices. Maintainability of the infrastructure is another large
driver for devices. And finally, cost control of your support organization is
easier when they have a limited scope to what devices and configurations they
will support.

It isn't that his points are incorrect -- they are just pretty minor compared
to the actual business drivers of Enterprise IT.

------
biot
VPNs these days are one-click to establish and can be set up to use the same
credentials as a work machine's login. You can often have them remember your
credentials too so that there's no extra work involved, though this should be
limited to situations where employees encrypt their file systems a la
FileVault or BitLocker.

I agree that it's becoming less necessary as more and more services use
strong, end-to-end encryption. However, using a VPN reduces the attack surface
area of a network. SSL guarantees that nobody can eavesdrop on the
communication but it doesn't guarantee who you're communicating with.
Restricting access to the VPN and internal networks means that any 0-day bugs
have little impact on your security as fewer services need to be public-facing.

The biggest threat with telecommuters is that you leave security up to them
and who knows what trojans/rootkits lurk undetected on their machine to your
antivirus/antimalware software.

~~~
barista
> VPNs these days are one-click to establish

DirectAccess is a zero click connection where the company network and
resources are available any time you want it. I tried it for a few months and
it works like magic.

For things like security and data protection, you always have BitLocker.

------
johngalt
If BYOD and telecommuting were just held up by "security" they would've been
steamrolled a long time ago. Very few organizations take security that
seriously. Articles like these frame IT strategy about as accurately as a
courtroom drama depicts the legal process.

100% of IT decisions you'd probably disagree with are driven by responsibility
and/or costs.

------
purephase
A fairly narrow set of applications listed on the 2nd page of the article. I
think an important reason promoting the use of VPN services is not that you
are protecting yourself from your users, you are protecting yourself against
poorly written 3rd-party or in-house applications.

There are a lot of companies that are forced to use really large, complex
applications that combine a myriad of different technologies. It's one thing
to patch servers, it's another task altogether to try and maintain and update
applications that stretch across mainframes, various database and mid-tier
applications, with mixed-web/thick client access. The dependencies alone are a
nightmare to try and manage.

To me, this is the most important reason for securing remote users. I want to
protect them, and the company, from the medusas.

------
rdl
This is pretty bad advice for most companies.

It's undeniable that people are moving to Bring Your Own Device for mobile,
and that with third-party hosted cloud apps, VPNs are less meaningful.
However, in a lot of cases, you have SOME applications which aren't secure
enough to put on the Internet bare, and also having a central point for
compliance makes a lot of sense.

While it would be nice to think phones/tablets are more secure due to having
passcodes, unfortunately, Apple and Android don't actually have reasonable
device security to protect from brute force against a password. You can easily
image even a LOCKED device, then brute force it offline. Only BlackBerry
seems to have hardware security in place to protect against this.

------
serverascode
Also let's not forget SSL is kinda a mess. Not to say that VPNs aren't either
though. It's tough out there. :)

I'll be using sshuttle once I get our external ssh gateway up.

