Confessions of a Network Engineer – Remote Access VPNs
Hear my confessions on remote access networking...
John Spiegel
3/18/2022
4 min read
In 2001, I joined a global retailer in the Pacific Northwest as a network engineer. My first task was to build out a remote access VPN. At the time, after considering the options available, I decided on a simple system built around a Microsoft RRAS server (remember those?). Well, little did I know, the system I deployed that day would last for 15 years until Apple decided to drop support for PPTP and forced the company to finally modernize its remote access infrastructure.
2020 was a wakeup call for Enterprise IT. Remote access became the required technology for companies to reach their IT resources. Network engineers scrambled to cobble together systems to provide connectivity and meet the demand to keep the company afloat. While some moved to modern, cloud-delivered, Zero Trust based solutions, others doubled down on what they had: legacy, appliance-based technology.
Confession – Network connectivity is about moving data from one point to another, quickly. That is the goal of every network engineer: move packets fast and efficiently. The concern for security is secondary, just as it is for developers. Please know I am not singling out my colleagues; there is plenty of blame to go around here. My point is that once the packet enters the “trusted” side of the network, security is not a primary concern. Which brings me to confession number one. In my days as a network engineer, I built plenty of trusted remote access VPNs. Little did I know that what I built could easily be exploited by a bad cyber actor (insider and outsider threats alike). Honestly, I trusted the system. This is where I was wrong. To quote John Kindervag, who is regarded as one of the fathers of the Zero Trust movement, “why do we endow a computer with a human trait? It’s a device made of sand and rare metals which only understands ones and zeros?” He is 100% right. In my days as a network engineer, I built tools which made the job of the bad cyber actor easier. Going forward, we must build solutions based on the premise of trust no one, always verify.
Confession – I love hardware. Honestly, every time a networking company announces a new hardware product, I get goose bumps. I want to know how fast it will process packets, how much power it consumes and, as well, how it feels. If I were at an IT conference, I’d quickly make my way to the vendor’s booth. Is the new device there? Confession two. I now realize hardware suppresses innovation. A specialized remote access VPN device wrapped in a sheet metal box is a single-purpose device with limited functionality. Its designated role is to do one job. While there may be updates to the system, they are minor feature additions. The lifecycle of the device is three to five years, depending on the depreciation schedule set by a finance department. Contrast this with software-based solutions. Software is not limited by bespoke hardware, is not single purpose and can be upgraded quickly. Release cycles for software-based platforms can be monthly, and the new features can be major releases. Consider how fast the major public cloud providers evolve their networking solutions vs the hardware providers, or the impact of SDN and SD-WAN solutions on the networking industry. The future is about software, not hardware.
Confession – When I started my career in networking, I never considered its impact on the environment. I’ve always enjoyed the outdoors and worked at several companies which based their reason for existence on a connection to the planet. Confession three. The hardware appliances I love have an impact on the planet. If you consider the classic hardware-based remote access device chaining designs used by Fortune 200 companies, they include several firewalls, SSL termination devices, load balancers, IDS devices and authentication servers, along with data center class switches located in multiple data centers. What is the environmental impact? I ran the power budget for a standard design. The numbers were startling. Per data center, a power budget of 6,000 watts consumes 146 kWh per day, or 53,155.68 kWh per year. But what is the total carbon impact? I used the free Greenhouse Gas Equivalent calculator provided by the EPA and found that 53,155.68 kWh per year is equivalent to 25.5 tons of CO2 per data center! That is equivalent to 27 acres of US forests per year. If the company has 5 global data centers, that is roughly 15% of New York City’s Central Park, per year. This is significant. Contrast this with an option from AWS which uses green power and carbon offsets.
Now that I have wrung my hands of my past sins, what should you take away from this?
1- The future is about not implicitly trusting devices; they are not human. Just because a device is on the other side of the firewall doesn’t mean we should trust it. There is no magic on the trusted port of a security device. Zero Trust is the path we must take as network engineers going forward. Application access must be about the device and the application, that is it. No more, no less.
2- Hardware devices limit innovation. The industry transition to software accelerates digital transformation. We cannot move forward based on a hardware device which is single purpose and upgraded on a financial schedule. It is time to unleash the power of software delivered from the cloud and move beyond legacy sheet metal boxes.
3- Going green with improved security and innovation is the path forward. Had a green data center along with a Zero Trust, software-based, cloud-delivered solution been an option when I deployed my remote access solution, I could have saved myself and the company I worked for from security breaches, provided them with a constantly improving platform, and made the planet we live on a better place!!
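To make the first confession and the first takeaway concrete, here is an added illustration (not code from the original post, and not any vendor's implementation) that puts the two access models side by side. The "trusted port" model grants access to anything arriving from the internal address range; the Zero Trust model ignores network location and instead checks that the device is enrolled and healthy and that the user is entitled to the specific application. The device inventory, entitlements, address range and sample requests are all constructed for the example, and the posture and entitlement checks are an assumed, simplified policy chosen to show the principle.

```python
"""Perimeter ("trusted port") versus Zero Trust access decisions.

Added illustration, not code from the original post. All device, user and
application records are constructed sample data; the policy model (device
must be enrolled and healthy, user must be entitled to the application,
network location is ignored) is an assumption made for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed inventory: devices the organisation manages and their posture.
MANAGED_DEVICES = {
    "laptop-0042": {"posture": "healthy"},
    "laptop-0077": {"posture": "out_of_date"},  # failed patch compliance
}

# Constructed entitlements: which applications each user may reach.
ENTITLEMENTS = {
    "alice": {"payroll", "wiki"},
    "bob": {"wiki"},
}

# Legacy model: anything arriving from the internal range is trusted.
TRUSTED_NETWORK = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: Optional[str]   # None means the device is not enrolled
    source_ip: str
    application: str


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy VPN/firewall logic: inside the trusted network means allowed."""
    return ip_address(req.source_ip) in TRUSTED_NETWORK


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Zero Trust logic: verify device and user for this application; ignore location.

    Returns (allowed, reason) so the reason can be logged for detection work.
    """
    device = MANAGED_DEVICES.get(req.device_id) if req.device_id else None
    if device is None:
        return False, "device not enrolled"
    if device["posture"] != "healthy":
        return False, f"device posture {device['posture']}"
    if req.application not in ENTITLEMENTS.get(req.user, set()):
        return False, "user not entitled to application"
    return True, "device healthy and user entitled"


# Constructed sample requests.
SAMPLE_REQUESTS = [
    # Unenrolled device on the "trusted" LAN (e.g. a personal machine).
    AccessRequest("bob", None, "10.20.30.40", "payroll"),
    # Managed but non-compliant device, also on the LAN.
    AccessRequest("alice", "laptop-0077", "10.20.30.41", "payroll"),
    # Healthy managed device connecting from outside the perimeter.
    AccessRequest("alice", "laptop-0042", "203.0.113.5", "payroll"),
]


def compare(requests=SAMPLE_REQUESTS) -> list:
    """Evaluate each request under both models for a side-by-side view."""
    rows = []
    for req in requests:
        zt_allowed, reason = zero_trust_decision(req)
        rows.append({
            "user": req.user,
            "device": req.device_id or "<unknown>",
            "source_ip": req.source_ip,
            "application": req.application,
            "perimeter": perimeter_decision(req),
            "zero_trust": zt_allowed,
            "reason": reason,
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The first two requests are exactly the cases the post worries about: a device on the "trusted" side of the firewall that is either unknown or out of compliance. The perimeter model allows both; the Zero Trust model denies both and records why, while still admitting the healthy, entitled device connecting from the public internet.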
Thank you for hearing my confessions!