VPNs in addition to SASE

The advent of OpenVPN and WireGuard protocols allows VPNs to maintain their connectivity in the face of secure services with SASE (Secure Access Service Edge) access points and zero-trust network access.

The Covid-19 pandemic has accelerated the development of more suitable and safer solutions to serve the needs of remote workers. They also encourage us to wonder about the interest of VPNs. Recently, the addition of protocol options has improved their functionality beyond what VPNs were originally capable of. At the same time, security architectures – Zero Trust Network Access (ZTNA), Secure Access Service Edge (SASE), and Security Service Edge (SSE) – have come to encroach on the remote access function of VPNs.

vpn vs. ZTNA

The main advantage of ZTNA (Zero Trust Network Access) is that it imposes authentication on every user and every device that wants to access the network. Instead of granting a group privileged access, ZTNA allows you to choose who can connect and when. In fact, zero trust assumes that threats can come from inside and outside the corporate network. Although some companies have completely abandoned IPsec VPNs in favor of more comprehensive networks based on zero trust, they still need other protections, such as encrypting employees ’smartphones to prevent them. to be tracked and hacked while on the move. .

According to Cloudflare, there are three features that differentiate ZTNA and VPN:

1- OSl layers: IPsec VPNs work on the Layer 3 network layer, while ZTNA – and by extension SSE and SASE – primarily work on Layers 4 through 7 through gateways, using web -based protocols such as TLS. This means that ZTNA provides more comprehensive protection, especially when it comes to protecting specific apps and devices. However, Layer 3 protection is useful for blocking the wider movement of malware and for network segmentation for specific categories of users.

2 – Hardware and software on the site: Most corporate VPNs require their own on -premises servers, where endpoints connect via client software to each device. This means that the server is potentially a point of failure and traffic to and from cloud resources must pass through the corporate data center where the server is hosted, which increases latency. ZTNA has a lighter footprint and its implementation typically relies on cloud-based resources. It can work with or without endpoint-specific software agents, but if agents are used, they can increase the CPU load on the endpoint.

3 – Granular control: The goal of most VPNs is to secure an entire network by providing a protected tunnel through which remote machines can access it. In theory, the idea is good, but it’s less practical, because attackers can, from an infected endpoint, carry out malware attacks across the network. ZTNA is more accurate, as it limits both network access and application access. It can therefore apply granular policies and allow a particular user access to a particular device at a particular time for a particular application. This adaptive and more flexible security has significant advantages over unmanaged devices, such as BYOD, or IoT devices that do not have client software to secure them. ZTNA can also be used to integrate various security management tools. For example, Palo Alto Networks ’Prism Access uses ZTNA to integrate its firewalls, Cloud Access Security Broker (CASB) and SD-WAN tools.

Despite these differences, VPN and ZTNA can work together in some situations. For example, one can use a VPN to connect to a remote office or if users need to connect to on -premises file servers. VPNs are worth considering, for two reasons. First, VPN and ZTNA can complement each other and produce a more comprehensive security envelope, especially since a large number of workers are still working remotely. Importantly, the VPN protocol environment has improved drastically over the past 15 or 20 years. IPsec has been largely replaced by Internet Key Exchange version 2 (IKEv2), a tunneling protocol supported by Windows, macOS, and iOS. It also includes Network Address Transversal (NAT), which allows faster tunnel connectivity for mobile devices as they roam, uses AES and Blowfish for better encryption, and authentication based on a certificate to prevent man-in-the-middle attacks. IKEv2 is also supported by many enterprise VPNs such as SSL AnyConnect from Cisco and VPN products from Juniper.

There are also two recent VPN protocols: Wireguard and OpenVPN. Both carry other partially open-source services, including a network of servers, endpoint clients, and the protocols themselves.


Adopted by major VPN providers including Windscribe, Hotspot Shield, NordVPN, and ExpressVPN, the OpenVPN protocol supports Windows, MacOS, iOS, Android, and Linux clients. This protocol is interesting for enterprise users, because, as open source, the code and its various implementations are thoroughly analyzed. Moreover, thanks to the OpenVPN Cloud developed by the project, an on-site VPN server is not required, as one can connect to it as a managed service. A free tier allows for three simultaneous connections, and monthly subscriptions start at $ 7.50 excluding VAT per month per endpoint connection for at least 10 connections. This price drops to a few dollars per month for over 50 connections. OpenVPN Server software is also available at similar prices for self-hosted setups. In addition to its VPN, the project also includes CyberShield, a service that encrypts DNS traffic, which is useful for preventing DoS and man-in-the-middle attacks. OpenVPN works on both TCP and UDP ports, which increases its flexibility. This means that connections via OpenVPN can become more resilient when country-sponsored actors try to publicly block remote access ports. One issue is that most local OpenVPN servers are in the northern hemisphere, so users connecting from other locations will experience longer latency. Major service providers such as ExpressVPN and NordVPN have a larger worldwide presence.


WireGuard is also an open source project, and like IKEv2, it is designed for fast reconnection, which enhances reliability. Like OpenVPN, it includes a full range of services, including Windows, MacOS, iOS, Android, and Linux clients, and is supported by major VPN providers, including Mullvad, ProtonVPN, Surfshark, NordVPN and Private Internet. Access. Its proponents say that because of its lightweight architecture, it can surpass other VPN protocols and be easily implemented in container collections. It’s free and works on any UDP port. Its authors have published very clear instructions on its security limitations, particularly the lack of traffic obfuscation and the fact that the protocol is still under development. With WireGuard or OpenVPN, businesses have more options and flexibility to evaluate the remote protocols they use. WireGuard is attractive for security, but its usefulness also makes it extremely compelling. For example, one can use OpenVPN’s cloud-managed to quickly increase or decrease their remote access needs, which is closer to how ZTNA-based solutions work.

OpenVPN and WireGuard for Business

The fact that OpenVPN and WireGuard have been adopted by major VPN providers may also inspire the company to take an interest. Why? First, their low overhead can reduce latencies and improve usability. Second, because they show that open source code, third-party security audits to verify their value, privacy, and other features are benefits. Enterprise VPN providers can use these strategies for competitive reasons to improve their own offerings. This does not mean, however, that companies should give up the ESS and the SASE. Businesses have all kinds of remote access needs covering a wide range of applications, bandwidth requirements, and end-user devices. Applications work on all types of infrastructure: private cloud, public cloud, container, and in -place hardware. A typical business uses multiple identifiers, authentication tools, and network configurations. Add to this mix the ability of SASE and SSE to separate browsing sessions or implement cloud access security brokers to further secure these resources. Gone are the days of all remote users connecting through a rack of gateway servers found in the data center, but the latest VPN protocols can also complement the best and non-new world of zero trust.

Leave a Comment