Confessions of a Network Engineer – Remote Access VPNs

In 2001, I joined a global retailer based in the Pacific Northwest as a network engineer. My first task was to build out a remote access VPN. At the time, after considering the options available, I decided on a simple system built around a Microsoft RRAS server (remember those?). Little did I know that the system I deployed that day would last for 15 years until Apple decided to drop support for PPTP and force the company to finally modernize its remote access infrastructure.

2020 was a wake-up call for enterprise IT. Remote access became required technology for companies to reach their IT resources. Network engineers scrambled to cobble together systems that provided connectivity and met the demand to keep the company afloat. While some moved to modern cloud-delivered, zero-trust-based solutions, others doubled down on what they already had: legacy appliance-based technology.

Confession: Goals of Network Engineers

Connectivity is about moving data from one point to another, quickly. This is the goal of every network engineer: move packets quickly and efficiently. Security is a secondary concern, just as it is for developers. Please understand I am not singling out my colleagues; there is plenty of blame to go around. My point is that once a packet enters the “trusted” side of the network, security is no longer a primary concern. This brings me to confession number one. In my days as a network engineer, I built plenty of trusted remote access VPNs. Little did I know that what I built could easily be exploited by a bad actor (insider or outsider). Honestly, I trusted the system. This is where I was wrong. To quote John Kindervag, regarded as one of the fathers of the zero-trust movement, “Why do we endow a computer with a human trait? It’s a device made of sand and rare metals which only understands ones and zeros.” He is 100% right. In my day as a network engineer, I built tools that made the job of the bad actor(s) easier. Going forward, we must build solutions based on the premise of zero trust: trust no one; always verify.

Confession: I Love Hardware

Honestly, every time a networking company announces a new hardware product, I get goosebumps. I want to know how fast it will process packets, how much power it consumes and even how it feels. If I were at an IT conference, I’d quickly make my way to the vendor’s booth. Is the new device there? Confession two. I now realize that hardware suppresses innovation. A specialized remote access VPN device wrapped in a sheet metal box is a single-purpose device with limited functionality. Its designated role is to do one job. While there may be updates to the system, they are minor feature additions. The life cycle of the device is three to five years, depending on the depreciation schedule set by a vendor’s finance department. Contrast this with software-based solutions. Software is not limited by bespoke hardware, is not single-purpose and can be upgraded quickly. Software-based platforms can ship releases monthly, and those releases can carry major new features. Consider how fast the major public cloud providers evolve their networking solutions versus the hardware providers, or the impact of SDN and SD-WAN solutions on the networking industry. The future is about software, not hardware.

Confession: I Never Considered Networking’s Impact on the Environment

I’ve always enjoyed the outdoors and have worked at several companies that tied their reason for existence to the planet. Confession three. The hardware appliances I love have a big impact on the planet. Consider the classic hardware-based remote access designs used by Fortune 200 companies, which chain devices together: several firewalls, SSL termination devices, load balancers, IDS devices and authentication servers, along with data center-class switches, located in multiple data centers. What is the environmental impact? I ran the power budget for a standard design; the numbers were startling. Per data center, a power budget of 6,000 watts works out to 146 kWh per day or 53,155.68 kWh per year. But what is the total carbon impact? I used the free greenhouse gas equivalency calculator provided by the EPA and found that 53,155.68 kWh per year is equivalent to 25.5 tons of CO2 per data center! That is equivalent to the carbon sequestered by 27 acres of U.S. forests per year. If the company has five global data centers, that is roughly 15% of New York City’s Central Park per year. This is significant. Contrast this with an option from AWS, which uses green power and carbon offsets.

Now that I have unburdened myself by confessing my past sins, what should you take away from this?

  1. The future is about not implicitly trusting devices that are not human. Just because a device is on the trusted side of the firewall doesn’t mean we should trust it. There is no magic force field on the trusted port of a security device. Zero-trust is the path we must take as network engineers going forward. Application access must be about the device and the application, that is it. No more, no less.
  2. Hardware devices limit innovation. The industry transition to software accelerates digital transformation. We cannot move forward based on a hardware device that is single-purpose and upgraded on a financial schedule. It is time to unleash the power of software delivered from the cloud to move beyond legacy sheet metal boxes.
  3. Going green with improved security and innovation is the path forward. Had a green data center, along with a zero-trust, cloud-delivered software solution, been an option when I deployed my remote access solution, I could have saved myself and the company I worked for from security breaches and provided them with a constantly improving platform, while making the planet we live on a better place.

Thank you for hearing my confessions! I hope you learn something from my past mistakes.


John Spiegel

John Spiegel, Director of Strategy, Axis Security. John Spiegel has 25 years of experience running global networks and managing infrastructure. He is an industry pioneer in software defined networking (SDN) and software defined WANs (SD-WAN). John has spoken on the topic of network transformation at industry conferences such as Gartner, InterOp, VMWorld and Palo Alto Networks Ignite, as well as at executive roundtable discussions. He has also been a customer advisor to companies like VMware, Palo Alto Networks and Cisco Systems. Disruptive startups have also leveraged John’s knowledge to bring products to market, resulting in successful exits. When not helping companies on their journey to modernize and secure their networks, John can be found cycling on the backroads of Oregon.
