Evaluating VPN and SASE Options for Secure and Reliable Access

Introduction

A Virtual Private Network (VPN) creates an encrypted tunnel over a public network, such as the Internet, through which remote and mobile users reach corporate resources and services. It is still the most common way for remote workers to connect to their organisation's network and applications. However, VPN also brings limitations and challenges: performance degradation when all traffic is hairpinned through the VPN appliance, bandwidth consumption on the corporate Internet link, configuration complexity, and security risk, because a traditional VPN grants network-level access to whatever is reachable on the corporate network once the tunnel is up.

Secure Access Service Edge (SASE) is a model that combines network and security functions into a unified, cloud-delivered service. SASE aims to provide secure and fast access to any application, anywhere, on any device. SASE and Security Service Edge (SSE) solutions, such as Zscaler and Microsoft Entra Global Secure Access, use modern approaches such as zero trust network access (ZTNA), cloud access security broker (CASB) and software-defined perimeter (SDP) to protect the data and identity of users and devices: access is granted per application, after the user and device have been verified, rather than to the network as a whole.

The next sections assess, at a high level, how a VPN and a SASE solution give access to corporate resources and services, both cloud-based and non-cloud-based. They contrast the five main VPN options and their advantages and disadvantages from a network speed, reliability, high availability and security point of view, and then recommend either a VPN option or a No VPN option that relies on modern security methods and functions.

VPN Options

There are five main VPN options that can be used to access corporate resources and services. They are:

  • VPN Forced Tunnel: 100% of traffic goes through the VPN appliance, including on-premises, Internet and all SaaS/Microsoft 365 traffic
  • VPN Forced Tunnel with few exceptions: the VPN tunnel is used by default (the default route points to the VPN), with a few, most important exempt scenarios allowed to go direct (for example the Microsoft 365 "Optimize" category endpoints)
  • VPN Forced Tunnel with broad exceptions: the VPN tunnel is used by default (the default route points to the VPN), with broad exceptions allowed to go direct (such as all Microsoft 365, all Salesforce, all Zoom)
  • VPN Selective Tunnel: the VPN tunnel is used only for corpnet-based services (typically on-premises). The default route (Internet and all Internet-based services) goes direct.
  • No VPN: like Selective Tunnel in that only corpnet services take a controlled path, but the legacy VPN is removed entirely. Corpnet services are published through modern access approaches (such as Zscaler and Microsoft Entra Global Secure Access), so no traffic is routed through a VPN appliance.
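The practical question behind options 2 to 4 is which destinations may bypass the tunnel. Microsoft publishes the Microsoft 365 endpoints as a JSON web service in which every entry carries a category of Optimize, Allow or Default, and its split-tunnel guidance is to send only the Optimize set direct. The following Python is an added example, not code from this article or from Microsoft: it parses that feed format (the records are constructed here in the same shape as the real service, with illustrative ranges and ids), returns the prefixes that should leave via the local Internet breakout, and lets you check a destination against them.

```python
"""Derive VPN bypass prefixes from the Microsoft 365 endpoint feed.

Added example; not code from the article. The feed shape matches the
Microsoft 365 IP Address and URL web service
(https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>).
The records below are constructed for offline use: real ids and ranges
change, so fetch the live feed and re-run before configuring anything.
"""
import ipaddress
import json

# Constructed sample in the web-service format. Ranges are illustrative.
SAMPLE_FEED = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/40"],
     "tcpPorts": "443", "expressRoute": True},
    {"id": 31, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22", "40.108.128.0/17"],
     "tcpPorts": "80,443", "expressRoute": True},
    {"id": 11, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "urls": ["*.lync.com", "*.teams.microsoft.com"],
     "ips": ["13.107.64.0/18", "52.112.0.0/14"],
     "udpPorts": "3478,3479,3480,3481", "tcpPorts": "443"},
    {"id": 46, "serviceArea": "Common", "category": "Allow", "required": True,
     "urls": ["*.office.com"], "ips": ["40.126.0.0/18"], "tcpPorts": "443"},
    {"id": 125, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["*.microsoft.com"], "tcpPorts": "80,443"},
])


def select_direct_prefixes(feed_json, categories=("Optimize",)):
    """Return (ipv4_nets, ipv6_nets, url_only_ids) for feed entries whose
    category is in `categories`.

    Optimize-only is the Microsoft split-tunnel recommendation: a short,
    stable list of latency-sensitive endpoints. Adding Allow or Default
    turns this into the 'broad exceptions' model and the list grows fast.
    Entries with URLs but no IPs cannot be routed by prefix; their ids are
    returned separately so the VPN client can match them by name, or they
    simply stay inside the tunnel.
    """
    v4, v6, url_only = [], [], []
    for entry in json.loads(feed_json):
        if entry.get("category") not in categories:
            continue
        ips = entry.get("ips") or []
        if not ips:
            url_only.append(entry["id"])
            continue
        for cidr in ips:
            net = ipaddress.ip_network(cidr, strict=True)  # reject malformed feeds
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent/overlapping prefixes and sorts them
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)),
            url_only)


def is_direct(destination, v4_nets, v6_nets):
    """True if `destination` would leave via the local Internet breakout."""
    addr = ipaddress.ip_address(destination)
    nets = v4_nets if addr.version == 4 else v6_nets
    return any(addr in net for net in nets)


def address_count(nets):
    """How much address space the exception list covers; a useful sanity
    check when reviewing a 'broad exceptions' configuration."""
    return sum(net.num_addresses for net in nets)


if __name__ == "__main__":
    v4, v6, url_only = select_direct_prefixes(SAMPLE_FEED)
    print("IPv4 direct:", [str(n) for n in v4])
    print("IPv6 direct:", [str(n) for n in v6])
    print("URL-only entries:", url_only)
    print("Addresses bypassing the VPN:", address_count(v4))
    print("13.107.6.153 direct?", is_direct("13.107.6.153", v4, v6))
    print("40.126.0.1 direct?", is_direct("40.126.0.1", v4, v6))
```

Run it with the categories argument widened to ("Optimize", "Allow") and compare address_count() before and after to see how quickly a "few exceptions" design turns into "broad exceptions". Whatever produces the route list, it has to be re-run on a schedule: the feed carries a version and the ranges change.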

Pros and Cons of VPN Options

The following summarises the pros and cons of each VPN option from a network speed, reliability, high availability and security perspective.

VPN Forced Tunnel

Pros:

1. Simple and consistent configuration
2. Centralised network and security policies
3. Full visibility and control of all traffic

Cons:

1. High bandwidth consumption and cost: every Internet and SaaS packet is hairpinned through the corporate Internet link
2. Poor user experience and productivity, particularly for latency-sensitive services such as Teams media
3. Low scalability and resilience: the VPN concentrator is a single choke point for all traffic
4. Ongoing maintenance, hardware upgrades and management

VPN Forced Tunnel with few exceptions

Pros:

1. Reduced bandwidth consumption and cost
2. Improved user experience and productivity for the exempt scenarios
3. Centralised network and security policies for most traffic
4. Full visibility and control of most traffic

Cons:

1. More complex and less consistent configuration (the exception list must be kept in step with the published endpoints)
2. Poor user experience and productivity for non-exempt scenarios
3. Low scalability and resilience for non-exempt scenarios
4. Exempt traffic bypasses the VPN's inspection and policy, so it is unprotected if the endpoint or client is compromised, unless a cloud security solution protects the SaaS services
5. Ongoing maintenance, hardware upgrades and management

VPN Forced Tunnel with broad exceptions

Pros:

1. Significantly reduced bandwidth consumption and cost
2. Significantly improved user experience and productivity for the exempt scenarios
3. Centralised network and security policies for most traffic
4. Full visibility and control of most traffic

Cons:

1. Very complex and inconsistent configuration (large, vendor-wide exception lists that change frequently)
2. Poor user experience and productivity for non-exempt scenarios
3. Low scalability and resilience for non-exempt scenarios
4. A large share of traffic bypasses the VPN's inspection and policy, so it is unprotected if the endpoint or client is compromised, unless a cloud security solution protects the SaaS services
5. Ongoing maintenance, hardware upgrades and management

VPN Selective Tunnel

Pros:

1. Minimal bandwidth consumption and cost
2. Optimal user experience and productivity for all scenarios
3. High scalability and resilience for all scenarios
4. Centralised network and security policies for corpnet-based services
5. Full visibility and control of corpnet-based services

Cons:

1. Complex and inconsistent configuration (corpnet routes must be defined and maintained per client)
2. No network and security policies for Internet-based services
3. No visibility and control of Internet-based services
4. All Internet-bound traffic bypasses the VPN, so SaaS security depends entirely on a cloud solution protecting those services
5. Ongoing maintenance, hardware upgrades and management

No VPN

Pros:

1. No bandwidth consumption and cost for VPN
2. Optimal user experience and productivity for all scenarios
3. High scalability and resilience for all scenarios
4. Modern and consistent security policies for all services
5. Full visibility and control of all services

Cons:

1. Requires a SASE/SSE solution and its integration
2. Requires identity and device management, because access decisions depend on user and device state (for example Microsoft Entra ID with Intune, or an equivalent)
3. Requires cloud and network optimisation (local Internet breakout, DNS and QoS suited to direct access)
Recommendation

Based on the comparison of the VPN options, the recommendation is to use either the VPN Selective Tunnel option or the No VPN option, depending on the availability and feasibility of the SASE solutions and integration. Both options offer the best network speed, reliability, high availability and security for accessing corporate resources and services.

The VPN Selective Tunnel option is suitable for organisations that have a mix of corpnet-based and Internet-based services, and that want to reduce VPN bandwidth consumption and cost and improve user experience and productivity, while keeping the network and security policies for the corpnet-based services. However, this option also requires complex and inconsistent configuration, and on its own it applies no network or security policy to the Internet-based services (such as Microsoft 365); those need a cloud security solution in front of them.

The No VPN option is suitable for organisations that have mostly Internet-based services, and that want to eliminate VPN bandwidth consumption and cost and optimise user experience and productivity, while applying modern and consistent security policies to all services. This option also provides full visibility and control of all services, and leverages the features of SASE solutions such as Zscaler, Microsoft Entra Global Secure Access (GSA) and Fortinet FortiSASE. However, it also requires a SASE solution and its integration, identity and device management, and cloud and network optimisation.

Some of the features of the SASE solutions that improve the security posture over a traditional VPN are:

  • Tenant restrictions (feature of Microsoft Entra): controls which Microsoft Entra tenants users can sign in to from managed devices or the corporate network. Without it, a user (or malware on the device) can authenticate to any tenant, including a personal or attacker-controlled one, and move data there; with tenant restrictions, sign-ins to tenants outside the allow list are rejected. Tenant restrictions v2 is enforced by the Global Secure Access client for Microsoft traffic, so it no longer depends on an on-premises proxy injecting the restriction headers.
  • Conditional Access (feature of Microsoft Entra): lets the organisation enforce granular and dynamic policies based on the context of the user, device, location, application and data, and grant, limit or deny access accordingly. With Global Secure Access, "compliant network" becomes a location condition, so a policy can block Microsoft 365 for any sign-in that did not arrive through the organisation's GSA edge.
  • Continuous Access Evaluation (feature of Microsoft Entra): access tokens normally remain valid until they expire, about an hour. With CAE, services such as Exchange Online, SharePoint Online and Teams receive critical events from Microsoft Entra (account disabled, password changed, user risk raised, and so on) and reject the token in near real time, forcing the client to re-authenticate against current policy instead of waiting for expiry.
  • Support for multiple platforms: the access controls apply to any device and platform, such as Windows, Android, macOS, Linux and iOS.
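The Conditional Access and compliant-network points above come together in one policy: scope it to every user except a break-glass account and to the Office 365 app group, include every location but exclude the compliant network, and set the grant control to block. The Python below is an added example, not code from this article or from Microsoft. The two payloads follow the Microsoft Graph conditionalAccess schema, but the compliantNetworkNamedLocation type was only in the beta Graph API at the time of writing, so treat its @odata.type and property names as assumptions to verify against current documentation. The GUIDs are placeholders, and evaluate() is a deliberately simplified model of the scoping logic written here so the policy's effect can be checked offline; it is not Entra's engine.

```python
"""Conditional Access policy: block Microsoft 365 unless the sign-in
arrived through the Global Secure Access compliant network.

Added example; not code from the article. Payload shapes follow the
Microsoft Graph conditionalAccess schema (beta for the named-location
type: verify before use). evaluate() is a simplified model of Conditional
Access scoping, not the real engine.
"""

# Placeholder ids (constructed). Graph returns the real object ids when the
# named location and break-glass user are created.
COMPLIANT_NETWORK_LOCATION_ID = "11111111-2222-3333-4444-555555555555"
BREAK_GLASS_USER_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Named location meaning "this traffic came through the tenant's own
# Global Secure Access edge". POST /identity/conditionalAccess/namedLocations
COMPLIANT_NETWORK_LOCATION = {
    "@odata.type": "#microsoft.graph.compliantNetworkNamedLocation",
    "displayName": "All Compliant Network locations",
    "compliantNetworkType": "allTenantCompliantNetworks",
    "isTrusted": True,
}

# Policy body for POST /identity/conditionalAccess/policies.
# Start with state "enabledForReportingButNotEnforced" in a real tenant and
# read the sign-in logs before switching to "enabled".
REQUIRE_GSA_POLICY = {
    "displayName": "Block Microsoft 365 unless via Global Secure Access",
    "state": "enabled",
    "conditions": {
        # Always exclude a break-glass account: if the GSA client or edge
        # fails, this policy would otherwise lock out every admin too.
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_USER_ID]},
        "applications": {"includeApplications": ["Office365"]},
        "locations": {
            "includeLocations": ["All"],
            "excludeLocations": [COMPLIANT_NETWORK_LOCATION_ID],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def _in_scope(include, exclude, value):
    """Include/exclude semantics as Conditional Access applies them:
    'All' or an explicit match brings the value in; any exclude wins."""
    included = "All" in include or value in include
    return included and value not in exclude


def evaluate(policy, signin):
    """Return 'block', 'grant' or 'not_applicable' for a constructed sign-in.

    signin = {"user": id, "app": app id,
              "locations": set of named-location ids the sign-in matched}
    The location condition matches when some matched location is included
    and none is excluded; 'not_applicable' means other policies decide.
    """
    cond = policy["conditions"]
    users, apps, loc = cond["users"], cond["applications"], cond["locations"]
    if not _in_scope(users["includeUsers"], users.get("excludeUsers", []), signin["user"]):
        return "not_applicable"
    if not _in_scope(apps["includeApplications"], apps.get("excludeApplications", []), signin["app"]):
        return "not_applicable"
    matched = set(signin["locations"])
    included = "All" in loc["includeLocations"] or bool(matched & set(loc["includeLocations"]))
    excluded = bool(matched & set(loc.get("excludeLocations", [])))
    if not included or excluded or policy["state"] != "enabled":
        return "not_applicable"
    return "block" if "block" in policy["grantControls"]["builtInControls"] else "grant"


def run_scenarios():
    """Constructed sign-ins covering the cases that matter for this policy."""
    scenarios = {
        "via_gsa": {"user": "alice", "app": "Office365",
                    "locations": {COMPLIANT_NETWORK_LOCATION_ID}},
        "direct_internet": {"user": "alice", "app": "Office365", "locations": set()},
        "break_glass_direct": {"user": BREAK_GLASS_USER_ID, "app": "Office365",
                               "locations": set()},
        "other_app_direct": {"user": "alice", "app": "some-other-app", "locations": set()},
    }
    return {name: evaluate(REQUIRE_GSA_POLICY, s) for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} -> {result}")
```

The outcome worth noticing is that a sign-in coming through GSA is simply out of scope for this policy, so the organisation's existing MFA and device-compliance policies still apply to it; the policy only adds a hard block for Microsoft 365 traffic that reached Microsoft without passing the organisation's edge, which is exactly the gap the Selective Tunnel option leaves open.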

Useful reference materials:

  1. What is Global Secure Access? – Global Secure Access | Microsoft Learn
  2. Learn about the Global Secure Access clients for Microsoft Entra Private Access and Microsoft Entra Internet Access – Global Secure Access | Microsoft Learn
  3. Zscaler Internet Access | AI-Powered Security Service Edge
  4. SASE Solution – Secure Access Service Edge | Fortinet
  5. Pulse Secure: Secure Access Made Easy | Ivanti

 

Final note: Microsoft Entra Global Secure Access is a fairly new service and some of its features are still in preview, meaning that as of writing they are not generally available and not covered by production support commitments. However, it is built on services that are well established and widely used, such as Application Proxy, Conditional Access and Continuous Access Evaluation. A sensible interim design is to run VPN Selective Tunnelling and Entra GSA together. The Global Secure Access client's Microsoft 365 forwarding profile takes Microsoft 365 traffic, which then leaves via the local Internet breakout to Microsoft's Security Service Edge rather than the VPN, where Conditional Access (including the compliant-network check) is enforced; corpnet traffic continues to use the selective VPN tunnel until Private Access replaces it.

ElysianIT
Microsoft Solutions Partner
