We've come a long way in just a few posts from learning about the TCP/IP Stack to cloud networking constructs in the last post. Building on all of this knowledge, let's now take a look at how network security has evolved as the world has gone more distributed. In this post we'll explore modern approaches to remote access, what capabilities modern network security solutions provide, what the buzzword phrase "zero trust" is all about, and how identity's role in network controls has taken center stage.
Although there have been some recent pushes to return to office, we live in a very distributed world. Salespeople might need to connect with different enterprise services while they're on the road, and many companies have adopted hybrid work policies where their employees can work from home.
Historically we've relied on remote access VPNs to help tackle this issue. We briefly covered this functionality in part 4 of the series. As a reminder, a client VPN builds a tunnel across the internet to a termination point which typically resides in a data center. The client device (usually a laptop) is assigned an IP address from a pool (using the subnetting techniques we've previously discussed) reserved for VPN users. It then interacts with other devices on the network as if it were also at one of the sites (as shown below from an overview of the technology by Palo Alto). If the network uses the 10.0.0.0/8 range like our previous examples, the VPN will provide an address subnetted from that range.
In a "full tunnel" configuration, VPNs will send all network traffic across the tunnel rather than using the local internet provider as an ingress point for users working from home. If a user is geographically far away from the termination point, this can cause a significant impact to performance. Packets can't break the laws of physics. In a "split tunnel" configuration where some traffic uses the local internet connection instead, security teams will lose visibility of the traffic not sent down the tunnel, which can increase the complexity of responding to an incident.
The management overhead of a remote access VPN approach at scale can be significant as well if there are requirements to logically separate different populations of users. This would mean creating more pools of addresses and managing which users are assigned to which pools. Firewall rules for VPNs typically leverage IP address range as a proxy for grouping users who should have the same level of access together. This may also increase complexity for the user as they may need multiple profiles to connect to all their required systems.
Cloud services only added to the complexity. While users may still back-haul to their data centers, more and more services are being modernized into SaaS or IaaS offerings and removed from the data center. Therefore the "data gravity" was leaving the data center and becoming much more distributed. This led network security vendors to reconsider their approaches to tackling the problem.
Learning from the success of the cloud, services previously provided by physical devices became virtualized. Rather than connecting to a data center owned by your company, your VPN client could connect to a closer termination point and use that provider's private network connections to route where needed. Another way to think about this connectivity model is as an inverted Content Distribution Network (CDN), where the remote users find their closest point of presence and use that to communicate. Many vendors add additional services once the traffic is sent through their network. For example, Zscaler, a popular vendor in the space, provides numerous connectivity points across the globe as shown here and offers a number of different capabilities. Other vendors in the space include Palo Alto Networks, Netskope, and Cato Networks.
The combined stack of capabilities has the industry acronym of SASE, or Secure Access Service Edge. This term emerged after a number of point solutions tackled different pieces of the puzzle. The stack includes the following:
- Secure Web Gateway: inspecting outbound internet traffic for threats and violation of policies
- Cloud Access Security Broker: Inspect cloud service (typically SaaS focused) bound requests for improper data usage and identify "shadow IT" usage of unsanctioned services
- Firewall-as-a-Service (FWaaS): scalable firewall services including threat detection and other advanced capabilities (ex: intrusion detection system) beyond IP address-based rules
- Software Defined Wide Area Network (SD-WAN): As the variety of connection types (MPLS, cloud connections (ex: Direct Connect/ExpressRoute), Direct Internet Access) that exist between sites increases, this technology helps manage connectivity amongst the different links.
- Zero Trust Network Access (ZTNA): Uses authentication and authorization based on a user's identity, groups, and attributes about the connection to verify if a request should be allowed to be sent to the target application. This also holds true on the corporate network, where trust is not given to another device just because it is on the same 10.x.x.x network.
The image below (credit to Aruba Networks) captures the transformation from data center centric to having the data center to just being another site like an office or branch. The outer circle in the "now" section provides the various services discussed above as users and services communicate with each other across cloud and on-premise networks.
While the exact implementations by the vendors may vary, this model allows internet and/or cloud service bound traffic to be processed efficiently at the edge, while still allowing necessary connections to reach back into the data center. In addition, these systems have the ability to do host posture validation to ensure that endpoint security software is running on a laptop. Posture validation might also include validating that disk encryption is enabled, or that a certain OS patch level has been reached. These systems also use identity-based rules to limit who can access which systems. For example, you might want to allow only the human resources organization to access the payroll system's management interface hosted in the data center or a particular SaaS application. This identity-based approach helps avoid the complexity described above for traditional remote access VPNs.
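To make the difference between the IP-pool rules of the remote access VPN model and the ZTNA identity-plus-posture model concrete, here is an added example (not code from any vendor product or from this series) of a minimal policy decision function. The VPN pool 10.250.0.0/16, the application names, the group names and the posture thresholds are all hypothetical values constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    """Constructed sample of what a ZTNA broker sees for one access attempt."""
    user: str
    groups: set
    source_ip: str
    app: str
    posture: dict  # e.g. {"edr_running": True, "disk_encrypted": True, "os_patch": 14}

# Legacy VPN-style rule: the address pool stands in for "who" (hypothetical pool).
LEGACY_RULES = [(ip_network("10.250.0.0/16"), "payroll-admin")]

def legacy_allow(req: Request) -> bool:
    src = ip_address(req.source_ip)
    return any(src in net and req.app == app for net, app in LEGACY_RULES)

# ZTNA-style policy: identity group plus device posture; source IP is not consulted
# (hypothetical app names and thresholds; unlisted apps are denied by default).
ZTNA_POLICIES = {
    "payroll-admin": {"groups": {"hr"},
                      "posture": {"edr_running": True, "disk_encrypted": True, "min_os_patch": 12}},
    "wiki": {"groups": {"employees"},
             "posture": {"edr_running": True, "min_os_patch": 10}},
}

def posture_failures(posture: dict, required: dict) -> list:
    """Return the list of posture requirements the device does not meet."""
    failures = []
    for key, needed in required.items():
        if key == "min_os_patch":
            have = posture.get("os_patch", 0)
            if have < needed:
                failures.append(f"os_patch {have} < {needed}")
        elif posture.get(key) != needed:
            failures.append(f"{key} != {needed}")
    return failures

def ztna_decide(req: Request) -> tuple:
    """Evaluate identity first, then posture; returns (decision, reason)."""
    policy = ZTNA_POLICIES.get(req.app)
    if policy is None:
        return "deny", "no policy for app (default deny)"
    if not req.groups & policy["groups"]:
        return "deny", "identity: user not in an allowed group"
    failures = posture_failures(req.posture, policy["posture"])
    if failures:
        return "deny", "posture: " + ", ".join(failures)
    return "allow", "identity and posture satisfied"
```

With this, a non-HR user who happens to hold a VPN pool address passes the legacy rule but is denied by identity, while an HR user on a coffee-shop address is allowed only when the laptop reports a compliant posture.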
The shift to the above model can take time, especially if there was limited network segmentation and more of a "castle and moat" (high levels of trust once on the private network) posture within a corporate network previously. Moving too quickly from an allow all by default to a deny all by default (with explicit allows) would likely break a business.
Similar to the benefit to endpoints, the SD-WAN component can help process internet bound traffic from remote sites more efficiently at the edge rather than relying on the data center(s) to process all that traffic. This helps match the more distributed shape we find modern networking taking.
Conclusion
As we wrap up our exploration of network security evolution, here are the essential points to remember:
- Remote Access Has Evolved Beyond Traditional VPNs - While VPNs served us well for years, they were designed for a centralized world where resources primarily lived in corporate data centers.
- Data Gravity Has Shifted - With the proliferation of SaaS and IaaS offerings, our resources are now distributed across multiple environments, necessitating new security approaches.
- SASE Provides a Comprehensive Solution - The Secure Access Service Edge framework combines multiple capabilities (SWG, CASB, FWaaS, SD-WAN, ZTNA) to address the challenges of securing a distributed workforce accessing distributed resources.
- Identity Has Replaced IP - Modern security approaches use identity attributes rather than network location to determine access privileges, reducing management complexity and improving security posture.
- Edge Processing Improves Performance - By processing traffic at distributed points of presence rather than backhauling everything to central data centers, modern solutions provide better user experiences.
- Zero Trust Is More Than a Buzzword - The principle of "trust but verify" applies not just to remote access but also to internal networks, addressing the limitations of traditional "castle and moat" security models.
- Posture Assessment Adds Context - Beyond just who you are, modern solutions consider the security state of your device when making access decisions, adding an important layer of protection and real time adjustments.
- Transition Requires Planning - Moving from traditional perimeter-based security to a zero-trust model involves careful implementation to avoid disrupting business operations.
As networks continue to evolve with containerization, microservices, and increasingly distributed architectures, these modern security approaches will continue to adapt. The future likely holds even tighter integration between identity, network controls, and application security—further blurring the lines between traditional security domains.