Everything Old Is New Again: Remote Access Comes Full Circle

By

The shift to Zero-Trust Network Architecture is recent — but not the ideas behind it.

As an old timer who’s been in the Remote Access (RA) space since the mid-’90s, I see the current wave of evolution in SASE/SDP/ZTA more of a devolution. It takes us back to providing RA as a service (RaaS), replacing dedicated i386 appliances with virtual images akin to the early days of micro services on Unix. For example, this is how Aventail, a pioneer in RaaS, launched — as a service; the appliance came some years later.

When the RaaS (again, service is right there in the name) revolution first hit — way before the SSL VPN reboot — I was building huge NT 3.51 clusters with a spaghetti of US Robotics Courier modems hanging out the back. This service was offered to customers as the Common Office environment bundle and built on the premise that we could not trust incoming user traffic.

Over the proceeding 25+ years, much has changed. But the core principle of distrust remains. One of my favorite vintage marketing tag lines simplifies this message of zero trust to “Detect – Protect – Connect.”

With the 2000s came the SSL VPN revolution, which at its heart messaged “VPN is dead” and “clientless remote access rules.” We’re seeing this again today with SASE/SDP messaging, but what does it really mean?

It comes down to crypto, packet encapsulation and routing — aka “when do I route direct,” “when do I proxy” and “when do I backhaul tunnel.” These are all questions of trust. There is no one-size-fits-all answer to this; thus, to build a highly resilient and scalable service, you must do all three and often together within a single session using JIT logic.

Injecting a bit of humor, let’s look at this piece of Aventail marketing I pulled from the web. (The internet forgets nothing!)

Image Describing A new Reference Architecture – The Inverted Network

FYI: Aventail lives on today — it is the SSL VPN startup company SonicWall purchased in 2007, which has evolved into today’s SonicWall SMA 1000 series.

With no change to the core of the slide, just updating the terminology buzzwords to current standard, we can see ZTA ideals have been around for a lot longer than you may think.

So why, then, if solution architects like me have been singing the praises of a Zero Trust Architecture (ZTA) approach for 20 years, has there been such a slow adoption? Well, unpicking a flat network is hard work, and often in a large enterprise, you just don’t know who needs access to exactly which apps and data. However, you have to start somewhere — and with many years of experience, we’ve learned a thing or two about the best way to peel that particular onion.

COVID has changed this landscape, and today I see what was considered a “good enough” remote access implementation no longer cutting it. RA overhaul projects are again in the CIO’s Top 3, the common driver being ZTA to support the home worker revolution. So the chickens have finally come home to roost, and my years of banging the drum of inverted networks and shrunken perimeters becoming the mainstay have paid off.

Image Describing Access Control Engine

A final thought: A modern RAS needs more than just a complex ACL table to be a robust, reliable ZTA service. The ACE (Access Control Engine) at the core of the SonicWall SMA 1000 may be what your security team is pushing for, but as a CIO, that alone will not help you appease the business or provide a highly reliable, most critical service.

Business continuity thinking has replaced disaster recovery thinking to achieve service uptimes of nearly 100%. This needs consideration for parallel live infra demarcations with a roll forward N+1 strategy, SPOG central configuration change scheduling, mix-mode physical and virtual termination nodes salt-and-peppered between private and public datacenters, redundant app-data paths … which all come from experience.

James Whewell
Solution Architect | SonicWall
James is currently the lead solution architect for SonicWall’s enterprise sales team. With more than 20 years in the cybersecurity industry, James has provided solution architecture, product management and security consultancy guidance to many Fortune 500 companies. With a career spanning both sides of the vendor-employee relationship, James has had a passion for access and mobility security since his startup days launching the SSL VPN space.