FDE and VPN: Don’t Throw out the Security Baby with the Legacy Bathwater, Part 2
Editor's Note: This is part 2 in a series, "FDE and VPN: Don’t Throw out the Security Baby with the Legacy Bathwater." For part one, click here.
What's the alternative to VPN? For adequate security, Welch seems to be relying on HTTPS (hypertext transfer protocol secure). HTTPS layers conventional Web HTTP over the SSL/TLS security protocol (secure-sockets layer/transport-layer security; SSL is the obsolete predecessor, TLS the current protocol, though the older name persists). HTTPS is built into every modern Web browser and is generally easy for end-users. HTTPS, however, has its limitations. It can put more of a burden on administrators, and it covers only applications that exist as Web applications served through an HTTPS server; a thick client speaking its own protocol gets nothing from it.
After a couple of decades of experience and refinement, the fundamental trade-off for VPNs is well understood. There's a significant, though well-quantified, initial cost to establish the VPN between the home network and the first remote location. With that first connection in place, though, the remote location can network just as though "at home," with minimal impact on performance. The slowdowns that plagued the first generation of VPNs have nearly disappeared.
In isolation, a VPN-free solution for one particular application is probably easier to set up, on both the server and client sides. In the absence of a VPN, though, each additional application might require an HTTPS redirect, a slight firewall reconfiguration, an additional or reconfigured server-side SSL/TLS certificate, and perhaps expanded licensing (many software licenses categorize a remote work location as an additional "site").
Room for both
It's easy to conclude, then, that there's a need for networking toolkits to include both VPN and VPN-free choices. Younger and smaller organizations might need to support only a small number of applications for remote use, and those might be available as Web applications that lend themselves to SSL/TLS-based access. Larger organizations, and particularly those with deeper histories, are likely to rely on a wider range of networked applications. A VPN is less expensive and less complicated than the combination of separate analyses and configurations that would be required to get all of those different applications working properly. Also, SSL/TLS-based solutions have a somewhat spottier history of exploits; security experts like Tom Henderson, Managing Director of Extreme Labs, make the point that "TLS 1.0 was bad, and it's still around." The IETF has formally deprecated TLS 1.0 and 1.1 in RFC 8996, but deprecated does not mean disabled: a server that still negotiates them is a finding worth checking for.
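Henderson's point is only actionable if you can tell whether a given server still accepts TLS 1.0. The following Go program is an added example, not code from the article or from anyone quoted in it: it audits which protocol versions a TLS server will negotiate by pinning the client's minimum and maximum version to one value at a time. So that it runs offline, it stands up two loopback servers with a self-signed certificate (the certificate, the loopback address and the "legacy" and "hardened" labels are assumptions of the example), one with the weak floor of TLS 1.0 and one with a floor of TLS 1.2, and audits both. Pointing `auditVersions` at a real host and a real root pool turns it into the check itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// tlsVersions lists the protocol versions the audit probes, oldest first.
var tlsVersions = []struct {
	name string
	id   uint16
}{
	{"TLS 1.0", tls.VersionTLS10},
	{"TLS 1.1", tls.VersionTLS11},
	{"TLS 1.2", tls.VersionTLS12},
	{"TLS 1.3", tls.VersionTLS13},
}

// selfSignedCert builds a throwaway ECDSA certificate for localhost/127.0.0.1
// (assumed for the example) so the audit can run without a deployed server.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// auditTarget is a loopback TLS server plus the root pool a client needs to trust it.
type auditTarget struct {
	Addr string
	Pool *x509.CertPool
	ln   net.Listener
}

func (s *auditTarget) Close() { s.ln.Close() }

// startServer listens on a loopback port with minVersion as the protocol floor.
// tls.VersionTLS10 models the legacy configuration; tls.VersionTLS12 the hardened one.
// The explicit MinVersion is the whole difference between the two configurations.
func startServer(minVersion uint16) (*auditTarget, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVersion}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				c.(*tls.Conn).Handshake() // the handshake result is what the client observes
			}(c)
		}
	}()
	return &auditTarget{Addr: ln.Addr().String(), Pool: pool, ln: ln}, nil
}

// probe attempts exactly one protocol version by pinning both ends of the
// client's allowed range; true means the server negotiated that version.
func probe(addr string, pool *x509.CertPool, version uint16) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs: pool, ServerName: "localhost", MinVersion: version, MaxVersion: version,
	})
	if err != nil {
		return false
	}
	defer conn.Close()
	return conn.ConnectionState().Version == version
}

// auditVersions probes every version in tlsVersions. A true value for
// "TLS 1.0" or "TLS 1.1" is the finding a reviewer would flag.
func auditVersions(addr string, pool *x509.CertPool) map[string]bool {
	out := make(map[string]bool, len(tlsVersions))
	for _, v := range tlsVersions {
		out[v.name] = probe(addr, pool, v.id)
	}
	return out
}

func main() {
	configs := []struct {
		name string
		min  uint16
	}{
		{"legacy server (MinVersion TLS 1.0)", tls.VersionTLS10},
		{"hardened server (MinVersion TLS 1.2)", tls.VersionTLS12},
	}
	for _, c := range configs {
		s, err := startServer(c.min)
		if err != nil {
			panic(err)
		}
		res := auditVersions(s.Addr, s.Pool)
		s.Close()
		fmt.Println(c.name)
		for _, v := range tlsVersions {
			fmt.Printf("  %s accepted: %v\n", v.name, res[v.name])
		}
	}
}
```

Pinning `MinVersion` and `MaxVersion` to the same value is the important detail: a normal client negotiates the highest version both sides support, so a successful connection tells you nothing about whether the server would also have accepted TLS 1.0 from a downgraded or older client. Each probe asks one specific question, and the answer for "TLS 1.0" is the one Henderson's remark is about.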
Welch might well be right -- perhaps he's in a situation where the advantages of a VPN matter little. That certainly doesn't mean it's time to live without VPNs in all the other networking roles, where they are the best solution available.