Often viewed as “older” technology, hardware-based VPNs don’t get a lot of love.
In a world of buzzwords like "machine learning" and "artificial intelligence", utilitarian technologies that get the job done (often more effective and simpler than their more flashy counterparts) tend to get overlooked.
So why should you slow down and take a second look at hardware VPNs?
Because, in many cases, hardware-based VPNs can provide better security, are easier to use, and require less maintenance than their software-based counterparts.
What is the Edge?
VPNs are meant to help us protect the devices at the edges of our networks.
Before we can define what's meant by "the edge," it's helpful to look back at some of the other terms that are often thrown around when defining networks, specifically around the instances in which VPNs are necessary.
A term that was once very popular in the world of cybersecurity was the “perimeter.” At the time in which it was in heavy use, the perimeter was used to describe the edge of an organization’s internal network.
Anything that was inside the perimeter was physically located within your office, and any device that was allowed on it was a known, organization-provided device.
However, in today’s hyperconnected environment with mobile devices, 24/7 connectivity, and widely spread teams, the perimeter has all but disappeared. No longer can we ignore the need for devices and humans outside of our physical perimeter to connect into our networks, and to do so securely.
In fact, thinking you can create and protect a perimeter will do nothing more than provide you with a false sense of security, and open you up for a breach.
Instead, what we look to protect today is “the edge.”
The edge includes all of those end user devices, far and wide, that we need to allow into our network from the outside. In some cases the edge can also extend to include IoT or unmanned devices that autonomously need to communicate with our network as well.
This Edge is what a VPN works to protect and secure.
🔎 Related Articles: Hardware VPN Buyers Guide
Hardware vs. Software VPNs
A software-based VPN is achieved by downloading software on each end user device that needs to connect to the network, as well as installing software on the central network to which those devices will need to connect. Software-based VPNs will encrypt data that is transmitted between the end user device and the main network.
Hardware-based VPNs are typically physical devices that connect to an end user device and, when coupled with software installed at the server side within the main network, encrypt communication between the two.
In addition, hardware-based VPNs can typically offer firewall functionality to users as well.
There are many different solutions on the market for hardware-based VPNs, each with different features and functionality, so for the purposes of this discussion I’ll limit myself to Archon's hardware-based solution in order to speak about specific features rather than in general terms.
Benefits of Archon’s Hardware-Based VPN
Often, VPN solutions are complex and require significant effort to manage, monitor and maintain. Archon’s GoSilent platform offers quite a few benefits for protecting devices at the edge over typical software-based VPN solutions.
No software is required for end user devices.
This is one very clear benefit for both organizations and end users alike. There is nothing to install, nothing that requires training, and nothing that requires maintaining updates on the end user device itself. This makes it very simple to connect both organization-provided devices and personal devices alike.
🔎 Related Articles: Which Kind of Hardware VPN is Right for You? Find out!
Centralized maintenance and management is much less involved.
IT departments love how much less is required of them to keep a hardware-based solution up and running effectively. There are no constant patches and updates to keep track of. For the most part, once the initial installation and setup of the server-side software is complete (usually in as little as 10 minutes) there isn’t much they have to worry about.
No software compatibility concerns.
Because no software is required on the end user devices, there is no concern about which versions of applications or operating systems are running on those devices. With a software-based solution, there are a whole lot of those types of requirements to ensure the VPN can work correctly in the environment -- and that poses particular challenges, especially in cases where employees are using their own home computers or smart phones, or where legacy IoT devices may not support modern software VPNs.
Additionally, our server-side software is built to run on a virtual machine, meaning it is agnostic of your existing central network environment, operating systems or applications.
Firewalling and isolation.
The end user devices connected through our GoSilent Cube never actually touch the networks they connect to. The GoSilent device acts as a firewall between the device it is connected to and the outside world. No other devices on the same network as that end user device can even see that the device itself exists. Instead, their view ends at the GoSilent Cube. No software-based VPN can accomplish that.
Smaller attack surface.
Because the end user device is completely obfuscated from the network, the applications and operating system that are running on that device no longer offer an attack surface. Typically, operating systems -- like Windows for instance -- will have a large number of potential entry points because the software is doing so much. This means more opportunities for attack. With a GoSilent Cube, your attack surface becomes microscopic.
Lower risk of “VPN hijacking.”
Software-based VPNs make it much easier for VPN credentials to be stolen and used at a future date -- think something like your credit card number being stolen and then used to purchase items in the future. Similarly, with software-based solutions, it becomes easier to steal VPN login credentials and save them for future use. The GoSilent Cube helps protect against that because, again, the end user device is completely obfuscated from the network.
Greater control over where traffic is sent.
A hardware-based VPN can be configured to only allow traffic to flow to a single endpoint. Meaning, once connected to an end user device, it can ensure that any and all traffic can only go to the central network.
Software-based solutions don’t offer the same degree of control, and it is more difficult to be assured that traffic isn’t going somewhere it shouldn’t.
Potential to connect multiple devices.
Specific to the design and configuration of GoSilent, it is possible to use it as a Wi-Fi hotspot and protect multiple end user devices (like a mobile phone, laptop and tablet) all at the same time. In the case of software VPNs, each device would need to have a separate VPN client installed. This means less set-up and maintenance overall, and less concern about updating and patching.
Reduced risk of misconfigurations and user error.
Because there is nothing to configure on a GoSilent, there is nothing to misconfigure. It is as simple as plugging the GoSilent Cube into the end user device (or connecting the two over the GoSilent Cube's LAN).
With software, there are usually plenty of settings that can be set incorrectly and far more training a user will need in order to make sure they are using everything correctly. If a user misconfigures the software or does not know how to use it, the risk of unauthorized access to your data increases considerably.
When to use a hardware-based VPN
There are some very clear use cases where a hardware-based VPN is the right choice. Some of those situations include:
- Public Wi-Fi connections: In cases where remote end users need to connect over public Wi-Fi, or may encounter captive portals, a hardware-based solution is far superior to a software VPN due to its ability to completely obfuscate the IP address of the end user device, as well as its ability to isolate the captive portal within the GoSilent sandbox environment.
- Networks with untrusted devices: In cases where end user devices need to connect over networks that will likely have many other untrusted devices on them (think home Wi-Fi networks), the same benefits apply.
- Allowing for partners to connect: When you have third party vendors that need access to your network, a hardware-based solution provides you the peace of mind that their connections will be secure regardless of how they are connecting (including public Wi-Fi), how their device or operating system is configured, and how conscientious they are about updating and patching.
- Large professional services or contracting firms: For professional services firms, consultants may need to have VPN capabilities into multiple different clients. Software-based solutions require you to have separate VPN clients set up for each of these. By contrast, hardware simplifies the ability to connect from a single end user device to multiple, unique central networks.
There are also a few cases where you would actually need to combine both hardware and software-based VPNs. These include:
- CSfC approved applications: CSfC requires the use of both a hardware and software-based VPN for multiple layers of security. This is commonly found in government remote work applications.
- IP obfuscation: If you want to hide the physical location of both the end user device and the network they are connecting to, then a combination hardware and software solution will allow for that.
After learning more about the benefits of hardware-based VPNs, you may be wondering what it would take to migrate from your current solution (if you already have one in place) to a hardware VPN solution.
We recommend looking to your next IT refresh cycle, and really considering the needs you have from your VPN solution, how your staff will be connecting, and how to ensure the level of security your organization needs.
You will find that there are a few things you might gain or consider during the process:
- A hardware-based solution may open up the possibility of bringing your own device (BYOD) for your organization when it might not have been considered in the past.
- Your IT team will be benefited from a reduction in management, patching and upkeep of a hardware-based solution.
- You can achieve a stronger security posture than what you’ve had in the past if you are looking to improve in that area.
Hardware undeservedly gets a bad rap. Think of it like duct tape or WD40 -- they may have been around for a long time, but that's because they are incredibly useful for a wide variety of situations, and that's why everyone has them.