Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

Using SDP as an alternative to VPN: 6 questions admins often ask

January 21, 2019 - 4 min read

Another year down and odds are you’re looking at another year using your remote access VPN. Another year of frustrated users, their grumbling growing louder as the number of mobile employees rises. With applications and workloads moving to the cloud and many users working remotely, the emphasis on traditional network-perimeter security needs to be reevaluated, specifically in the context of remote access.

The software-defined perimeter (SDP), technology known by Gartner as zero trust network access (ZTNA), provides a modern, 100% software-based approach to secure private application access without the need for VPN. As organizations continue to transform and seek to implement a zero trust network, SDP becomes a critical prerequisite to enabling the necessary security, user experience, and network simplicity the business needs.

Companies like TRIMEDX have already begun using SDP as a VPN alternative and have shared their story in a recent webinar, “Three reasons SDP will replace VPN in 2019.” But many in enterprise IT have questions around SDP and how it replaces VPN. Below, we’ll address six questions we often see come up when discussing software-defined access technologies.

1.  What are the main areas in which SDP technologies differ from VPN?

Where they truly differ is in their method of connectivity. VPNs are IP and network-centric, connecting devices to networks; SDP instead provides secure connections between authorized users and authorized applications, not the network.

With SDP solutions, inside-out connections are established between user and application, rather than receiving inbound connections from the device and onto the network. These inside-out connections ensure that application IPs are never exposed to the internet while decoupling application access from the network. Since users receive no network access, the attack surface is minimized, while users enjoy fast, direct access to applications with no network-related latency—a user experience that’s far superior to VPN.

2.  What are some things that SDP cannot do that a traditional VPN can?

Legacy VPN technology still holds a foothold due to its ability to provide universal protocol tunneling. SDP solutions support most protocols; however, some SDP solutions do not have the capability to support peer-to-peer (P2P) protocols, Voice over IP (VoIP), Session Initiation Protocol (SIP), or Signaling System 7 (SS7). As SDP continues to mature, we can expect to see more support of these protocols.

3.  What makes SDP good options for my enterprise?

SDP is a technology you should consider if your VPN is causing pain to the business—whether it’s the result of lost user productivity due to slow access, security risk due to limited visibility and control, or difficult management due to the growing complexity of the VPN architecture.

While SDP is becoming a popular alternative to VPN, there are a variety of other ways enterprises are leveraging the technology. They include enabling multi-cloud access, securing third-party access, and accelerating IT integration for M&As.

See how companies like MAN Energy Solutions, NOV, Perdue Farms, and TRIMEDX have leveraged SDP to solve their individual challenges.

4.  Does SDP replace any appliances in my inbound security stack?

Yes, specifically the VPN concentrator, DDoS appliances, and even load balancers.

The VPN concentrator is removed from the inbound stack since SDP itself serves as a VPN/RAS alternative. Unlike a VPN that operates as an internal listening port, SDPs can receive no inbound pings, making the network undetectable and effectively creating a “darknet.”

The need for DDoS appliances is eliminated because user-to-application connectivity is made via inside-out connections instead of inbound pings. IPs are never exposed to the internet, making applications invisible to unauthorized users and reducing the threat of internet-based attacks, such as DDoS.

Some SDP services even provide their own built-in global and internal load balancing capabilities. With the right SDP service, user traffic can be automatically directed to find the optimal path to an application, while enabling even greater consolidation of the inbound stack.

5.  Which operating systems are SDPs compatible with?

In the case of ZPA, our app connectors, which run in the customer’s environment as lightweight RPMs or VMs, are compatible with a wide range of operating systems.

Supported platform operating systemsVMware vCenter, VMware vShere Hypervisor (ESXi), Oracle Linux, Microsoft Azure, Microsoft Hyper-V, Amazon Web Services (AWS), Red Hat Enterprise Linux, CentOs

Supported device operating systemsWindows, Android, MacOS, iOS, Linux, Oracle

However, if a device operating system is not supported, some SDP providers have browser access capabilities for web applications. This eliminates any device compatibility issues and enables secure connectivity from user to application via a browser.

6.  SDP would fit as a VPN alternative for my organization, so how do I get started?

A great place to start is by familiarizing yourself with the SDP architecture and how it could fit into your environment. The Network Architect's Guide to Adopting a Software-Defined Perimeter is a great resource for you or any network architect seeking to understand the SDP environment or trying to identify first steps and pro-tips as the enterprise looks to implement an SDP.

Learn more about SDP as a VPN alternative:

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.