How Zero Trust Network Access Reduces Network Latency
With so many people still working from home, VPN latency has gone from a niche concern to a mission-critical performance metric. Remote access is no longer limited to a few users. Everyone needs remote access — and they want the same experience they had at the office.
Slow-responding network connections directly impact user productivity and undermine business performance. We’ll explore how traditional network architectures drive latency issues and contribute to security risk. A modern approach to network design called Zero Trust Network Access (ZTNA) offers a better alternative. We’ll explain what ZTNA is and how ZTNA produces performant, low-latency network connections.
From the user’s perspective, latency is the time between an action and seeing its result: the round trip from the keyboard to the remote resource and back. Every hop along that path adds to the delay. With high-latency connections, the user experience suffers as:
- Web pages take longer to load.
- File uploads and downloads take forever.
- Video streams drop frames and shift to lower resolutions.
- Audio streams sound robotic and cut out.
Latency can be a particular problem for DevOps teams that work remotely. Sluggish response times undermine productivity, especially when developers are transferring large files: TCP throughput is bounded by the window size divided by the round-trip time, so a higher-latency path caps transfer speed even when raw bandwidth is plentiful.
Latency can also become a security problem. When users, especially privileged users, regularly suffer high-latency connections, they may sacrifice security hygiene to get their jobs done. For example, remote workers often work around a poorly performing VPN by disconnecting it and working over the public internet, outside whatever encryption, monitoring, and access controls the tunnel provided.
A secure perimeter paradigm drives the design of traditional network architectures. On-premises workers access services and resources on a central network. Security technologies protect that network from external threats. Additional technologies let remote workers pass through these network defenses but often impact user performance.
Virtual private network (VPN) gateways concentrate traffic between remote users and the protected network. They also decrypt and encrypt packets flowing in and out of the secure VPN tunnels.
Whether running on an appliance or a virtual server, the number of concurrent users a VPN gateway can handle is limited. Latency and throughput suffer when many remote workers try to use the VPN gateway at the same time.
Geography also impacts VPN latency. The farther remote workers are from their company’s central network, the longer it takes for data to reach the VPN gateway and return.
Network topology is another issue when remote users access cloud resources through their company’s VPN. The traffic must pass from the user to the VPN gateway, traverse the company network to its internet egress, and terminate at the cloud service provider. The reply then flows back along the same path to reach the user. This detour, also called backhaul or the trombone effect, can increase latency significantly compared with a direct path from the user to the cloud provider.
VPN technologies have weaknesses besides their performance limits. Because they are designed to grant access to networks rather than to individual resources, VPN solutions offer little granular control on their own: once connected, a user is on the network, and restricting them to specific hosts requires additional firewall rules or segmentation that are easy to get wrong. Should a VPN gateway or a user’s credentials be compromised, attackers inherit that same broad network access.
Although newer, software-defined wide-area networks (SD-WANs) are still shaped by the secure perimeter paradigm and suffer similar weaknesses. As with VPNs, geography and hardware limitations can add latency. But the biggest impact is the internet’s “middle mile”. Internet routing is driven by peering policy and cost rather than by latency, so as packets bounce from network to network they rarely follow the fastest route, and latency suffers as a result.
Remote Desktop Protocol (RDP) needs low-latency connections in order to deliver an office desktop experience to remote workers. Network setups at both ends of the connection, the distance between users and the protected network, and the RDP session settings all contribute to latency.
In most cases, companies consolidate traffic through an RDP gateway in order to support their remote workers more efficiently. These gateways become bottlenecks as the number of concurrent users rises. Backhaul is also an issue. RDP lets users work on a desktop environment as if they were in the office, but when they use that desktop to access cloud resources, the traffic makes the same round trip through the private network.
RDP also shares VPN’s security limitations. Like a VPN gateway, an RDP gateway listens on the public internet, so it is easily found by internet-wide scanning and is a frequent target for credential brute forcing and for exploitation of unpatched gateway software.
Remote workers have jobs to do. They will find a workaround if their company’s secure access solution interferes with their work. Consider Zoom, Teams, and similar business communications platforms. For better or worse, these apps have become standard parts of remote workers’ lives. People leave them running all day to stay in touch with co-workers and attend virtual meetings.
However, these bandwidth-intensive and latency-sensitive apps can become unusable over poorly-performing VPN connections. So, people turn their VPNs off. Real-time video conferencing gets better, but now messages and attachments are no longer passing through the VPN’s encrypted tunnel.
Zero Trust Network Access is a modern framework that replaces the old secure perimeter paradigm. ZTNA makes connecting today’s distributed workforces with increasingly decentralized, cloud-based resources simpler and more secure. It assumes that a breach can happen at any time, or may already have happened, so every connection attempt is verified with no exceptions. Private network or public hotspot, managed device or BYOD, executive or contractor: every request is authenticated and authorized. Once verified, policies based on the principle of least privilege grant access only to the specific resources the user needs at that time.
ZTNA eliminates many of the performance issues associated with VPN and other secure perimeter technologies:
Rather than concentrating traffic through a gateway, ZTNA establishes direct connections between remote workers and the resources they access. This eliminates the congestion and backhaul associated with a VPN gateway. When a user accesses a cloud-based resource, the ZTNA system brokers an encrypted tunnel between the user’s device and that resource, and its routing logic picks the best available path rather than forcing traffic through the corporate network.
Performance on the private network improves as ZTNA diverts user-to-cloud traffic directly to the internet. As a result, users get faster, more responsive access to on-premises resources as well.
ZTNA solutions can enable split tunneling to further improve performance. A ZTNA client on the user’s device sends only traffic bound for protected resources through the encrypted tunnel and lets everything else, including real-time communications protocols, travel over the public internet. Exempted traffic is not unprotected; it simply relies on the application’s own transport encryption (TLS or SRTP for most video conferencing platforms) instead of the ZTNA tunnel. The practitioner’s caveat is that anything excluded also bypasses whatever logging and inspection the tunnel would have provided, so exclusions should cover only traffic that never touches protected resources, and traffic to a protected resource must always take the tunnel regardless of port or protocol.
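To make the routing decision concrete, here is an added example (not Twingate’s client code, nor any vendor’s) of the per-connection choice a split-tunnel ZTNA client makes. The protected CIDRs and DNS patterns, the media-port exclusion list and the sample flows are all constructed for the illustration. It also contrasts the ZTNA-style rule (tunnel only protected resources) with a full-tunnel VPN-style rule (tunnel everything except explicit exclusions), and in both modes a protected resource wins over any exclusion.

```python
"""Split-tunnel routing decision made on the user's device.

Added illustration for this article; not Twingate's client implementation.
Resource definitions, exclusion ports and flows below are constructed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dest: str   # hostname or IP literal the application is connecting to
    port: int
    proto: str  # "tcp" or "udp"


# Protected resources as an admin would define them (constructed for this example).
PROTECTED_CIDRS = [ipaddress.ip_network(c) for c in ("10.20.0.0/16", "192.168.50.0/24")]
PROTECTED_NAMES = ["git.internal.example", "*.corp.example"]

# Real-time media a full-tunnel VPN client might exclude (constructed):
# the STUN/TURN port range conferencing apps commonly use.
MEDIA_EXCLUSIONS = {("udp", p) for p in range(3478, 3482)}

TUNNEL, DIRECT = "tunnel", "direct"


def _name_matches(name: str, pattern: str) -> bool:
    """Exact match, or a '*.suffix' wildcard that does not match the bare suffix."""
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return name == pattern


def is_protected(dest: str) -> bool:
    """True if dest is an IP inside a protected CIDR or a name matching a protected pattern.

    A real client also intercepts DNS so protected names resolve into the tunnel;
    that part is omitted here.
    """
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        name = dest.lower().rstrip(".")
        return any(_name_matches(name, p.lower()) for p in PROTECTED_NAMES)
    return any(ip in net for net in PROTECTED_CIDRS)


def route(flow: Flow, mode: str = "split") -> str:
    """Decide where one new connection goes.

    mode="split": ZTNA-style; only protected resources enter the tunnel, all
                  other traffic goes straight to the internet.
    mode="full":  VPN-style; everything is tunneled except explicit exclusions.
    In both modes a protected resource is always tunneled, so an exclusion can
    never leak resource traffic onto the open internet.
    """
    if is_protected(flow.dest):
        return TUNNEL
    if mode == "split":
        return DIRECT
    if mode == "full":
        return DIRECT if (flow.proto, flow.port) in MEDIA_EXCLUSIONS else TUNNEL
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    sample = [  # constructed flows
        Flow("git.internal.example", 22, "tcp"),
        Flow("10.20.3.7", 5432, "tcp"),
        Flow("zoom.us", 443, "tcp"),
        Flow("203.0.113.9", 3478, "udp"),
        Flow("db.corp.example", 3478, "udp"),
    ]
    for f in sample:
        print(f"{f.dest}:{f.port}/{f.proto:<3} split={route(f)}  full={route(f, 'full')}")
```

Note the last sample flow: a UDP connection on a conferencing port to a host under `*.corp.example` is still tunneled in both modes, because the resource match is evaluated before any exclusion. That ordering is the whole point of the caveat above.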
While ZTNA improves the user experience, this modern framework’s true strength lies in the way it secures sensitive resources. Proxies or connectors sit in front of the resources so that nothing listens for inbound connections from the public internet, or even from the rest of the private network. ZTNA clients on user devices cannot see a resource at all until the ZTNA system has authorized the request and brokered the point-to-point connection.
This distributed network architecture lets companies apply granular access control policies. Besides the user’s identity, ZTNA will use the context of each request to decide:
- Whether to grant a user access.
- Which resources a user may access.
- How limited that user’s access will be.
Context can be the source network: employees connecting from on-premises networks, for example, may reach more sensitive information than workers on airport hotspots. ZTNA can also deny access based on firewall status, antivirus status, and other aspects of the device’s security posture, and because every connection is evaluated afresh, a device that falls out of compliance loses access on its next request rather than keeping a long-lived session.
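The following is an added example of the context-aware decision described in the last few paragraphs (verify every attempt, then grant only what the context permits). It is an illustration written for this article, not Twingate’s policy engine or any vendor’s; the resource catalog, group names, posture fields, network classes and the sensitivity ceilings per network are all assumptions.

```python
"""Context-aware access decision of the kind a ZTNA policy engine makes.

Added illustration for this article, not Twingate's policy model. The resource
catalog, group names, posture fields and network classes are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Network(Enum):
    ON_PREM = "on-prem"   # corporate office network
    HOME = "home"         # a remote network the organization treats as known
    PUBLIC = "public"     # airport hotspot, cafe, anything unknown


@dataclass(frozen=True)
class DevicePosture:
    managed: bool         # enrolled in the organization's device management
    firewall_on: bool
    antivirus_on: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    network: Network
    posture: DevicePosture
    resource: str


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_groups: frozenset
    sensitivity: int            # 0 internal, 1 confidential, 2 restricted
    require_managed: bool = False


# Constructed resource catalog (assumption): what exists and who may use it.
RESOURCES = {
    "wiki": Resource("wiki", frozenset({"staff"}), 0),
    "git": Resource("git", frozenset({"devops"}), 1),
    "prod-db": Resource("prod-db", frozenset({"devops", "dba"}), 2, require_managed=True),
}

# Highest sensitivity reachable from each network class (assumption): the
# "an airport hotspot sees less than the office" rule from the article.
NETWORK_CEILING = {Network.ON_PREM: 2, Network.HOME: 1, Network.PUBLIC: 0}


def posture_ok(p: DevicePosture) -> bool:
    """Baseline device hygiene required before any resource is considered."""
    return p.firewall_on and p.antivirus_on


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one connection attempt and return (allowed, reason).

    Nothing is cached: every attempt is re-evaluated against the current
    identity, device posture and source network, and resources not in the
    catalog are unreachable by default.
    """
    res = RESOURCES.get(req.resource)
    if res is None:
        return False, "unknown resource"
    if not posture_ok(req.posture):
        return False, "device posture check failed"
    if res.require_managed and not req.posture.managed:
        return False, "managed device required"
    if not (req.groups & res.allowed_groups):
        return False, "group not authorized for resource"
    if res.sensitivity > NETWORK_CEILING[req.network]:
        return False, f"sensitivity {res.sensitivity} not reachable from {req.network.value}"
    return True, "allowed"


def visible_resources(user: str, groups: frozenset, network: Network,
                      posture: DevicePosture) -> list[str]:
    """Least privilege in practice: only the resources this exact context may
    reach are offered to the client; everything else stays invisible."""
    return sorted(name for name in RESOURCES
                  if decide(Request(user, groups, network, posture, name))[0])


if __name__ == "__main__":
    healthy = DevicePosture(managed=True, firewall_on=True, antivirus_on=True)
    dev = frozenset({"staff", "devops"})
    for net in Network:
        print(f"alice from {net.value:8} sees {visible_resources('alice', dev, net, healthy)}")
    print(decide(Request("alice", dev, Network.ON_PREM,
                         DevicePosture(True, True, antivirus_on=False), "wiki")))
```

Run it and the same user with the same device sees three resources from the office, two from home and only the wiki from a public hotspot, while switching antivirus off removes access to everything. The deny reasons are deliberately specific so that they can be logged and alerted on; an unexpected burst of "managed device required" denials for one account is the kind of signal a detection team wants.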
Traditional network architectures have inherent weaknesses that increase network latency and create poor user experiences. Hub-and-spoke topologies concentrate user traffic, causing congestion at gateways and on the private network. With cloud-based resources now the norm, using a VPN for remote access causes backhaul that further degrades the user experience. Even newer implementations of the secure perimeter paradigm, such as SD-WAN, cannot avoid these built-in performance issues.
Twingate’s Zero Trust Network Access solution is a modern approach to secure access that reduces a company’s attack surface significantly. At the same time, Twingate clears the bottlenecks from traditional networks.
Using a point-to-point topology, Twingate creates direct, encrypted tunnels between each user and the resources they access. Intelligent routing over public and private networks ensures users get performant, low-latency connections.
By controlling access to both on-premises and cloud resources for all users, Twingate relieves private networks from backhaul and unnecessary traffic. Bandwidth, throughput, and latency on the private network improve as Twingate securely routes everyone’s cloud traffic directly over the internet.
Twingate’s split tunneling feature is active by default. Handled by a Twingate client app on the user’s device, split tunneling routes traffic to protected resources through secure tunnels while letting other traffic pass over the public internet.
You can see the performance impact yourself by joining our free Standard tier for individuals and small teams. Or contact Twingate to learn more about improving your users’ experience and boosting network performance with Zero Trust Network Access.