Updated as of April 18, 2023
Organizations have several options for providing remote access, from traditional VPNs and VDI to newer cloud-based desktop-as-a-service (DaaS) offerings. This piece explains the tradeoffs of each technology and offers tips for implementing a secure remote access strategy.
VPN Pros and Cons
The benefits of a traditional on-premises VPN include:
- Easy deployment: VPNs are usually simple to deploy, whether they are clientless SSL/TLS VPNs or agent-based (IPsec or TLS) VPNs shipped with preconfigured security policies.
- Inexpensive: VPNs can be relatively cost-effective for a moderate number of simultaneous users.
- Flexibility: VPNs can be used with just about any type of remote device.
- Well-understood, time-tested technology: Staffers with the skills to configure/manage/oversee VPNs are readily available.
- Easy logging/monitoring: Many security operations teams understand well how to log and monitor VPN connections.
However, VPNs also have some potential pitfalls/drawbacks:
- Performance issues: VPN concentrators can become overloaded with a high number of simultaneous users, and bandwidth can also become saturated.
- Client/endpoint issues: VPN clients must be configured and deployed and can sometimes cause conflict on endpoints. Plus, not all VPN providers/vendors support all endpoint configurations.
- Lack of endpoint visibility and control: Beyond optional posture checks (patch level, antivirus signatures, etc.), a VPN does nothing inherently to secure the connecting endpoint, yet it typically places that endpoint on the internal network, so a compromised or unmanaged device gets whatever reach the tunnel and its access rules allow.
VDI Benefits and Disadvantages
Benefits of VDI
- Centralized control: VDI offers full central data center control over all aspects of OS and application security.
- Malware protection: Non-persistent images are discarded after each session, eliminating many persistence mechanisms (though anything written to persistent disks, roaming profiles or the golden image itself survives).
- Reduced data center threats: All resource access comes from VDI central farms, not distributed endpoints.
Disadvantages of VDI
- Additional resource requirements, including storage, virtualization platforms, etc.
- More complexity, which requires more operational oversight.
- Potentially higher costs for licensing.
Remote Access Strategy Considerations
Other considerations to keep in mind:
- Use of company-owned devices: If all remote assets are 100% controlled by the organization, a VPN is a very viable and sustainable remote access option for the foreseeable future. It also minimizes the impact on end users in terms of complexity and configuration.
- Bandwidth concerns: Bandwidth constraints are likely to be a concern, irrespective of which option is used.
- VDI vs. RDP: Brokered VDI connections are likely to be superior to direct RDP to individual hosts because:
  - Direct RDP does not scale to numerous simultaneous connections and exposes each host individually, whereas mature VDI is built to broker many connections at once and keeps the hosts behind the broker.
  - VDI can be configured much more flexibly for specific types of remote access beyond just Windows servers.
- Dedicated VMs vs. pooled: For highly sensitive access to data and/or privileged users, setting up dedicated VDI instances or VMs is a sound approach, as long as you have the infrastructure capacity to support this. However, most clients use pools of VMs.
VDI Security Best Practices
Best practices for securing VDI deployments include:
- Secure all endpoints where the client will be installed with patches, OS configuration standards and anti-malware technology.
- Require MFA for all users accessing VDI instances remotely. At the very least, ensure privileged users use MFA.
- Use a virtualization-aware endpoint security suite within your VDI cluster for the VDI instances themselves. This helps limit resource utilization. Most major endpoint security vendors have solutions that integrate with major VDI platforms or are sensitive to resource consumption on VDI instances.
- Disable USB and external drive redirection from remote clients into the VDI session, if possible.
- Set client session timeout values: Some systems default to 600 minutes (10 hours), for example. A better choice is 30 minutes or less.
- Set VDI administrator console timeouts: A common default is 30 minutes, but 15 minutes or less is considered best practice.
- Ensure accurate time sync among all components (connection servers, load balancers, security servers, VDI management, etc.) using the Network Time Protocol; skewed clocks break log correlation and can cause certificate and Kerberos validation failures.
- Restrict all ports and services between VDI servers to only those needed for operation. These will differ from one solution to the next.
- Enable logging for all connection services, including load balancers, connection brokers and security servers/services.
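The session-timeout, device-redirection and port-restriction practices above can be checked and enforced on a Windows VDI golden image with a script like the following. This is an added example, not code from the article or from any VDI vendor. It assumes a Windows 10/11 or Server image with Remote Desktop Services and the NetSecurity module, that $BrokerSubnets is replaced with your real connection-broker/security-server ranges (the value shown is a placeholder), and that the VDI platform's own USB and display-protocol policies are configured separately. The timeout thresholds are the article's (30 minutes or less for client sessions; the same value is assumed for disconnected sessions).

```powershell
<#
  Audit-VdiImage.ps1 (added example, not from the article or any vendor)
  Audits, and with -Remediate enforces, RDS session limits, drive/PnP
  redirection blocks and an inbound RDP rule scoped to the brokers.
  Run in an elevated console session on the golden image, not over the
  RDP session whose firewall rule it may disable.
#>
[CmdletBinding()]
param(
    [int]$MaxIdleMinutes = 30,                      # article: 30 minutes or less
    [int]$MaxDisconnectedMinutes = 30,              # assumption: same limit for disconnected sessions
    [string[]]$BrokerSubnets = @('10.10.20.0/24'),  # assumption/placeholder: broker and security server subnets
    [switch]$Remediate
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Desired state. Max* values are REG_DWORD milliseconds; 0 means "never time out".
$Desired = @(
    @{ Name = 'MaxIdleTime';          Value = $MaxIdleMinutes * 60000;         Why = 'idle session limit' }
    @{ Name = 'MaxDisconnectionTime'; Value = $MaxDisconnectedMinutes * 60000; Why = 'disconnected session limit' }
    @{ Name = 'fResetBroken';         Value = 1; Why = 'log the session off, not just disconnect, when a limit is hit' }
    @{ Name = 'fDisableCdm';          Value = 1; Why = 'block client drive redirection' }
    @{ Name = 'fDisablePNPRedir';     Value = 1; Why = 'block Plug and Play (USB) device redirection' }
)

function Test-TsPolicy {
    param([hashtable]$Setting)
    $current = (Get-ItemProperty -Path $PolicyKey -Name $Setting.Name -ErrorAction SilentlyContinue).($Setting.Name)
    $ok = $false
    if ($null -ne $current) {
        if ($Setting.Name -like 'Max*') {
            # A timeout is compliant only if it is set (non-zero) and no longer than the threshold.
            $ok = ($current -gt 0) -and ($current -le $Setting.Value)
        } else {
            $ok = ($current -eq $Setting.Value)
        }
    }
    [pscustomobject]@{
        Setting = $Setting.Name; Current = $current; Expected = $Setting.Value
        Compliant = $ok; Why = $Setting.Why
    }
}

function Set-TsPolicy {
    param([hashtable]$Setting)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $Setting.Name -Value $Setting.Value -PropertyType DWord -Force | Out-Null
}

$results = foreach ($s in $Desired) {
    $r = Test-TsPolicy $s
    if (-not $r.Compliant -and $Remediate) { Set-TsPolicy $s; $r = Test-TsPolicy $s }
    $r
}
$results | Format-Table -AutoSize

# Inbound RDP (TCP 3389) should be reachable only from the brokers, not from any
# address. Find enabled inbound allow rules for 3389 whose remote scope is "Any".
$openRdp = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' }

if ($openRdp) {
    Write-Warning ('RDP open to any source via: ' + ($openRdp.DisplayName -join ', '))
    if ($Remediate) {
        $openRdp | Disable-NetFirewallRule
        New-NetFirewallRule -DisplayName 'RDP from VDI brokers only' -Direction Inbound `
            -Protocol TCP -LocalPort 3389 -RemoteAddress $BrokerSubnets -Action Allow | Out-Null
        Write-Host "Replaced open RDP rule(s) with a rule scoped to: $($BrokerSubnets -join ', ')"
    }
} else {
    Write-Host 'No unrestricted inbound RDP rule found.'
}
```

Run it without -Remediate first to see the compliance table, then with -Remediate on the image before it is sealed. The registry values under the Policies key are the same ones Group Policy writes, so a domain GPO applied to the desktop OU can set them instead. Two limits of the script follow from the article's own caveats: the administrator-console timeout lives on the broker or management server, not in the desktop image, and VDI platforms that use a display protocol other than RDP listen on their own ports and carry their own redirection policies, which must be locked down in the vendor's console as well.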
What’s New with Cloud Remote Access Options
Both VDI and VPN solutions are now readily available in cloud-based deployment models. Advantages of using these types of services include:
- Minimal reliance on on-premises infrastructure: For both VPN replacement (sometimes associated with zero trust network access, or ZTNA, services) and cloud-based VDI, end users connect to cloud services first and foremost, minimizing central connectivity to on-premises infrastructure in many usage scenarios. This can save money and operational capacity. For VPN replacement solutions that connect users back to on-prem services, reverse proxies are likely needed at the edge.
- Faster configuration and deployment: While not universally true, many cloud VDI solutions can be set up and deployed very quickly, because the back-end hypervisors, storage and images are all ready to go. Most VPN replacement technologies do require an agent for deployment, which can still take some time, but connectivity to the cloud access broker may be much simpler.
As with all technologies, there are also potential drawbacks to cloud-based VDI and VPN replacement services:
- Reliance on cloud service providers: As with any critical enterprise services that are partially or wholly outsourced, there are new risks if the provider suffers an outage or some other disruption.
- Lack of features and/or flexibility: Especially in the case of cloud-based VDI, some options may not offer as much deployment flexibility or capability in terms of security and operational controls that rely on full access to the underlying hypervisor platforms.
- Increased costs: While not a foregone conclusion, many cloud remote access and remote desktop services charge for utilization, which may not be cost-effective for some use cases.
Tips to Choose the Right Remote Access Solution
Every organization is different, but in general, organizations should consider the following.
For on-premises deployment models
- Go with VPNs, unless bandwidth and performance issues crop up: If existing VPN access is functional and reasonably well locked down, VPNs are a sustainable method of enabling remote access, as long as excess congestion (bandwidth and concentrator overload) doesn't occur.
- Go with VDI, if cost isn't an issue: If the existing infrastructure is in place and license costs are not an issue, VDI offers more flexible remote access options in terms of desktop control, access controls and maintenance of applications locally in the data center.
- Go with pooled vs. dedicated VMs: For most users and scenarios, a pool of VMs will make the most sense. Dedicated VMs are best for only the most privileged users and data.
For cloud-based deployment models
- Evaluate the features you need before switching: While this should go without saying, some cloud VPN and VDI options may be attractive due to cost savings or ease of deployment but may lack important security features you have come to expect from on-premises options.
- Check provider SLAs: Cloud providers that host desktops or broker VPN connections elsewhere are now part of your end users' critical path for most or all work-related functions. Ensure the cloud provider you choose has the availability metrics and guarantees you expect. Also make sure the providers you evaluate have ample coverage in the geographic regions you operate in.
- Test compatibility for all access use cases and types: Make sure you test a wide variety of use cases with both VDI in the cloud and VPN connectivity through a broker (especially for access back to on-prem resources). Be sure to look at connection latency and performance, potential workstation and endpoint compatibility issues, lack of functionality that end users need, and so on.
- Use MFA everywhere: It should be used with any and all users where possible (for VPN and VDI, whether on premises or in the cloud).
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.