Max Havey [00:00:01] Hello and welcome to another edition of Security Visionaries, a podcast all about the world of cyber, data, and tech infrastructure, bringing together experts from around the world and across domains. I'm your host, Max Havey, and today we have two exciting guests, both experts from the world of networking, here to talk about the highs and lows of virtual private networks or VPNs. First up, we have Steve Riley, a field CTO here at Netskope and an experienced information technology professional who's held a number of different technology and security roles throughout the industry, including a stint as an analyst for Gartner. Welcome to the show, Steve.
Steve Riley [00:00:36] Hey, thanks, Max. Good to be here. Hi, everybody.
Max Havey [00:00:39] Glad to have you. And additionally, we have Carl Smittle, a network engineer for Charter Communications and a senior network and security engineer who has worked across multiple industries, including stints at Spectrum and Mastercard. Welcome to the show, Carl.
Carl Smittle [00:00:51] Thanks for having me.
Max Havey [00:00:52] Absolutely. So today we're going to be talking about sort of the past and present of VPNs and looking at sort of the highs and lows as well as where things are headed next and what organizations who are, you know, where where things are headed next for organizations. So to start things off here, you know, the specification for the VPN was published back in the last millennium, 1999, to be precise. So for our younger listeners and, you know, to help some of our older listeners reminisce, can you sort of describe what the world before the VPN sort of looked like? Steve, can you can you start us off there?
Steve Riley [00:01:25] Yeah, I think, Max, you're talking about the RFC for PPTP, Point-to-Point Tunneling Protocol, in 1999. That was actually developed three years prior by a Microsoft person. It didn't get RFC status until 99, so it originated in 96, but that was a derivative of an even earlier protocol called Point-to-Point Protocol from 1994. So yeah, I mean, you're right, these VPN things have been around for a while. You know, if you think about when the Internet was originally designed in the 70s, the notion of remote access wasn't really a thing. Right. But eventually, as people started to realize it was useful for more than just connecting universities to the Defense Department, it would be good if people could be somewhere other than in the local network to get on to wherever their Internet connection might happen to be. And so that's what the VPN did. It hooked people who were remote to some local network that could then, you know, either just interact with resources on that local network or elsewhere on the Internet. Why not just go to the Internet if you're already on it instead of into the corp net? Well, sometimes people wanted to apply certain kinds of security traffic to all app on Internet traffic, even those from remote users. So you bring them into the corporate and then back out to the Internet, which, you know, we lovingly call hairpin today. And fortunately, we have many, much more improved technologies from these than these things from the middle 90s that give us great performance and avoid all that hairpin and don't compromise security.
Max Havey [00:02:59] Definitely. And Carl, sort of, what are some of your thoughts? Do you have any anything sort of additional you'd like to add to that question there?
Carl Smittle [00:03:06] Yeah, I know it's hard to believe we've come this far. It's been a long time ago since before VPN. In the past I actually also worked a lot on site to site VPN connections, which, you know, the precursor to a lot of other things we've got today as far as file sharing and you know, getting from branch site to headquarters site type scenario. But yeah, I agree with Steve that if you're looking more to individual user to corporate site, I mean, there's there's a lot of different technologies that have come and gone. That, you know say maybe, concentrator that that we used to use at Mastercard, we'd pull 5,000 people on a snow day on the concentrator just people trying to work your remote and you know it's ever changing, so yeah.
Max Havey [00:03:59] Absolutely and Carl you know on that on that sort of note there, how how did the VPN sort of change things for businesses once it sort of arrived on the scene? Like how did it really sort of like alter the way people were doing business, the way organizations operated?
Carl Smittle [00:04:13] Yeah. So when I first started in IT I used to actually support, you know, we had the Novell networks. I actually supported a 90 site X.25 network that basically is terminal to mainframe type scenario. And we ran on just dedicated circuits. So for the VPN site to site tunnels for corporations, say from a branch site to a headquarters site or 100 branch sites to the headquarters sites, a lot of those guys had to have dedicated circuits to get there and that was very time consuming to get stood up. The maintenance, you had to rely on the old telco to troubleshoot things, call them up, say, Hey, I'm down, whatever. They didn't really monitor. And, you know, it's very, very expensive also. So the VPN allowed you to kind of do your own thing, if you will. Like I'm going to set up a tunnel from point A to point B over the public Internet or, you know, I can more easily allow client to server or client to head-end connection. And then I can, like Steve was saying, do the hairpin turn there to allow him back out to better manage your security profile. But yeah for you know, for a lot of businesses I think it added more flexibility, lowered the cost and instead of relying a lot more on telco than what we do now, and we can build our own stuff out there in Internet world. So that's that's where I see it.
Max Havey [00:05:53] Definitely kind of driving things to be a bit more flexible, a bit more independent, making it so that people can work from really anywhere.
Carl Smittle [00:05:59] Right? Yeah.
Max Havey [00:06:01] Definitely. And Steve, sort of where does your perspective come in on this sort of around, you know, these these sorts of these changes and impacts that VPN sort of brought when it first came out?
Steve Riley [00:06:11] Well, I think this notion of work from anywhere is an intriguing one. When did you get your first laptop, Carl or Max?
Carl Smittle [00:06:20] Probably. Actually, we had Desktops for a long time, probably, I would say probably 98, something like that. And so, yeah.
Steve Riley [00:06:28] How about you, Max? Mid-late 90s?
Max Havey [00:06:31] I had my first laptop I think in like 2002-2003.
Steve Riley [00:06:35] Oh, right. You're young.
Max Havey [00:06:36] I am. I mean, I'm younger. I'm younger than you think. Yeah. Yeah. Like I was going to say, like, I don't think I had Internet in my parents house until like 1998, so I maybe I may be a few years behind the peg here.
Steve Riley [00:06:47] Well, I ask the question because, I mean, think of, you know, we were talking about sort of the Internet before these VPN protocols arose and the VPN protocols arose, which let people do remote. Well, what else happened that same time? Laptops. Yeah. My my first laptop in 1995. And so this I think this notion that hey this new mechanism materialized to use the Internet to get people to our corporate network when they aren't on the corp net itself is pretty cool. And I can remember I, you know, in very early days when I was experimenting around with some of this, when I worked for a power company in in Ohio that people just couldn't believe they could lug this computer around that, you know, it was like a couple inches thick, right? But then they could sit on a couch or a desk in the evening after dinner and they could do more work. Now, one might argue that VPNs and laptops, you know, were the beginning of the breakdown of the American family because but, you know, whatever. That's that's a joke. Okay. But it's interesting that these two things coincided. And I don't think that was by accident.
Carl Smittle [00:08:07] And you also forget about dial up, too, right?
Steve Riley [00:08:10] Oh, well, that's a big one. I think we all want to forget about dial up, right?
Max Havey [00:08:16] Yeah. I feel like the less said about dial up and having to, you know, endure indoor, you know, the tones, not making calls and, you know, just just the all around slowness compared to the connectivity we see today. I feel like it's better left in the past.
Steve Riley [00:08:30] Well, I mean, that PPP was for dial up. Yeah, basically. I mean it was an encapsulation mechanism for transport between two peers, but to make it work over the public Internet, that was the addition that the PPTP brought. And then since then, all these, all the newer protocols that Carl alluded to in the introduction essentially assume the Internet exists now.
Max Havey [00:08:54] Definitely. Well, and Steve, sort of jumping off of that, how was VPNs sort of instrumental in the early days of digital transformation? We kind of touched on that a little bit in your last answer. Could you could you expand on that maybe a little bit?
Steve Riley [00:09:06] Yeah. Well, I've been working from home ever since, I want to say probably about 1998. And that's been able enabled by VPNs and the Internet, whether it was when I was at Microsoft, working in consulting services, living in Denver or, you know, they moved me to Seattle and I was still working from home about half the time. And then Riverbed was home all time. Gartner and Netskope here, too. So it's enabled us to do good work anywhere and let the companies we work for, as well as the customers of those companies benefit from that. I think it clearly shows that humans have the aptitude and the desire to just be productive when the time strikes. You know, I don't always have my best ideas between 9 and 5. Sometimes a really good idea comes up, you know, 7 p.m., 8 p.m. Yeah. I could jot it down into a notepad on my phone. But I'd rather just take the laptop, open it up, log in and write an email or send a Slack message or create a quick doc and then go back to whatever I was doing, you know, blowing my instrument or watching a documentary or something. So the flexibility, I think has been really huge. But then also this notion that we can connect anything to anything. And this goes way back to Carl's early experience with those site to site VPNs. Right. Being able to use this technology as a substitute for expensive, dedicated carrier links that by themselves aren't any more secure. Right. It's just a different physical wire, that's all. The VPN protocols wrap necessary, necessary security around it. I think this lets businesses themselves be more flexible in where they place resources, where they place offices, where they place factories, those sorts of things that might not have been possible before the rise of these technologies.
Carl Smittle [00:11:22] Yeah. And if you just look to our overseas support, I mean, I work every day over a VPN and operations, I might get a call in the middle of the night and I can jump on the computer and do my work and fix stuff. And then also I can collaborate with workers that are, you know, other side of the globe at the same time over their VPN to talk to them. So yeah, it's it's a world changer.
Max Havey [00:11:47] Absolutely. And you know, Carl, kind of going from that there like, you know, is there anything that, you know, we can sort of directly sort of give VPN credit for that today we sort of take for granted when it comes to like the connectivity that we that we operate with as businesses and organizations.
Carl Smittle [00:12:02] Yeah, I think I just alluded to it. So I can work anytime, anywhere, which is always been my goal ever since I was in high school and being able to collaborate with other coworkers or even other companies because everything is specific these days, you know, Netskope, you know, if I need to talk to somebody from there, I can easily chat with them or Zoom or whatever it is to have them look at an issue. You know, and that's a huge one nobody really thinks about anymore because everybody, we're such a global presence these days that you might have to talk to somebody in another continent, you know, just other things like file sharing and being able to have a customer use your apps, you know, very easily type type scenario over a VPN connection. So yeah, it's it's a lot of stuff out there.
Max Havey [00:12:55] Definitely. And Steve sort of where, where your sort of thoughts around this what, what and any, any further comments you want to add from your end.
Steve Riley [00:13:02] The Internet is a network of networks. That's what the word means. Right. Most people. I would say even today, most people don't have home networks. You know, we geeks. We nerds, we do. People will sometimes, you know, non nerds will buy a Wi-Fi access point and connect it into whatever they get from their ISP. So maybe they've got some kind of a small LAN in the house, but it's just, you know, a wireless deal. But before that became popular, there was no way to extend the Internet beyond the networks themselves. Right. And I think what VPNs enabled was to take this notion of a network of networks and extend that so that it could even encompass a single entity that is otherwise not able to get on the network. Yeah. You know, I don't think we think about that much anymore because like I said, you know, we nerds all have home LANs and even non-nerds have something approximating that. I think we should remember to give the VPN credit for that though.
Max Havey [00:14:09] Definitely. And you know, to sort of to piggyback off of that, why is it that you think that VPNs have stuck around so long and that they have they they have become such a sort of a key aspect of, you know, of operating in the business world today. Like going back to the 90s up to now, 2023. Why do you think that is?
Steve Riley [00:14:28] Inertia. But okay, so we can laugh at that, right? But there's one other thing to remember that the design goal of a VPN from day one, including all the way to today, is to connect devices to networks. Now we all have devices and we all have networks because really what we want to do is interact with data and applications. And since the only way to do that was having an IP address on every node that needed to participate in that interaction, connecting the device to the network was the way to go. And that's what VPNs, they do that. They're very good at that. But sometimes you have to wonder, is that really the best way to get people access to applications and data? And lately, you know, more kinds of remote access technologies have evolved that perhaps can accomplish this goal with less or no reliance on the underlying network anymore.
Max Havey [00:15:34] Absolutely. And, you know, Carl, where do you sort of stand on that? How do you sort of react to that? You know, what what are your sort of thoughts?
Carl Smittle [00:15:40] Yeah, it's hard to say. I'm surprised it's lasted this long. I just think it's kind of what Steve said, inertia. And everybody is used to doing something a certain way and was anything better. And the government probably, you know, started implementing new things to get people more on the track of getting off of VPN because it's very complicated to set up, you know, if you have to manage it and all that. So, yeah, it's about time something took its place because it has been around forever and there's a lot better ideas out there, I think. And it's just corporate mentality. Everybody's like, this is the way we've always done it. And you know, it's going to cost us money to get out of this old pattern and into something new that we'll have to learn about and train up people. But once you're there, it makes a lot of sense. So, yeah, I'm just glad we're kind of moving on.
Max Havey [00:16:37] Definitely we are sort of in the end days of VPN and I guess I guess to sort of broach the question here, what what's next then if the VPN is sort of, if people are looking at sort of changing out their VPNs, replacing their VPNs, watching this sort of evolve. Carl, what do you what do you think is next here?
Carl Smittle [00:16:55] Yeah. I mean, with all the security stuff going on the last few years and all the need for more security, I would say probably zero trust is is a big way. That's the freight train that's coming. Just because we've got more security controls around it and it can be more of an individual type scenario for allowing people access to things they need to get to. And instead of the old school firewall, VPN, access lists, you know, who knows what's coming over that? You know, zero trust makes to me a lot more sense. But yeah, I mean, that's kind of what I'm seeing.
Max Havey [00:17:36] Definitely. And Steve sort of what are your thoughts on, on, on what's next for the world of VPN?
Steve Riley [00:17:42] So if we if we now sort of take it for granted, that stuff is going to go to the cloud and people are mobile, it means that we have to facilitate better access people from people who are remote to all those different cloud places than the old style VPN, right? Where the hairpinning we mentioned earlier, I like to kind of give it this, this way of thinking. We are moving away from one data center to many centers of data. Every cloud subscription is a center of data and people are moving to the four corners of the earth and are no longer on the corp net. And so how do we grant people access to what they need, the right people, the right access at the right times for the right reasons. And still keep the performance good, right. So that people aren't compelled to go find something that's unsafe. Carl mentioned zero trust. That's a set of principles. A market has arisen for remote access tools built on that set of principles. And when I was at Gartner, I wrote the first market guide on that, and I named it Zero Trust Network Access because I saw, as Carl mentioned, the existence of the zero trust principles materializing in those products. And if I could do it all over again, I'd call it zero trust application access because it isn't really about the network. It's about people to apps and data. And here's an interesting example of how this new technology changes business. If any of you have ever been through an acquisition of some kind. You've either worked for a company who bought another one or you work for a company who got bought. What happens if you look at the IP address space at each of those two companies, they probably overlap. It did for one time when I was working somewhere. And so what did you do in the old days? You had to re-number one of the networks, which could take a year, right? Because it was about connecting devices to networks. But imagine this. If we had a technology, let's give it a name zero trust network access. Hey, it already exists. The acquiring company can stand up a few little resources inside the acquired company's network so that it connects to a ZTNA provider's cloud and allows the acquiring company to connect their humans to the acquired company's applications and data much sooner than going through renumbering exercise. You know, we've seen people close acquisitions six months sooner because of the existence of this technology. And doesn't matter what your IPs are anymore, just doesn't matter. And this is where we see an example of where we see a new technology demonstrating real business value that you can measure in dollars. And I just think that stuff is super cool when a when a tech I like creates a business value that I like and want to stand on stage and talk about, you know, good luck keeping me away.
Max Havey [00:21:09] Definitely. And so, you know, sort of as as to sort of, you know, network sort of expert folks, people who've, you know, been around VPN, been around networks and watched things change for so long. What excites you the most about, you know, seeing this next wave coming? Let's let's start with you, Carl.
Carl Smittle [00:21:27] Yeah. Like Steve alluded to and he brought up the cloud is a freight train coming. It's already here. So just to be able to be more. I'm not sure how to say, the more individually driven instead of just like, here's our policy and if you don't fall in this category, then you don't get to connect you to the app or do this or that. But it's very individual set up now that people need certain access that others don't and they need to connect remotely over the cloud, to cloud, to whatever it is that people might need to access and be it corporate or be it personal. I mean, that's. That's that's the way I see it, that it's more cloud related. It's more individual. Just the connection. Instead of relying on old school, like here's your subnet. If you're not in this subnet, you can't come over my VPN and just too bad. So it's the flexibility is a huge thing and costs don't have as much management fees hiring a bunch of tech people who know how to do it. So that's how I see it.
Max Havey [00:22:49] Definitely flexibility and cost reduction. And two things I feel like every business is looking for these days and everything they sort of you want to see from new technology.
Carl Smittle [00:22:58] Yeah.
Max Havey [00:22:58] And Steve, from from your end, what sort of excites you the most about about this next wave following VPN?
Steve Riley [00:23:05] Well, one thing that I think is good for us to remind folks listening here is that migrating away from the VPN to something like ZTNA doesn't mean you have to switch everybody all at once. You can start with a single internal application that people used to use a VPN to get to and make that available over ZTNA so that people become familiar with it. But you know that then institutes transition phase where sometimes people have to remember to get on the VPN and remember to do the other. So you know, it. Choosing to progress slowly does mean for a while that users might have to make decisions. But ultimately, once you get everything over to ZTNA, you know, you can have a ceremony where everybody gets in the data center, you stand around the rack in the corner of the basement where it hasn't been touched in 15 years. Right. And sing some songs and unplug the thing and then take it out back and shoot it, because that's really the only thing it's good for anymore is target practice. And now. Now that now that your company's people have been freed from the shackles of the plumbing, what new things can they do? What sorts of new ways of of accomplishing business might might arise. I look forward to seeing what what the next 2 or 3 years might bring there.
Max Havey [00:24:28] Absolutely Exciting times abound here. And, you know, as we sort of as we sort of come to the end of this conversation here, I wanted to get a sense from you guys, you know, if you had to offer one piece of advice to organizations who are starting to take these steps away from VPN to sort of take these next steps on their own, what advice would you offer them? Steve, let's start with you.
Steve Riley [00:24:48] Yeah, well, probably what I just said in my answer to your earlier question is that decide for yourselves whether you want to take a phased approach or just jump all in. Jump all in puts a lot more work on IT. You've got to get it right. Can't fail. Phased approach is going to confuse the user community for a little while. Most people I speak with prefer the phased approach. They feel like they've got a good handle on how they can conduct a necessary user training. And that's what I would that's what I would recommend generally is to take take that step. Do remember that not all ZTNA products can handle all protocols. So select your vendor very carefully. If you have a lot of legacy VoIP, if you have systems management tools where the server needs to make a connection to an endpoint or anything, not just a systems management tool, make sure that the vendor you choose can handle that because a lot of ZTNAs, it wasn't in the original design spec for a and still most of them can't.
Max Havey [00:25:52] Gotcha. Taking taking that phased approach but you know being making sure that you're doing your due diligence around the vendors that you're choosing for these sorts of things.
Steve Riley [00:25:58] Precisely.
Max Havey [00:26:00] Excellent. And then, Carl, what sort of advice would you offer to organizations?
Carl Smittle [00:26:03] Yeah, I love that idea. Just put an app out in the cloud and let people migrate. Maybe something new. I mean, proof of concept is a huge thing and business requirements also just make sure it meets all your, you know, everything you need or at least close to it. And like Steve said, you know, talk to vendors, see what they do, you know, be kind of a knowledge like a nerd on things and just dive in. At least that's what I do. Just dive in tech and see how everything works, you know? But, but, you know, rely on the vendors for that, too. But just kind of going overall 10,000 foot vantage of how it works and how it will benefit you, you know, business case concepts and just, you know, do proof of concept with the vendor and see how they can help you and just try it out and maybe put one device or an app out there and let people maybe not something not real important, but let them try it and see how how they like it. And then gradually, you know, you can expand on that and other things out there. But yeah, I mean, it's just a process and learn how and then to feel comfortable with it and go on to the next step. So yeah, that's what I would recommend.
Max Havey [00:27:22] Absolutely. Finding the best ways to start that journey by jumping in, finding out what works best for your, your given organization.
Carl Smittle [00:27:29] Right.
Max Havey [00:27:30] Excellent. Well, guys, we're coming into the end of this episode here. But before we close out and let the people go here, any final closing thoughts? Carl, I'll hand the mic over to you first if you have any closing thoughts we haven't covered off here already yet.
Carl Smittle [00:27:45] No, it's just like I said, learn and start looking into stuff, different newer ways to do things. Newer technology that will help you get to where you want to go. I mean, personally, that's what I've been. Cloud security. Now we're going to try to combine all three to learn more so I can help other people out in the future. And I think that's just got to be open for change is a big thing.
Max Havey [00:28:10] Definitely. And Steve, any any any final closing thoughts from your end?
Steve Riley [00:28:14] Well, I think Carl just read my brain because I was going to say, the only constant is change. So don't be afraid. Embrace that change. Always find ways that you can help your business be successful. Change is good. Use it to your advantage.
Carl Smittle [00:28:34] Right?
Max Havey [00:28:34] Absolutely. Change is good indeed. All right. Well, Steve, Carl, thank you so much for taking the time here. I imagine we could probably keep going on talking about this for a while here. But this has been this has been a true delight.
Steve Riley [00:28:45] Yeah. Thanks much, Max. Good to be here. And with you, Carl.
Carl Smittle [00:28:48] Yeah. Thank you, Steve. Thank you, Max. It's been a joy.
Max Havey [00:28:51] You've been listening to the Security Visionaries podcast, and I've been your host, Max Havey. If you enjoyed today's episode, please be sure to share it with someone who might enjoy it and subscribe to Security Visionaries on your favorite podcasting platform. There you can listen to our back catalog of episodes and keep an eye out for new ones dropping every other week, hosted either by me or my co-host, the great Emily Wearmouth, and we'll be sure to catch you on the next episode.