Enterprise Network Design - keshavbaweja-git/guides GitHub Wiki

Traditional network access control

Network perimeter based protection

  • Early solutions for enterprise network access control were designed around a single, well-defined network perimeter.
  • All enterprise IT resources are hosted inside enterprise LANs, with multiple LANs connected together.
  • Entry into the network is protected by firewalls at the perimeter.
  • Devices within the enterprise LAN are considered trusted, and traffic between them is largely uninspected once inside.

Limitations

  • Applications are now distributed across data centres, remote branch offices and multiple Cloud locations, so there is no single perimeter left to defend.
  • The perimeter-based approach rests on the premise that threats originate outside the network, and therefore concentrates IDS, IPS and firewall inspection on north-south traffic.
  • East-west traffic needs to be monitored as well; otherwise a threat already inside the network perimeter (a compromised workstation, a malicious insider) can move laterally and remain undetected.
  • Remote access for employees and partners needs to be monitored as well. These requests originate from outside the trusted network.
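The east-west point above, as an added example that is not part of the original wiki page: a small classifier that labels flow records as north-south or east-west, models a perimeter device that only ever sees north-south traffic, and shows which workstation-to-workstation admin/file-sharing connections (a typical lateral-movement pattern) that device never examines. The address plan, the `INTERNAL_NETS` / `WORKSTATIONS` / `LATERAL_PORTS` names and the sample flows are all constructed for this illustration, not taken from the page.

```python
"""Classify flow records as north-south or east-west and show what a
perimeter-only control leaves unexamined.

Added example, not from the original wiki page. The address ranges,
names and flow records below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Assumed enterprise address plan (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.10.0.0/16",   # user workstations
    "10.20.0.0/16",   # servers / data centre
    "10.30.0.0/16",   # branch office
)]
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
# Ports a workstation has little reason to open towards another workstation.
LATERAL_PORTS = {22, 445, 3389, 5985}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(flow):
    """north-south crosses the perimeter; east-west stays inside it."""
    s, d = is_internal(flow.src), is_internal(flow.dst)
    if s and d:
        return "east-west"
    if s != d:
        return "north-south"
    return "external"  # neither end is ours; not our traffic at all


def perimeter_inspects(flow):
    """A perimeter firewall/IDS only ever sees traffic that crosses it."""
    return direction(flow) == "north-south"


def suspicious_lateral(flow):
    """Workstation talking to workstation on an admin/file-sharing port."""
    if direction(flow) != "east-west":
        return False
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    return src in WORKSTATIONS and dst in WORKSTATIONS and flow.dport in LATERAL_PORTS


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.10.4.21", "203.0.113.10", 443, "tcp"),  # user browsing the web
    Flow("198.51.100.7", "10.20.1.5", 443, "tcp"),   # inbound to a published service
    Flow("10.10.4.21", "10.20.1.5", 443, "tcp"),     # user to internal app: normal
    Flow("10.10.4.21", "10.10.4.37", 445, "tcp"),    # workstation -> workstation SMB
    Flow("10.10.4.21", "10.10.4.38", 3389, "tcp"),   # workstation -> workstation RDP
]


def summarize(flows):
    """Return per-direction counts and the suspicious flows no perimeter device sees."""
    counts = {"north-south": 0, "east-west": 0, "external": 0}
    unseen_suspicious = []
    for f in flows:
        counts[direction(f)] += 1
        if suspicious_lateral(f) and not perimeter_inspects(f):
            unseen_suspicious.append(f)
    return counts, unseen_suspicious


if __name__ == "__main__":
    counts, missed = summarize(SAMPLE_FLOWS)
    print(counts)
    for f in missed:
        print("never reaches the perimeter:", f)
```

Running it prints two north-south flows (the only ones a perimeter device would inspect) against three east-west flows, two of which match the lateral-movement pattern and would go unnoticed without east-west visibility (flow logs from switches/hypervisors, internal segmentation firewalls, or host-based telemetry).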

VPN

  • Secure IPsec (or TLS-based) tunnels over the public Internet, connecting remote users and sites to the enterprise network

Limitations

  • Hair-pinning - remote traffic is backhauled to a central VPN concentrator before reaching its destination (often a cloud service that is directly reachable anyway): extra distance -> increased latency -> traffic bottlenecks at the concentrator
  • Capacity constraints when deployed as hardware appliances (tunnel count, crypto throughput), which become the bottleneck as the remote workforce grows
  • Susceptible to attacks - the VPN gateway is exposed to the Internet, and a successful "session hijacking" or "account ID extraction" gives the attacker the same broad network-level access a legitimate user gets once the tunnel is up

MPLS

  • Multi-protocol label switching technology is used to build enterprise WANs

Limitations

  • The geographic spread of enterprise IT resources, especially cloud-hosted ones, has made traversal over the Internet inevitable. MPLS is a separate carrier network that reaches the Internet only through a limited number of designated breakout points, so branch traffic to cloud services is hair-pinned through those points much like VPN traffic, increasing latency.
  • A different network technology with its own appliances makes network configuration more complex