The practice of work from anywhere and the standard firewall architecture present distinct yet significant challenges for organizations.
When working from anywhere, off-net endpoints by default use direct Internet access (DIA) for most of their traffic, with no network security protection in the path, and so become susceptible to malware and other network security threats, as the diagram shows. To combat this challenge, organizations rely on the standard firewall architecture and full tunneling VPNs to backhaul the endpoints' WAN traffic through the next generation firewall (NGFW), where it can be inspected.
Using the standard firewall architecture for WAN backhauling places extra load on the NGFW and its WAN links, which can lead to congestion at the firewall's WAN links, especially at peak working hours, as the diagram shows. This load also slows down the NGFW itself, because it must spend more CPU resources on VPN encryption and decryption. Performance therefore degrades at both the NGFW and the WAN link, so remote users experience latency when accessing networks through full tunneling VPNs, which ultimately degrades their overall user experience.
In addition, when working from anywhere, off-net endpoints are typically unmanaged. Their security posture may therefore be weak because they lack software updates and vulnerability patches, and such devices cannot be considered trusted.