Remote access tools have been used by workers for decades to connect to business resources when they are outside of the office. These solutions often use protocols and encryption methods that are insecure or slow. By building remote access tools on newer technology, the shortcomings of older solutions can be sidestepped. New remote access tools can be faster, simpler, leaner, and more useful, delivering a number of benefits:

  1. Less CPU overhead and longer battery life – Unlike AES-256, which is often used by OpenVPN, modern cryptographic methods such as ChaCha20 encryption and Poly1305 message authentication have many advantages. Testing by Google revealed that these newer ciphers offer better security and better performance than AES encryption; on devices without AES acceleration, such as mobile devices, ChaCha20 and Poly1305 can operate three times faster. Making the encryption less demanding means the CPU consumes fewer resources, enabling other applications to run more smoothly and extending the battery life of the device.
  2. High speed and extremely resilient – With applications demanding better network performance, remote access tools based on OpenVPN are no longer suitable, as it is considered one of the slowest protocols. Newer primitives in the key-agreement handshake, such as BLAKE2s hashing, which is much faster than the regular SHA-3 most protocols use, can help improve performance. Additionally, reducing the number of handshake messages required to set up a connection to 1.5 RTT (one and a half round trips) helps make sessions more resilient against wireless connection interruption, providing a vastly better end user experience.
  3. Streamlined and stealthy security – Unlike OpenVPN, whose code base runs to 100k lines, and OpenSSL, which is also large, newer technologies have much smaller code bases. This means that modern remote access architectures have a smaller attack surface, making it easier and faster to remove potential vulnerabilities before they are discovered by malicious groups. Techniques like Perfect Forward Secrecy, which frequently rotates the keys used to encrypt and decrypt data, limit how much data an attacker can recover if they manage to obtain a key. Another security technique is Single Packet Authorization, which prevents the network from responding to any packets from peers it doesn’t recognize, so a network scan will not reveal that a resource is running.

Consider the architecture

Some remote access services use reverse-proxy technology, which means that private applications are exposed to the internet. Reverse-proxy infrastructure relies on relatively high-level protocols to keep that incoming access protected. Although this approach enables “agent-less” deployments, it comes at a significant cost: some piece of infrastructure is responding to anyone’s request.

Responding to requests means the application is discoverable on the open internet. In comparison, software-defined perimeter (SDP) technology operates at the packet layer. Quite simply, SDP servers check every incoming packet for a signature, and if it is absent the packet is ignored completely. Without compromising the endpoint device to obtain its private cryptographic key, there is no practical way to spoof packets and get a response from the applications. Taking this approach can make access services immune to MitM, session hijacking, and many other “application-layer” attacks.
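To make the packet-layer check concrete, here is an added illustration (not Wandera's code) of a listener that authenticates every datagram with a keyed BLAKE2s tag under a pre-shared key and answers nothing at all to anything unauthenticated or replayed, so a scanner receives no evidence the service exists. The key, the packet layout (counter || payload || tag) and the counter-based replay guard are assumptions made for this example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16               # truncated keyed-BLAKE2s tag appended to each packet
HDR = struct.Struct("!Q")  # 8-byte big-endian packet counter, used as a replay guard


def seal_packet(key: bytes, counter: int, payload: bytes) -> bytes:
    """Client side: build counter || payload || keyed-BLAKE2s(counter || payload)."""
    body = HDR.pack(counter) + payload
    tag = hashlib.blake2s(body, key=key, digest_size=TAG_LEN).digest()
    return body + tag


class SdpListener:
    """Server side: packets without a valid tag are dropped with no reply of any kind."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far (replay guard)

    def handle(self, packet: bytes):
        """Return a response for an authorised packet, or None (silence) for everything else."""
        if len(packet) < HDR.size + TAG_LEN:
            return None  # too short to carry a tag: ignore
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hashlib.blake2s(body, key=self.key, digest_size=TAG_LEN).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # unknown or tampering sender: ignore, never send an error back
        (counter,) = HDR.unpack_from(body)
        if counter <= self.last_counter:
            return None  # captured packet played back: ignore
        self.last_counter = counter
        payload = body[HDR.size:]
        return b"OK " + payload  # only an authorised peer ever learns the service is there


def demo():
    """Constructed traffic: one valid packet, a plain probe, a bit-flipped tag, and a replay."""
    key = bytes(range(32))  # constructed pre-shared key for the example only
    server = SdpListener(key)
    good = seal_packet(key, 1, b"open 10.0.0.5:443")
    probe = b"GET / HTTP/1.0\r\n\r\n"             # unauthenticated scan traffic
    tampered = good[:-1] + bytes([good[-1] ^ 1])  # last tag byte flipped
    return (server.handle(good), server.handle(probe),
            server.handle(tampered), server.handle(good))
```

Only the first result in `demo()` is a reply; the probe, the forged tag and the replayed packet all produce silence, which is the behaviour the text contrasts with a reverse proxy that answers (even with an error) anyone who connects.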

Next generation remote access in action

These new remote access protocols and techniques come together in Wandera Private Access, enabling a next generation remote access experience. The cloud-based SDP architecture is highly secure and can provide remote access without any infrastructure deployment. To learn more about the technology that powers Wandera and how it can help your business, please get in touch with one of our experts.