What does Microsoft/Apple/Netflix etc use for allowing employees to access internal systems?
I’m a jr DevOps engineer working for a (currently small) startup, wanting to integrate technologies that are capable of handling the employment of thousands of people a year, and have been tasked with looking into highly scalable remote access solutions. I would like to know what existing companies use for this, and what any of you would recommend.
I really have to disagree with the approach here. A small company has different needs and resources from Apple/Google/etc. Using them as a model is a good way to drop too much money on the wrong things, and then perpetually have to spend too much money to keep them going.
What actual concrete needs are you trying to meet? Maybe you just need something to allow a subset of people access to backend systems? Maybe you want to add extra security to business systems that are provided by SaaS partners? Maybe you are trying to connect data centers or offices? Maybe you’ve already invested in a particular networking vendor? Maybe you are completely cloud native?
All of those are factors (among others) that will add up to a different solution depending on where your needs spike highest for “allowing people to access internal systems”.
I know you want to get something today that will scale to the theoretical thousands of users you may have some day, but realistically you won’t be there for years and by then everything will likely have changed again and you’ll want to revisit the solution anyway.
Get something that meets the needs you have today and the needs you think you’re likely to have in the next year, or the period of whatever contract comes with whatever solution you select, whichever is longer. Anything beyond that can’t be predicted accurately enough to do any kind of detailed planning for, so trying to account for it beyond making sure whatever you pick today will be easy to replace is a waste of effort.
Edit - oh, and, at the scale you’re talking about, this isn’t the kind of solution a Jr DevOps person should be choosing. That should be a job for someone who specializes in this kind of thing. If your leaders legit asked you to do this, that raises a lot of questions for me.
Palo Alto (GlobalProtect), Cisco (AnyConnect) or Fortinet. VPN for employees is a case for Network/NetSec team.
We use VPN strictly for accessing legacy internal services from ye olden days that are still hanging around. 99% of things are already on zero trust (endpoints publicly accessible on the internet, just behind authentication).
As everyone else is saying, the industry is turning its back on VPN and is choosing a Zero Trust approach: rather than placing the user on a trusted network, you trust nobody and make sure that everyone is authenticated and authorized to access a specific resource. This increases traceability and accountability, and it also allows for more fine-grained access control.
We’re switching to Cloudflare WARP. Not a big company though.
For a more DevOps interpretation of the question (sysadmin type work instead of internal applications), maybe something like Teleport.
While I still prefer SSHing everywhere, some key features (for a controlled environment) are missing: centralized access logging, session history/auditing, and access management. SSH certificates at least make it easier to revoke/rekey and limit the lifetime of the token, but can be a pain to set up.
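The comment above says SSH certificates make revocation, rekeying and lifetime limits easier but are a pain to set up. The following is an added example (not any poster's setup) that walks the whole cycle with the real ssh-keygen binary: a user CA, an 8-hour certificate bound to a principal and a serial number, inspection of the fields an auditor would log, and revocation through a KRL. OpenSSH must be installed; the CA, key ID "alice@laptop", principal "alice" and serial 1001 are made up, and everything lands in a throwaway directory.

```python
"""Short-lived SSH user certificates from a CA, plus revocation with a KRL.

Added example, not any poster's code. Drives the real ssh-keygen binary via
subprocess (OpenSSH required); CA, user key, principal, key ID and serial are
assumptions, and all files are written to a temporary directory.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

SSH_KEYGEN = shutil.which("ssh-keygen")


def _run(*args: str, check: bool = True) -> subprocess.CompletedProcess:
    return subprocess.run(args, check=check, capture_output=True, text=True)


def issue_cert(workdir: Path, principal: str, key_id: str, serial: int, validity: str) -> Path:
    """Sign the user's public key with the CA: who it is for (-n principal),
    how long it lives (-V), and a serial (-z) so it can be revoked individually."""
    ca, user = workdir / "user_ca", workdir / "id_ed25519"
    _run(SSH_KEYGEN, "-q", "-t", "ed25519", "-N", "", "-f", str(ca))     # CA keypair (assumption: ed25519)
    _run(SSH_KEYGEN, "-q", "-t", "ed25519", "-N", "", "-f", str(user))   # user keypair
    _run(SSH_KEYGEN, "-s", str(ca), "-I", key_id, "-n", principal,
         "-z", str(serial), "-V", validity, f"{user}.pub")
    return workdir / "id_ed25519-cert.pub"   # ssh-keygen's fixed output name


def describe_cert(cert: Path) -> dict:
    """Pull the fields worth logging centrally out of `ssh-keygen -L`."""
    text = _run(SSH_KEYGEN, "-L", "-f", str(cert)).stdout
    principals = re.search(r"Principals:\s*\n((?:\s+\S+\n)+)", text)
    return {
        "key_id": re.search(r'Key ID: "([^"]*)"', text).group(1),
        "serial": int(re.search(r"Serial: (\d+)", text).group(1)),
        "valid": re.search(r"Valid: (.*)", text).group(1).strip(),
        "principals": principals.group(1).split() if principals else [],
    }


def revoke_and_check(workdir: Path, cert: Path) -> bool:
    """Put the cert in a KRL (what sshd loads via RevokedKeys) and confirm
    ssh-keygen -Q now reports it as REVOKED. The cert is revoked by its
    serial under the issuing CA, so the user's other certs keep working."""
    krl = workdir / "revoked.krl"
    _run(SSH_KEYGEN, "-k", "-f", str(krl), str(cert))
    check = _run(SSH_KEYGEN, "-Q", "-f", str(krl), str(cert), check=False)
    return "REVOKED" in check.stdout


def demo(validity: str = "+8h") -> Optional[dict]:
    """Issue, inspect, revoke. Returns None when ssh-keygen is not installed."""
    if SSH_KEYGEN is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        cert = issue_cert(workdir, principal="alice", key_id="alice@laptop",
                          serial=1001, validity=validity)
        info = describe_cert(cert)
        info["revoked"] = revoke_and_check(workdir, cert)
        return info


if __name__ == "__main__":
    print(demo())
```

On the server side the only setup needed is `TrustedUserCAKeys` pointing at the CA public key (and `RevokedKeys` at the KRL) in sshd_config; rekeying a user then means issuing a new certificate, not touching authorized_keys on every host, and an expired certificate simply stops working without any cleanup.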
Check out Google Cloud’s BeyondCorp product (and associated white papers): https://cloud.google.com/beyondcorp. As far as I know this represents a state of the art zero-trust access model (sans VPN).
Nice try Russia. You won’t read my Pulse that easily, so we are zero trust now.
For the most part, we don’t use VPN. Everything is “Zero Trust”. Access is managed via oauth2 web proxies.
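Two comments above describe the same model: "trust nobody and make sure that everyone is authenticated and authorized to access a specific resource", and access "managed via oauth2 web proxies". The following added example (not any poster's code, and not a real proxy product) shows the decision such an identity-aware proxy makes on every request: verify an HMAC-signed session token minted after the OAuth2 login, check the user's groups against a per-resource policy with longest-prefix match, deny by default, and emit an audit record that carries the identity rather than the source address. The signing key, the eight-hour TTL, the paths, groups and users are all assumptions.

```python
"""Per-request authorization the way an identity-aware (OAuth2) web proxy does it.

Added example, not any poster's setup. The source network is never a factor:
every request needs a valid, unexpired session token, and the (user, groups)
in it must satisfy the policy for that resource. No policy means deny.
Key, TTL, policy table, paths and users are made up for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

SESSION_KEY = b"rotate-me-this-is-only-a-demo-key"   # assumption: the proxy's HMAC key
SESSION_TTL = 8 * 3600                                # assumption: 8h, then back to the IdP

# Resource policy: longest matching path prefix wins; no match means deny.
POLICY = {
    "/grafana/": {"eng", "sre"},
    "/admin/":   {"sre"},
    "/wiki/":    {"eng", "sre", "sales"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_session(user: str, groups: List[str], now: Optional[float] = None) -> str:
    """Mint a session token once the IdP has confirmed identity and group membership."""
    now = time.time() if now is None else now
    claims = {"sub": user, "groups": sorted(groups), "iat": int(now), "exp": int(now) + SESSION_TTL}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_session(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time compare
            return None
        claims = json.loads(_unb64(body))
        if not isinstance(claims, dict):
            return None
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def _match_policy(path: str) -> Optional[Tuple[str, set]]:
    best = None
    for prefix, groups in POLICY.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, groups)
    return best


def decide(path: str, token: Optional[str], src_ip: str, now: Optional[float] = None) -> dict:
    """Authorize one request. src_ip goes into the audit record but never grants anything."""
    audit = {"path": path, "src_ip": src_ip, "sub": None, "allow": False, "reason": ""}
    claims = verify_session(token, now) if token else None
    if claims is None:
        audit["reason"] = "unauthenticated"   # a real proxy redirects to the IdP here
        return audit
    audit["sub"] = claims["sub"]
    rule = _match_policy(path)
    if rule is None:
        audit["reason"] = "no policy for resource"
        return audit
    prefix, allowed = rule
    if allowed.isdisjoint(claims["groups"]):
        audit["reason"] = f"groups {claims['groups']} not in {sorted(allowed)} for {prefix}"
        return audit
    audit.update(allow=True, reason=f"matched {prefix}")
    return audit


if __name__ == "__main__":
    tok = issue_session("alice", ["eng"])
    print(decide("/grafana/d/latency", tok, "203.0.113.5"))   # allowed, from the internet
    print(decide("/admin/users", tok, "10.0.0.5"))           # denied, even from "inside"
```

The point the thread makes shows up in the last two calls: the request from a public address is allowed because the identity and group check pass, and the request from an internal address is denied because they do not; the network the client sits on changes the audit line, not the decision.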
I know that 3 of the MANGa use AnyConnect.
I’m at a Fortune 500 and we are moving away from Cisco AnyConnect to zero trust.
I work for IBM and we use Cisco AnyConnect for internal systems. Worked with a few major banks and government orgs too and they’ve used OpenVPN
Awesome thank you for detailing this. I’ve learned something new!
Forticlient when out of office
Something that is certified FIPS 140-2.
Cisco AnyConnect. Lots of things are available from outside on the internet because of cloud use. But not everything can be.
We use Forti, kind of a VPN, virus scan, PC monitoring all-in-one kind of thing.