Time for a Haircut

by Richard Meeus on June 26, 2020

Like many people around the world, my hair has grown profusely in the past few months and bears little resemblance to the photo in my profile. Without the required care and attention, my hair is getting dangerously close to the bad hairstyles I adopted in the 1980s.

I could of course attempt to fix this myself, attacking my hair with clippers, scissors, and a mirror. This will inevitably lead to a bad mullet (is there any other kind?), and we are back in the ’80s again. I therefore long for when we are back to normal, and I can visit my barber and get them to try and control this mess.

I know of colleagues in similar situations who are employing several additional tools to help make video calls not quite as scary. Now we’re seeing an uptake in “man bands”, kirby grips, and hairpins.

Which abruptly brings me to the point of this blog. The concept of hairpinning (aka tromboning) within computer networks is certainly not new, but it is something that has been adopted extensively in recent months as knowledge workers adapt to remote working. This means access to all your applications is through the VPN tunnel that IT hastily installed when lockdown happened, irrespective of where those applications lie. If they are within the same IT estate as the VPN endpoint, then this is not much of an issue, but invariably they are not. Many are located as SaaS, or in cloud environments such as Amazon, Azure, GCP, or other hosting environments.

Pre-lockdown this didn’t matter, as everyone was in the office. Traffic flowed out to all the additional locations over properly scoped transits and connections, allowing for secure and effective access. Unfortunately, in the current situation, that architecture didn’t take into account what would happen if no one was in the office, and they’re now all working from home. So now all the traffic has to get to the central office first, before it can egress to all the external apps. This all happens over a VPN that was designed for a degree of usage many times less than what is currently being experienced.

Sponsorships Available

The chart below shows the increase of inbound traffic into companies’ data centres since COVID-19 arrived and rewrote the book on how we work in 2020.

This marked increase creates several issues. The primary one is whether the remote access network infrastructure is designed to take large amounts of users connecting via VPN, but the amount of traffic that these users are creating needs to be sent through the single link back to the data centre. When you consider the amount of extra traffic for all those Zoom calls, it’s not surprising that some organisations are looking for a smarter way to connect users to applications. Rather than take the hairpin approach, and loop all traffic through a single location, why not use the internet to connect the users to their applications? Instead of a user in London connecting to a VPN in Germany to access an application in Ireland, why can’t they connect directly from London to Ireland? Using a cloud-based, identity-aware application broker, internal applications can be accessed securely from wherever the user is located. This is over the optimum path between the user and the application, whether it is hosted in the corporate data centre or in the cloud.

The concern — and it is absolutely valid — is that the security stack resides in the data centre, and for the company to protect its users and its data, it needs to route all requests through a centralised stack that has been optimised for the business. This works fine when everyone is in the office, but when that topology gets rewritten, the centralised security stack becomes a sea anchor, dragging all the connections to one point, sometimes hundreds if not thousands of miles away from where the actual data lies.

Ditching the hairpin will improve the end-user experience by improving performance and, where possible, enabling more BYOD (bring your own device). It will also improve the performance of the data centre with far less ingress traffic to inspect, much less risk of a single choke point, and more understanding of your application usage.