The shift to remote work is making it ever more urgent for businesses to make their back-office applications accessible via the Internet. Many of those applications were designed with a completely different security model in mind and don't have adequate protections in place. Even those that do require significant ongoing investment in maintaining that security. Answering these challenges can be a heavy extra load to carry for smaller businesses.

One of the quickest and most economical solutions is to add an extra protection layer in the form of IP address-based access restriction, so that threat actors cannot even reach the application to discover it or probe it for vulnerabilities. However, in modern environments with dynamic IP addresses and users moving between networks multiple times a day, maintaining such a list quickly becomes unmanageable.

Enter zenVPN. With zenVPN the employees connect to backend systems via a single dedicated IP address that can be whitelisted once. Meanwhile they can travel, change networks and devices, but as long as they can authenticate with zenVPN and are authorized by the organization, they retain access to the back-office applications. Authorization is managed via a convenient web interface, separate from the IP whitelists in lower-level system configurations, which can remain static.

Contrast this with the traditional approach of keeping all the applications inside a secure perimeter and letting remote users in via a VPN. In that case a breach of a user's device exposes the entire network, as the attacker is free to roam inside the perimeter unchecked. With IP whitelisting (+zenVPN) only traffic from the dedicated address to specific applications is allowed inside the perimeter, so a breached end-user device gives an attacker at most the application access that user already had, not a foothold on the rest of the network.

Security and cost comparison

Let's compare the costs, security and convenience of the above-mentioned approaches. The first one is keeping the applications accessible only on the corporate network and letting remote employees in via VPN. We'll call this "Secure perimeter". The second one (referred to as "Plain zero-trust" below) is exposing individual application(s) via the public network while authenticating every request. Finally, the same approach with an additional IP-based access restriction employing zenVPN will be referred to as "Zero-trust + IP restriction".

The items fall into three kinds: cost items, security concerns and user convenience concerns. They are grouped below by approach.

Secure perimeter (VPN solution)

Device security
Since an employee device breach bears potentially catastrophic consequences for the business, a significant investment in protecting device security is required.

Lateral movement
If an attacker compromises one of your applications or employee devices they can reach your entire network from that foothold. This is known as lateral movement and is the reason the industry is shifting to zero-trust security architectures.

Network speed degradation
As all of the employees' traffic is routed via the company's network, they experience extra latency when accessing any services outside the employer's network.

Triggering geo-restrictions in third-party services
Since in this scenario the employees access all third-party services from a company IP address instead of their own, this may trigger unexpected geo-restrictions and security checks.

Privacy concerns
In a remote-first workplace, employees and especially contractors can have privacy concerns about sending all of their traffic via their employer's or client's network.

Plain zero-trust

Comprehensive application security revision
An application that faces the Internet and authenticates every request requires a radically different security design than one that sits inside a secure perimeter and only ever deals with pre-authenticated clients. Although designing applications for a zero-trust architecture definitely pays off in the long run, converting legacy applications designed for a secure perimeter requires a comprehensive audit and significant investment in rework.

Continuous application security maintenance
In recent years the security community has seen multiple major zero-day platform vulnerabilities that could be exploited by unauthenticated users. For any application reachable from the public network it is therefore critical to keep the platform and dependencies up to date with the latest security fixes, which is ongoing work that needs dedicated security staff.

Platform vulnerabilities
The overwhelming majority of the code supporting any modern application comes from the underlying platform(s) and other dependencies. A vulnerability in the platform or a dependency is a vulnerability in the application. Because the potential reward is high, the effort threat actors invest in finding platform vulnerabilities is enormous, so you can expect vulnerabilities to be continuously discovered in your stack.

Zero-trust + IP restriction

zenVPN subscription

One-time setup
Setting up an IP-based access restriction is a fairly easy task on most platforms, requiring on the order of 1 hour of sysadmin work.

As the comparison above shows, using IP-address-based access restriction together with zenVPN can be an effective way of giving remote employees access to back-end applications that provides reasonably tight security while fitting into a small business budget.

Case studies

Deploy IP-based access control for your applications with zenVPN

Setting this scheme up is a breeze with zenVPN. And for the more technical parts of the process our customer support team will be there for you.

  • 1. Sign up for a zenVPN account

    Create an account and pick a subscription plan.

  • 2. Invite your team members

    Create a team in your zenVPN account and invite your colleagues by email addresses.

  • 3. Allocate a dedicated server

    Pick a datacenter and spin your dedicated VPN server. We'll have it ready in under 5 minutes.

  • 4. Implement IP-based whitelisting in your systems

    Restrict access to your applications to the IP address you obtained in the previous step. We offer plugins for many popular platforms to make this easier still. Apply the restriction at the layer that sees the real source address (firewall, load balancer or reverse proxy); if you implement it inside an application that sits behind a proxy, make sure it uses the client address the proxy reports rather than a header any client can set. IP restriction complements your application's own authentication; it does not replace it.
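
For platforms without a ready-made plugin, the check from step 4 can be implemented in the application itself. The following is an added example, not one of zenVPN's plugins: a WSGI middleware that allows requests only from the dedicated VPN address, consults X-Forwarded-For only when the TCP peer is a trusted reverse proxy, and fails closed on anything malformed. The addresses 203.0.113.10 (standing in for the dedicated VPN IP) and 10.0.0.0/8 (standing in for internal load balancers) are constructed values for this example.

```python
"""IP allowlist WSGI middleware (added example, not zenVPN's plugin code)."""
import ipaddress


def _parse_networks(entries):
    # Single addresses become /32 or /128 networks, so one list type serves both.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _in_any(addr, networks):
    # Mixed IPv4/IPv6 comparisons simply return False, no exception is raised.
    return any(addr in net for net in networks)


class IPAllowlist:
    """Reject requests whose real client address is not on the allowlist.

    allowed:         the dedicated egress address(es), e.g. the VPN server IP.
    trusted_proxies: networks of reverse proxies or load balancers in front of
                     the app; X-Forwarded-For is only consulted for those peers.
    """

    def __init__(self, app, allowed, trusted_proxies=()):
        self.app = app
        self.allowed = _parse_networks(allowed)
        self.trusted_proxies = _parse_networks(trusted_proxies)

    def client_ip(self, environ):
        """Return the real client address, or None if it cannot be determined."""
        try:
            peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
        except (KeyError, ValueError):
            return None
        if not _in_any(peer, self.trusted_proxies):
            # Direct connection: any X-Forwarded-For header is client-supplied
            # and must be ignored, otherwise the allowlist is trivially bypassed.
            return peer
        # Behind a trusted proxy: walk the chain from the right, skipping our
        # own proxies. The first other hop is the address the proxy actually
        # saw connecting; entries further left are attacker-controlled.
        raw = environ.get("HTTP_X_FORWARDED_FOR", "")
        hops = [h.strip() for h in raw.split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                return None  # malformed header: fail closed
            if not _in_any(addr, self.trusted_proxies):
                return addr
        return None  # chain contained only our proxies: no client to check

    def __call__(self, environ, start_response):
        ip = self.client_ip(environ)
        if ip is None or not _in_any(ip, self.allowed):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return self.app(environ, start_response)


def backoffice_app(environ, start_response):
    """Stand-in for the protected back-office application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"back-office\n"]


# Constructed values: 203.0.113.10 plays the dedicated VPN egress address,
# 10.0.0.0/8 the internal load balancers that terminate TLS in front of the app.
protected = IPAllowlist(
    backoffice_app, allowed=["203.0.113.10"], trusted_proxies=["10.0.0.0/8"]
)


def handle(environ):
    """Run one WSGI request through the middleware; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(protected(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Direct request from the VPN address: allowed.
    print(handle({"REMOTE_ADDR": "203.0.113.10"})[0])
    # Direct request spoofing the VPN address in X-Forwarded-For: rejected.
    print(handle({"REMOTE_ADDR": "198.51.100.7",
                  "HTTP_X_FORWARDED_FOR": "203.0.113.10"})[0])
    # Via the load balancer, VPN address as the observed hop: allowed.
    print(handle({"REMOTE_ADDR": "10.0.0.5",
                  "HTTP_X_FORWARDED_FOR": "203.0.113.10"})[0])
```

The spoofing cases are the ones worth keeping in mind when wiring the plugin: a client that connects directly can put anything in X-Forwarded-For, and a client that connects through the proxy controls everything left of the hop the proxy appended, so only the rightmost non-proxy entry is trustworthy.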

Not ready yet? Book a demo!