NordLayer Review: A VPN for the Zero Trust Era

Many companies use Virtual Private Networks (VPNs) to connect their remote resources to their local networks. However, many of these VPN solutions have three significant issues.

First, VPNs can be difficult to set up, secure and maintain. With any misconfiguration or mistake, the entire network may be exposed to attack.

Second, VPNs do not scale well and can become congested. These problems become particularly bad if remote users are using the VPN only to reach back out for heavy-bandwidth cloud resources such as Zoom calls or large file downloads.

Lastly, the modern IT environment has many cloud-based resources that reside outside of the network that do not require users to use VPN to access them. Users might decide to bypass the hassle of VPNs and access those cloud resources directly without any additional security protection.

Cloud-based VPN and Secure Access Service Edge (SASE) solutions such as the one offered by NordLayer provide VPN-quality protection for users accessing both cloud-based and local resources. NordLayer also offers business-friendly options for security and compliance, and is positioned as something of a zero trust solution, bridging VPNs with the fine-grained access required for zero trust security.


NordLayer: A User’s Perspective

For this review, we tested NordLayer from the user’s perspective and evaluated its performance compared to similar competitors – including its consumer version, NordVPN.

NordLayer Registration & Installation

An organization will send out an invitation to the user inviting them to download NordLayer through a link. This process is simple and easy without opportunities for confusion.

Once downloaded, the installation also proceeds quickly and with few options that could cause user uncertainty. After installation, the user needs to remember the company name, but that is also in the invitation email as a reminder.

However, the connection is not fully self-service. Even after the invitation and download, the final connection needs to be confirmed by the administrator. 

As a VPN that starts with the posture that no user or device should be trusted until proven, these kinds of additional hurdles make some sense and act as an effective security control against intercepted invitations.  However, from the user perspective it could be a hassle when the administrator does not reply promptly and prevents work from starting. 

NordLayer Use

Once confirmed by the administrator, NordLayer can fully launch and presents the available countries in which the user can connect through to establish the VPN connection. The user can also open the settings and select various options, although they may also need to check with their administrators to make sure those options are supported.

G2 reviewers also find the ease of use important:
“NordLayer gives our business the peace of mind that connecting to a VPN is easy, this is the most important benefit as some of our team can be technologically challenged, therefore the onboarding opportunity gives me the peace of mind that our work is protected 24/7,” wrote Luke C, Executive Assistant, Small business of 50 or fewer employees.

Country Access Points & Pricing

At the time of our testing, the country list includes:

  • Australia*
  • Austria*
  • Belgium*
  • Brazil**
  • Bulgaria
  • Canada*
  • Croatia
  • Czech Republic*
  • Denmark*
  • Finland*
  • France*
  • Germany*
  • Hong Kong
  • Hungary*
  • India**
  • Ireland*
  • Israel
  • Italy*
  • Japan*
  • Lithuania**
  • Mexico
  • Netherlands*
  • Norway*
  • Poland*
  • Portugal
  • Romania*
  • Serbia
  • Singapore*
  • Slovakia
  • South Africa**
  • South Korea**
  • Spain*
  • Sweden
  • Switzerland
  • Turkey
  • UAE
  • UK*
  • US*

*Dedicated Servers Available

**Only Dedicated Servers Available

NordLayer offers both shared and dedicated servers. Shared servers offer price discounts, but may not be seen as being as secure as dedicated servers. Dedicated servers also offer additional security features such as dedicated IP addresses, IP allowlisting (also known as whitelisting), custom domain name service (DNS), network segmentation, and more.

At this time, there are no shared server connections available in South America (closest geographical location may be Mexico) or Africa (closest access may be UAE). However, dedicated servers may be obtained in Brazil and South Africa.

Connections are also not available in several notable large countries: Bangladesh, mainland China (only Hong Kong), Iran, Pakistan, and Russia. However, all of these countries have very strict regulations which may prevent NordLayer from realistically operating in those countries at this time.

Listed pricing starts as low as $7 per month for the basic tier of service that includes only shared servers (billed annually) and up to $11 per month for the advanced tier of service when billed on an annual basis. Custom solutions are also available but pricing can only be obtained through consultation with the NordLayer team. These prices are higher than those for the NordVPN consumer product, as should be expected for the high level of security control offered.

NordLayer User Options

The setting options include:

  • General
    • Launch app at login (checked by default)
    • ThreatBlock
    • Kill Switch (checked by default)
    • Status Notifications (checked by default)
  • Auto-connect
    • When app launches
    • Connect when using untrusted Wi-Fi (checked by default)
    • Auto-connect to: (drop down option for country servers)
    • Trusted Wi-Fi networks (user can populate this information)
  • VPN Protocol Selection (can only select one)
    • Automatic (recommended and checked by default)
    • IKEv2
    • OpenVPN (UDP)
    • OpenVPN (TCP)
    • NordLynx
  • Account
    • Enable two-factor authentication
    • Account information (user, company)
  • Get Help (access NordLayer web page to request help desk assistance via email)

Many of these options are self explanatory, but we’ll go into detail on the ones that are not.

  • Enable two-factor authentication – Allows the corporation to require, or the user to choose, additional security through two factor authentication. NordLayer supports authentication apps (Google, Authy, etc.) or SMS authentication.
  • Kill Switch – VPN disruptions can cause data traffic exposure so NordLayer (and NordVPN) uses Kill Switch features built into iOS, Android, and Windows to cease application communication in the event of disruption. Whether the app terminates or merely pauses depends upon the operating system.
  • Status Notifications – Displays a notification in the event of a VPN connection status change (usually disconnection).
  • ThreatBlock – If enabled, NordLayer will block harmful websites, pop-up ads, auto-play ads, and other possible threats. Harmful websites have been determined by reputation (associated with illegal activity) or because they appear to be insecure.
  • VPN Protocol Selection – NordLayer supports four distinct options for the VPN protocol used for communication. Users are recommended to keep the protocol on “Automatic,” but some administrators may require a different option.
    • NordLynx (UDP, proprietary) – proprietary light-weight VPN protocol based upon the open-source WireGuard VPN protocol
      • With only 4,000 lines of code, the protocol is easier to check for vulnerabilities and can decrease the impact on the VPN communication speeds.
      • WireGuard does not support insecure key exchanges or obsolete algorithms for hashing or encryption.
      • Shown to be more than 50% faster than OpenVPN.
    • IKEv2 (UDP)
      • Can only use UDP ports 50, 500 and 4500
      • Developed by Cisco and Microsoft
      • Native support from Windows 7+, macOS 10.11+
      • Generally slower than NordLynx
    • OpenVPN (TCP/UDP)
      • More flexible code, but tends to be slower
      • Can run on UDP for higher speeds, but may suffer dropped packets
      • Can run on TCP for more reliable connections that do not drop packets, but this protocol can slow down communication speeds.


VPN User Experience

As a user, NordLayer connects with minimal hassle. It launches automatically and countries can be selected with a single click.

Unlike consumer VPNs, NordLayer does not provide as many options for connections within a country or the option to connect to the fastest server. However, this is appropriate for a corporate VPN in which some users may not be technical.

YouTube Test

One test was performed by checking playback speeds on YouTube. For this exercise, we logged into servers in the US, Singapore, Slovakia, and Australia. NordLayer switched easily between servers and loaded the local YouTube quickly and easily. There was no noticeable delay or effect on YouTube video playback with any connection.

NordLayer’s Back End Security Controls

With only basic user-level access, we could not test the features of NordLayer that simplify the life of an IT manager or IT security manager. However, these very features are the selling points for NordLayer over more simplified remote VPN solutions such as NordVPN.

To understand why organizations might select NordLayer, they must also consider the solution’s features regarding:

  • Easy Operations
  • SASE 
  • Turn-Key Security

However, these are invisible to the end user and would only be possible to test for a company with IT infrastructure that needs to integrate with, or be replaced by, NordLayer’s solutions.

Easy Operations

As companies grow larger, management of spread out resources becomes increasingly difficult. Managing transitions of workers to remote access or knitting together the legacy technology of subsidiaries or acquisitions complicate matters even more.

NordLayer creates a centralized access and networking platform that can replace legacy technology or integrate with existing technology with equal ease. IT managers have a single easy-to-use control panel for billing and automated user management with unlimited scale.

NordLayer’s flexibility permits license transfers and integrates with multiple network vendors simultaneously. While we could not directly test these features, we did obtain user testimonials from G2 such as:

“The ability to so easily install and run NordLayer is amazing. Also, the ease of being able to manage, create, and remove accounts is great for our use,” wrote Alex V, IT Manager of a mid-market company of 51-1000 employees.

“Our company decided to switch our corporate VPN solution to NordLayer after permitting employees to work remotely. Easier to manage and maintain than our previous Cisco VPN solution,” said an administrator in Information Technology & Services for a small business of 50 or fewer employees.

SASE

Many employees now work remotely in unsecured networks at home, in hotels, or in coffee shops. Many company resources now exist outside of the corporate network in public clouds or through Software-as-a-Service providers.

Adopting Secure Access Service Edge (SASE) technology permits a company to create a secure connection for many different endpoints and data sources. The SASE features of NordLayer provide functions for:

Zero Trust

Zero Trust requires constant verification of users and devices to access applications and data. Zero Trust assumes that users and devices may be compromised, so there is no trusted user, location, or device in the Zero Trust framework.

Zero Trust is achieved using four main areas of control: Identity and Access Management (IAM), Network Access Control (NAC), Network Segmentation, and Network Security. If any of these four layers of security fails, the connection will not be permitted.

In more detail, NordLayer IAM verifies all user identities and checks the device used for access each time a new network session is established. NordLayer NAC verifies that users, devices, and applications conform to required security policies to establish a network connection.

NordLayer accomplishes network security and network segmentation using Software Defined Wide Area Networks (SD-WANs), along with powerful encryption and proprietary tools that inspect network traffic to detect and block attacks.

Firewall as a Service (FWaaS)

Firewalls block unauthorized traffic from what lies behind them, typically local networks, individual computers, or applications. FWaaS creates a cloud-based firewall that inspects all traffic attempting to access the software defined network. NordLayer’s FWaaS should sit between all corporate assets, both cloud and local, as a layer of defense for all assets.

Cloud Access Security Broker (CASB)

CASB services monitor all activity and enforce security policies between cloud service users and cloud applications. To deliver CASB services, NordLayer uses IAM and NAC described in more detail under Zero Trust above for all users that connect through NordLayer.

To avoid users bypassing NordLayer to access cloud resources, some companies will implement single-sign-on (SSO) so that users don’t have passwords and must connect through corporate resources to access cloud resources. Similar restrictions can be made through IP address whitelisting (using NordLayer-assigned IP addresses) as a factor of authentication for cloud resource access.

Secure Web Gateway (SWG)

SWGs enforce compliance policies for the organization. NordLayer’s application control and data loss prevention (DLP) capabilities filter unwanted traffic, enforce network segmentation, and can check for endpoints that do not satisfy company policy such as jail-broken phones.

Endpoint Security

NordLayer provides endpoint security through threat-block malware protection and DNS filtering in the provided secure connection. In other words, during a connection, NordLayer continuously scans and blocks known malware and known malicious websites.

Software Defined Wide Area Network (SD-WAN)

NordLayer allows for highly detailed segmentation of the hosted network and can grant the minimum required access to each user.

Turn-Key Security

In addition to the SASE features, NordLayer also provides easy integration and access for advanced authentication, encrypted communication, and dedicated servers. These features can inherently provide advanced security options for even the smallest organizations.

Advanced Authentication

Compromised credentials pose a great threat to all organizations. NordLayer provides options to improve security with two-factor authentication (2FA) and single-sign-on (SSO) authentication options.

In addition to basic SMS and app-based 2FA, NordLayer supports biometric authentication and IP address whitelisting (see Dedicated Servers, below). NordLayer also supports SSO for Azure AD, OneLogin, Okta, and GSuite.

SSO can be extremely useful to protect SaaS services because administrators can set up credentials through SSO that users will never know. There will be no credentials to lose and users cannot log into the SaaS resources without going through the secure VPN access.

Encrypted Communication

A key defense against hackers is to encrypt all communication. NordLayer automatically provides AES 256-bit traffic encryption for all connections.

NordLayer also has options for Site-to-Site Tunneling for secure point-to-point access to internal company resources. Customers can also set up Smart Access to create virtual LAN between designated company devices and servers.

Customers on G2.com note:

“Nordlayer allows us to grant remote access to both our corporate network and our client’s networks via the gateway IP address, while leaving us and our clients safe in the knowledge that our traffic is being securely handled,” said an Administrator in Computer Software for a mid-market company of 51-1000 employees.

Dedicated Servers

While not needed for all customers, dedicated servers can provide additional security controls such as static IPs and IP Whitelisting. This IP control provides several benefits to IT managers.

  • SaaS setup can require communication from a static IP address as part of a multi-factor authentication requirement. Stolen credentials used from other IP addresses cannot be used.
  • Companies can set up static IP addresses for partners and customers for their security. Employees can still connect from remote and variable IP addresses through NordVPN without causing connection issues.
  • Static IP addresses can be used to establish secure network connections and microsegmentation between key assets (file servers, payment databases, etc.) and the access gateway.
  • IP Whitelisting can set up secure connections for additional security for connections with partners, application servers, etc.
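
The static-IP factor in the list above, and the allowlisting restriction mentioned under CASB, can be sketched as a sign-in check on the SaaS side. This is an added example, not NordLayer code or configuration; the gateway addresses, event fields and verdict names are assumptions, and the sample events are constructed.

```python
import ipaddress

# Assumption: static addresses of the organization's dedicated gateway
# (documentation ranges, constructed for this example).
GATEWAY_ALLOWLIST = ["203.0.113.10/32", "2001:db8:50::/64"]

# Constructed sign-in events, as a SaaS audit log might record them.
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "203.0.113.10", "password_ok": True},
    {"user": "bob", "src_ip": "198.51.100.77", "password_ok": True},
    {"user": "carol", "src_ip": "2001:db8:50::1f", "password_ok": True},
    {"user": "dave", "src_ip": "203.0.113.10", "password_ok": False},
    {"user": "erin", "src_ip": "::ffff:203.0.113.10", "password_ok": True},
    {"user": "frank", "src_ip": "not-an-ip", "password_ok": True},
]


def parse_allowlist(entries):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def source_allowed(src_ip, networks):
    """True only if src_ip parses and falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # fail closed on malformed source addresses
    # Dual-stack listeners may report IPv4 clients as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


def verdict(event, networks):
    """Treat the source address as a second factor alongside the password."""
    if not event["password_ok"]:
        return "deny"
    if source_allowed(event["src_ip"], networks):
        return "allow"
    # Valid credentials from outside the gateway: stolen credentials, or a
    # user bypassing the VPN. Deny and raise it for review.
    return "deny_and_alert"


def triage(events, allowlist=GATEWAY_ALLOWLIST):
    networks = parse_allowlist(allowlist)
    return {e["user"]: verdict(e, networks) for e in events}


if __name__ == "__main__":
    for user, result in triage(SAMPLE_EVENTS).items():
        print(f"{user:6} {result}")
```

The `deny_and_alert` verdict is the one worth routing to review, since it marks a correct password presented from an address that is not the gateway.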

“I am able to get a dedicated IP for white-listing and protect my employee traffic for remote workers. It does a fabulous job at this (unless people turn it off). The quick onboarding experience is a huge benefit. It’s as easy as inviting them and they install the app and they’re done!” said an Administrator in Health, Wellness & Fitness for a small business of 50 or fewer employees.

NordLayer Target Customer

Who can benefit from NordLayer’s solution? Organizations that need:

  • Low-cost, simple solutions for remote connections
  • High-level security
  • Hybrid Workplace blending local and cloud resources, on-site and remote workers
  • Outsourced infrastructure
  • Quick setup and deployment
  • To quickly replace incompatible mixes of legacy infrastructure

NordLayer notes that the average time to deploy their solution can be as little as 10 minutes and over 5,500 businesses currently use NordLayer. The basic shared server option allows for the smallest companies to be up and running quickly.

The higher levels of access and the option for dedicated servers ensure that companies can easily grow with NordLayer and that larger organizations can also benefit from NordLayer. The customized security and cloud-based nature provide scalability for the largest enterprises with highly specific needs.

A More Secure VPN

Employees from organizations of all kinds increasingly seek to work remotely even as the assets of the organization migrate to cloud resources outside of the corporate network. To secure both the end users and these cloud resources, organizations need to deploy a cloud-based resource that encompasses all communication with secure encryption.

NordLayer offers many advanced features that provide a wide range of security options to satisfy the needs of many diverse organizations. While many of these benefits can be obtained by knitting together in-house solutions and other SaaS provider solutions, doing so greatly increases the complexity and the time needed for deployment and introduces many possible security gaps.

Adopting NordLayer makes it easy and operationally efficient to adopt improved security. Users typically won’t notice any difference even as IT administrators greatly reduce their headaches. Organizations seeking to improve their security and control over dispersed IT infrastructure should include NordLayer in their short list for evaluation.


Chad Kime
Chad Kime combines his Electrical Engineering and MBA degrees to translate between technical language and common English. After managing over 200 foreign language eDiscovery projects, Chad values practicality over idealism. He has written on cybersecurity, risk, compliance, network security hardware, endpoint monitoring software, anime DVDs, industrial hard drive equipment, and legal forensic services.
