Networking

How to Make Sure Your VPN Can Handle the Work-from-Home Workload

Ensure that employees have a steady connection with these easy tips.

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She provides cybersecurity publication consulting services to organizations and was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST).

Telework is not an unusual practice for government workers; many federal employees have arrangements to work from home on a regular basis, and many more do it in short-term emergency situations such as bad weather days.

During those times, when a relatively small number of employees are working from home for a day or two at a time, an agency’s VPN performance is probably fine. But when employees find themselves working from home for longer periods of time and their numbers increase beyond usual, VPNs may struggle to handle the load and may not be capable of supporting processing and network usage for so many people at once. This can cause significant slowdowns and can prevent some users from even connecting to the VPN.

A solid connection is vital to remote workers, who are using equipment from a variety of sources — agency-issued laptops or their own computers — to access government computing resources, such as email, calendars and other applications, as well as files, databases and more.

VPNs, the traditional security solution for remote access, are a critical tool. Try these best practices to ensure that a VPN can adequately support a workforce during times of peak demand.

Improve the Basic VPN Infrastructure

The obvious way to handle greater VPN usage is to increase the capacity of the VPN infrastructure itself. There are several ways to do this (and some can be used simultaneously).

Increase network bandwidth for the VPN servers. This usually means ensuring the path between the internet and each VPN server has enough bandwidth, but in some cases, there may also be a need to increase the bandwidth between the VPN servers and the agency resources being accessed from the VPN.
Deploy additional VPN servers. This not only adds sheer capacity, but it can also improve VPN availability, especially if the servers are deployed to multiple locations. By implementing load balancing, an agency will have a more flexible and resilient VPN infrastructure, one that can transparently send users to the server best able at the time to meet their needs.
Be proactive with VPN server management and security. Make sure to maintain the servers well — for example, keep them fully patched. This reduces the risk of compromise and removes flaws in the VPN software that could impair VPN server performance.

Another proactive step is to use distributed denial of service protection measures so that VPN servers and the networks they use can’t be overwhelmed by attackers.

Separate Traffic Flows to Ease VPN Flow

Some network distancing can also ease the flow of traffic. For decades, VPN best practice has been to avoid split tunneling — dividing a user’s network traffic so the portion relying on the agency’s resources goes through the user’s VPN connection, while the rest of the user’s traffic bypasses the VPN.

Split tunneling was considered too risky because an attacker could abuse it to pass traffic across networks through the less secure device. But most network traffic today is now encrypted, and many devices often use two networks at once (for example, Wi-Fi and a cellular network). So, this risk has been reevaluated, and more organizations are enabling split tunneling.

#FedIT leaders: Which infrastructure or support solutions have you invested in the most to enable #telework?

— FedTech Magazine (@FedTechMagazine) May 19, 2020

This can significantly improve performance for users and also greatly decrease the volume of network traffic passing through the VPN. For example, users’ laptops can download large operating system updates directly from vendors instead of passing all those updates through the agency’s VPN infrastructure.

Change Work Patterns to Balance Out VPN Load

Sometimes, relatively simple changes to how people work and the processes they follow can make a big difference in a VPN’s performance. A basic example is staggering work hours so that not everyone in the agency is trying to access the VPN at the same time each morning.

Another example: Have people working from home do certain tasks locally rather than doing them over the agency’s internal networks, as they would if they were in the office. Instead of remotely editing a large document over the VPN, a user could download it, edit it locally then upload it once it’s complete. That should take far fewer VPN resources than using the VPN all day while editing the file.

Of course, VPN architects and administrators don’t usually have the authority to implement changes in how an agency’s employees do their work. But what they are uniquely qualified to do is monitor the VPN’s usage and look for patterns that indicate bottlenecks, excessive resource consumption and other potential problems.

By analyzing those patterns, VPN experts can provide insights to management about what the problems are and how they might be resolved, such as reconfiguring a video-based service to temporarily provide lower-quality video, thus reducing how much network traffic the service uses.

LEARN MORE: CDW can help agencies meet telework-related challenges.

How to Handle Sensitive Information

Some agency users routinely handle highly sensitive information, and unexpected telework means they have to be able to remotely access that information from home, increasing the risk of compromise.

Agencies can take the following VPN-specific steps to safeguard these work-from-home arrangements:

Have a separate VPN for these users. Allow access to the highly sensitive information from this VPN only, and allow only authenticated, agency-issued devices to access the VPN.
Require multifactor authentication for VPN users. This reduces the chance of credentials being used to gain unauthorized access to sensitive information.
Consider disabling split tunneling. This increases network traffic volume on the VPN, but also gives the agency better visibility into network activity.

Employees’ Personal Networks Must Be Able to Handle the Work-from-Home Load

The office VPN may be ready to handle the load of all staff members working from home, but the employees’ own home networks might not be. Agencies have to take that limitation into consideration as well.

“Think of it as an extended branch office,” suggest Robert Herriage and Sven Rasmussen, who work on enterprise networking for CDW. Agencies must make sure that their employees “have adequate bandwidth and performance on their home internet to support your organization’s productivity suite.”

Know the requirements for voice, video or other performance-heavy applications, especially the bandwidth needed to run them cleanly; this information can be found in the product data sheets.

Herriage and Rasmussen also point out in a CDW Solutions Blog post that home internet connections often have bandwidth restrictions. “You’ll need to consider how you want to handle those restrictions so they do not impact your users financially,” they write. “Will you reimburse overages? Will you supply a cellular hotspot for your users? … There is no right answer, but these things do need to be considered.”

Finally, help staffers figure out how their own home internet connections perform. They may have to download a speed test on their devices and provide the data to the IT department, which can then determine which workers need the most help to get the best connection.

Read Herriage and Rasmussen’s full advice on the CDW Solutions Blog.

Wenjie Dong/Getty Images