How to improve VPN performance and safety


The coronavirus pandemic has created an unprecedented work from home culture that in turn has significantly increased the reliance on VPN gateways.

Indeed, they have become critical business lifelines without which employees would not be able to access the key business applications that allow them to do their jobs. But the high user demand placed on VPNs leaves them vulnerable to performance and safety issues.

So, how can businesses improve VPN performance and safety?

Previously, building a VPN support strategy to solve performance and access issues might simply have involved adding VPN capacity and internet link bandwidth. However, in today’s climate where VPNs are no longer an add-on but are of critical importance, this approach is just not sufficient.

IT teams now need increased access to enable rapid problem solving so that internet access is reliable and safe, and demonstrably so. Therefore, the VPN support strategy needs to enable the IT teams to prioritise essential services, rapidly analyse resource consumption, and quickly solve performance issues. 

Here are some tips for improving VPN performance:

Implement realistic bandwidth quotas

Remote access needs to be managed to ensure that sessions are not using excessive bandwidth and throughput. To protect against this, IT should implement sensible quotas on per-session bandwidth and throughput. For this to be effective, they will also need to ensure that termination capacity, bandwidth, and throughput can scale according to demand.

Set acceptable usage parameters

While VPNs are essential for many aspects of remote work, they are not universally required, and should certainly not be used for leisure purposes. This is especially true if you’re not using split-tunnelling [see next point].

Banning the use of VPNs for non-business uses, for example video streaming platforms and online gaming, is an obvious place to start. However, within business use, it can be less clear to employees which business applications do and do not require VPN access. Therefore, it is important that this is clearly laid out by IT and that acceptable use policies are communicated and enforced so that employees do not unknowingly increase the burden on VPNs.

Consider using split-tunnel VPNs

These can direct all internet traffic not specifically within the corporate domain through the local ISP, helping to alleviate some of the strain caused by use of VPNs.
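The route decision behind split tunnelling, as an added example that is not part of the original article or NETSCOUT's products: only destinations inside the corporate address space are sent through the VPN, everything else goes out via the local ISP. The corporate prefixes below are constructed (private and documentation ranges), and the check that rejects a default route is there because a stray 0.0.0.0/0 or ::/0 silently turns the policy back into a full tunnel.

```python
"""Split-tunnel route selection using the standard ipaddress module.

Added example, not code from the original article. The corporate prefixes
are constructed for illustration and do not describe any real network.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed corporate address space (assumed, not real infrastructure)
CORPORATE_PREFIXES = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.0.2.0/24",
    "2001:db8::/32",
]


def build_tunnel_routes(prefixes: Iterable[str]) -> List[Network]:
    """Return the collapsed list of prefixes that should ride the tunnel.

    A default route (prefix length 0) is rejected: including one would make
    every destination match and the split tunnel would become a full tunnel.
    strict=True also rejects prefixes with host bits set (e.g. 10.0.0.1/8).
    """
    nets: List[Network] = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"default route {net} would make this a full tunnel")
        nets.append(net)
    # collapse_addresses refuses mixed address families, so collapse each separately
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return list(v4) + list(v6)


def via_tunnel(destination: str, routes: List[Network]) -> bool:
    """True if the destination belongs in the tunnel, False if it should use the local ISP."""
    addr = ipaddress.ip_address(destination)
    return any(addr.version == r.version and addr in r for r in routes)


def allowed_ips_line(routes: List[Network]) -> str:
    """Render the routes as a WireGuard-style 'AllowedIPs' peer setting (assumed format)."""
    return "AllowedIPs = " + ", ".join(str(r) for r in routes)


if __name__ == "__main__":
    routes = build_tunnel_routes(CORPORATE_PREFIXES)
    print(allowed_ips_line(routes))
    for dst in ("10.20.30.40", "8.8.8.8", "2001:db8::1"):
        print(dst, "-> tunnel" if via_tunnel(dst, routes) else "-> local ISP")
```

The same function applies unchanged to a client with a hundred corporate prefixes; collapsing adjacent prefixes keeps the pushed route table small, which matters when the VPN client installs one kernel route per entry.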

Use the right access controls

Not all VPN concentrators have the same network policies, and using the wrong access controls could cause performance issues. For example, a generic SSL/TLS-based VPN concentrator will have different network policies than an IPsec-based remote-access VPN concentrator. Luckily, this is easy to solve: IT teams just need to double check that the right access controls have been implemented and correct the error if not.

Make the most of geographically dispersed employee pockets

Now that most employees are working from home, a centralised remote access network infrastructure may no longer be the most effective policy. Instead, companies with geographically dispersed employee pockets should consider regionalising their remote-access infrastructure. This can help distribute internet access and intranet network loads rather than placing all demand on one source. Doing this will also add a level of extra safety by increasing resilience to attack and other potential service interruptions that may affect local pockets rather than the full network.

Use analytics tools

Network traffic can be analysed at a packet level by using network visibility tools. These products can provide data at a universal and granular level to give teams an accurate insight into the public-facing network infrastructure. This allows accurate diagnosis of issues, better allocation of bandwidth and can draw attention to where specific services need to be built to alleviate certain issues.
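A small worked example of the analysis the previous two points rely on (per-session bandwidth quotas, and visibility data to enforce them). This is added here and is not code from the original article or from NETSCOUT's tools. It assumes a per-flow export from a VPN concentrator or visibility tool with a fixed reporting interval; the column layout, the 30-second interval and the sample rows are all constructed for this example.

```python
"""Per-session VPN throughput audit over constructed flow records.

Added example, not code from the original article. Assumes a CSV export
with columns: timestamp (epoch seconds), session id, user, bytes in,
bytes out, one row per session per reporting interval.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List

# Constructed sample export (not real traffic). Reporting interval assumed to be 30 s.
SAMPLE_FLOW_LOG = """\
# ts,session,user,bytes_in,bytes_out
1700000000,s1,alice,120000,40000
1700000030,s1,alice,110000,30000
1700000060,s1,alice,130000,50000
1700000000,s2,bob,9000000,200000
1700000030,s2,bob,9500000,220000
1700000060,s2,bob,8800000,210000
1700000010,s3,carol,2000,1000
"""

INTERVAL_S = 30        # assumed export interval of the flow records
QUOTA_MBPS = 1.0       # assumed per-session quota, megabits per second


@dataclass
class SessionStats:
    user: str
    first_ts: int
    last_ts: int
    total_bytes: int = 0

    def avg_mbps(self) -> float:
        # Each record covers one interval, so a session seen once lasted INTERVAL_S,
        # not zero seconds; this keeps the division meaningful for short sessions.
        duration = (self.last_ts - self.first_ts) + INTERVAL_S
        return self.total_bytes * 8 / duration / 1_000_000


def parse_flows(text: str) -> Dict[str, SessionStats]:
    """Aggregate bytes per session id across all reporting intervals."""
    sessions: Dict[str, SessionStats] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts_s, sid, user, b_in, b_out = line.split(",")
        ts = int(ts_s)
        st = sessions.get(sid)
        if st is None:
            st = sessions[sid] = SessionStats(user=user, first_ts=ts, last_ts=ts)
        st.first_ts = min(st.first_ts, ts)
        st.last_ts = max(st.last_ts, ts)
        st.total_bytes += int(b_in) + int(b_out)
    return sessions


def flag_over_quota(sessions: Dict[str, SessionStats], quota_mbps: float) -> List[str]:
    """Session ids whose average throughput exceeds the quota, highest first."""
    over = [(sid, st.avg_mbps()) for sid, st in sessions.items() if st.avg_mbps() > quota_mbps]
    return [sid for sid, _ in sorted(over, key=lambda x: x[1], reverse=True)]


if __name__ == "__main__":
    stats = parse_flows(SAMPLE_FLOW_LOG)
    for sid, st in stats.items():
        print(f"{sid} {st.user:6s} {st.avg_mbps():8.3f} Mbps")
    print("over quota:", flag_over_quota(stats, QUOTA_MBPS))
```

On the constructed rows, bob's session averages roughly 2.48 Mbps over its 90-second window and is the only one flagged; alice and carol stay well under the 1 Mbps quota. In practice the quota value and interval would come from the concentrator's own configuration, and the flagged list is what you would feed a ticket or an automated rate limit.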

Improving VPN performance needs to go hand in hand with improving VPN safety otherwise this crucial business lifeline will still be at risk of cyberattack. Indeed, a recent joint statement from the United States Department of Homeland Security and the United Kingdom’s National Cyber Security Centre found that even the smallest distributed denial of service (DDoS) attack now poses a significant threat to bandwidth-saturated gateways. Therefore, to build a truly robust VPN support strategy, IT teams must incorporate DDoS protection into their plans from the outset.


Here are some tips for improving VPN safety:

Use software-as-a-service (SaaS)-based services

Built-in protection is the best way to ensure VPN safety, so take advantage of providers that already offer it. Most major SaaS providers have DDoS protection built in to maintain the availability of their services, so use those services wherever possible, for example for everyday business applications, content sharing, collaboration, and communications.

Follow the best current practices (BCPs)

Double-checking that they are following BCPs is an easy way for IT teams to build up resilience to attack across network infrastructure, servers, and services such as DNS. A key starting point should be for IT teams to make sure that they have implemented intelligent DDoS mitigation systems to ensure protection from DDoS attacks for all public-facing servers, services, applications, data, and support infrastructure such as remote access technology.

Use dedicated internet links

Using links associated with components such as public-facing websites or DNS servers can increase the likelihood that DDoS attacks, or other such events, would prevent IT from being able to respond quickly. Therefore, it is important to use dedicated transit links for VPNs so that remote security can be as effective and unhindered as possible.

Implement secure user access

IT teams must ensure that remote-access mechanisms are integrated with their organisation's security systems, and multi-factor authentication (MFA) technologies should be required for all user access.

Avoid an obvious DNS name

Don't make it easy for an attacker by using the string "vpn" in DNS resource records for VPN concentrators. Instead, IT teams should choose a DNS naming convention that is helpful for them, without signposting a potential attacker straight to the key functional areas.
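A hygiene check for the naming point above, added as an example and not taken from the original article: it scans a zone export for A, AAAA and CNAME records whose owner name, or CNAME target, contains "vpn", so an IT team can review its own zones before an external party does. The BIND-style zone text is constructed, and the example.com names and 192.0.2.x addresses are documentation values, not real hosts.

```python
"""Audit a zone export for resource records that signpost the VPN role.

Added example, not code from the original article. Assumes a BIND-style
zone file where each record line is "owner [ttl] [class] type rdata";
the zone below is constructed for illustration.
"""
import re
from typing import List, Tuple

SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@          IN SOA   ns1.example.com. hostmaster.example.com. (1 3600 900 604800 300)
@          IN NS    ns1.example.com.
ns1        IN A     192.0.2.53
vpn        IN A     192.0.2.10      ; obvious: the owner name is the function
remote     IN A     192.0.2.11      ; neutral name, not flagged
sslvpn-gw  IN CNAME remote.example.com.
www        IN A     192.0.2.80
access     IN CNAME vpn.example.com. ; alias itself is fine, but it points at a 'vpn' name
"""

FLAG_RE = re.compile(r"vpn", re.IGNORECASE)
RECORD_TYPES = {"A", "AAAA", "CNAME"}


def find_signposted_records(zone_text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) for records whose owner name contains 'vpn',
    or whose CNAME target does (case-insensitive)."""
    hits: List[Tuple[str, str, str]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip zone-file comments
        if not line or line.startswith("$"):     # skip blanks and $ORIGIN/$TTL directives
            continue
        fields = line.split()
        # TTL and class are optional, so locate the type token after the owner name
        rtype = next((f for f in fields[1:] if f.upper() in RECORD_TYPES), None)
        if rtype is None:
            continue                             # SOA, NS, MX, TXT, ... are not audited here
        idx = fields.index(rtype)
        owner, rdata = fields[0], " ".join(fields[idx + 1:])
        if FLAG_RE.search(owner) or (rtype.upper() == "CNAME" and FLAG_RE.search(rdata)):
            hits.append((owner, rtype.upper(), rdata))
    return hits


if __name__ == "__main__":
    for owner, rtype, rdata in find_signposted_records(SAMPLE_ZONE):
        print(f"{owner:12s} {rtype:6s} {rdata}")
```

Run against a real zone transfer or a `dig axfr` export saved to a file, the function gives the list of names to rename; CNAME targets are included because an innocuous alias still leads straight to the concentrator if the canonical name carries the string.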

Working from home is here to stay so it is important that businesses protect and ensure the performance of their VPN gateways to enable their employees to continue to work effectively and safely.

Hardik Modi is AVP Engineering, Threat and Mitigation Products at NETSCOUT
