A well-managed virtual private network (VPN) is an essential part of most IT security plans, but striking a balance between accessibility and speed sets strong VPN deployments ahead of the pack. We have consulted
Underprovisioning against network usage growth
While IT managers can typically estimate how many users they will handle on a day-to-day basis, they often have trouble accounting for the rapid bursts of VPN usage that occur when Mother Nature forces users to work from home.
"Weather issues are a common source of activity bursts," noted Jeremy Filliben, a senior IT architect, in an e-mail interview. It's not uncommon for winter snowstorms to spike the number of remote workers, often maxing out available bandwidth, hardware or even licenses.
"Corporate VPNs need to be sized to handle worst-case scenarios," Filliben said. "But it can be costly to plan for a significant number of simultaneous users if it is common to have only a tiny fraction using it at once." One solution is to have solid plans in place for what to do with a sudden spike in remote workers, including deciding who gets priority access, and who can work without access to corporate networks until normalcy returns.
Less sudden but no less disruptive is the case where a VPN becomes a victim of its own success: Either the company outgrows expectations, forcing unplanned hardware and bandwidth upgrades, or individual users start using the VPN more heavily. Either can send planners back to the whiteboard to keep a strong VPN up and running.
"I think most organizations plan appropriately for the number of users they expect once the project is executed, but growth in user count and bandwidth requirements per user grow faster than most organizations anticipate," Filliben said.
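The sizing and priority-access planning described above, as an added illustration that is not from the article or from any vendor's product: the ceiling is sized from the worst observed daily peak rather than the average, and when a burst exceeds it, sessions are admitted by priority tier. All tier numbers, user names, bandwidth figures and daily peak counts are constructed for the example.

```python
"""Sizing a VPN concentrator for bursts and admitting users by priority.

Added illustration, not from the article or any vendor's product: it models
a fixed ceiling on concurrent sessions and aggregate bandwidth, sizes that
ceiling from observed daily peaks rather than the average, and decides who
gets in when a snow-day spike exceeds it. All tiers, names, bandwidth
figures and daily peak counts below are constructed for the example.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Session:
    user: str
    tier: int   # 0 = must have access (e.g. on-call ops), higher = can wait
    kbps: int   # expected bandwidth of the session


def required_capacity(daily_peaks: List[int], headroom: float = 0.25) -> int:
    """Concurrent-session ceiling to buy: worst observed peak plus headroom.

    Sizing from the mean instead would leave the rare burst day unserved.
    """
    return math.ceil(max(daily_peaks) * (1 + headroom))


def average_capacity(daily_peaks: List[int]) -> int:
    """What a mean-based plan would buy, for comparison."""
    return math.ceil(sum(daily_peaks) / len(daily_peaks))


def admit(requests: List[Session], max_sessions: int,
          max_kbps: int) -> Tuple[List[Session], List[Session]]:
    """Admit sessions in priority order until either the session count or
    the aggregate bandwidth ceiling would be exceeded.

    Returns (admitted, deferred). The sort is stable, so within a tier the
    earlier request wins; a small low-tier session can still be admitted
    after a large mid-tier one was deferred for lack of bandwidth.
    """
    admitted: List[Session] = []
    deferred: List[Session] = []
    used_kbps = 0
    for s in sorted(requests, key=lambda s: s.tier):
        if len(admitted) < max_sessions and used_kbps + s.kbps <= max_kbps:
            admitted.append(s)
            used_kbps += s.kbps
        else:
            deferred.append(s)
    return admitted, deferred


# Constructed history: a normal week plus one snow day at the end.
DAILY_PEAKS = [40, 45, 38, 420]

# Constructed snow-day requests arriving at a 4-session, 3 Mbit/s ceiling.
SNOW_DAY = [
    Session("ops-oncall", 0, 500),
    Session("finance-close", 0, 800),
    Session("sales-1", 1, 1000),
    Session("sales-2", 1, 1000),
    Session("intern", 2, 300),
]

if __name__ == "__main__":
    print("mean-based plan:", average_capacity(DAILY_PEAKS), "sessions")
    print("peak-based plan:", required_capacity(DAILY_PEAKS), "sessions")
    got_in, waiting = admit(SNOW_DAY, max_sessions=4, max_kbps=3000)
    print("admitted:", [s.user for s in got_in])
    print("deferred:", [s.user for s in waiting])
```

Run as-is, the mean-based plan buys 136 sessions against a 420-user snow day, while the peak-based plan buys 525; under the 4-session, 3 Mbit/s ceiling the second sales session is deferred but the small intern session still fits, which is the kind of outcome a written priority plan should make explicit in advance.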
Split tunneling towards a faster future
Another common culprit in laggy access is content that does not necessarily belong on the VPN.
"I think the biggest areas in terms of congestion are what the user is trying to do," said Rohit Mehra, an analyst with IDC. "If you're trying to download a rich media application or a streaming video, that's still relatively cumbersome when you do that for VPN."
While bandwidth is less of a problem these days than it has been historically, being selective about what rides over corporate networks -- and what goes out onto the open Internet -- can provide a sizable performance boost, Mehra said. This method of diverting non-sensitive traffic off the VPN while leaving proprietary data on it is called split tunneling.
"We're able to set it up so that port 80 traffic stays local, outside of the VPN," said Steve Alessia, systems engineer at Lettuce Entertain You Enterprises. Before Alessia switched the restaurant chain's VPN settings, streaming Internet radio or video would often choke the network.
A recent upgrade from a software-based VPN to SonicWALL's hardware-based option, however, made it easier to partition traffic, making issues with streaming media a thing of the past.
While useful for conserving VPN bandwidth, split tunneling comes at a price.
"There are potential security risks to this, as the end user has direct access to the Internet and direct access to the corporate network at the same time," noted Filliben. "That said, more corporate IT resources are being moved directly into the Internet, so this is a valid option."
But even internal traffic can cause cross-congestion if not managed right.
"I've also seen VPN issues at organizations that use shared Internet connections at their data centers," Filliben said. "I am expecting to hear more as the Olympics take off, where corporate LAN users stream video using the same Internet connections as the corporate VPN."
Wrong solution for the problem
Choosing the wrong tool for the job -- and in some cases, fighting the last generation of WAN battles -- can also undermine a strong VPN.
"You have to really look at the use case on what you're trying to accomplish before you decide what VPN technology to implement," said Mehra, noting that VPN technology is a broad and varied field.
Network engineers often tout IPsec VPNs for their powerful compression algorithms, which can help conserve bandwidth in situations with low throughput.
"High-speed Internet today doesn't really require compression anymore," said Rainer Enders, chief technology officer of NCP Engineering, an SSL-based VPN vendor. "Compression was good when there were slow lines, but it's counterproductive to throughput and can increase latency today."
He warned that the wrong techniques can actually hurt throughput as hardware is tied up decompressing, leaving VPN throughput dependent on CPU cycles rather than the high-speed pipes that tie together much of modern IT infrastructure.
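The trade-off Enders describes can be measured directly. The following is an added example, not from the article or from any VPN vendor: it compares zlib's gain and CPU cost on a text-like stream against a high-entropy stream (random bytes standing in for media that is already compressed, or for traffic that is already encrypted). Both payloads and the zlib level are constructed for the example.

```python
"""Compression gain versus CPU cost on a VPN link.

Added example, not from the article or from any VPN vendor: it measures
what zlib gains on a text-like stream versus a high-entropy stream
(random bytes standing in for media that is already compressed, or for
traffic that is already encrypted), and how much CPU each costs. Both
payloads are constructed here.
"""
import os
import time
import zlib
from typing import Dict


def compression_ratio(payload: bytes, level: int = 6) -> float:
    """Compressed size over original size; 1.0 or more means no gain."""
    return len(zlib.compress(payload, level)) / len(payload)


def cpu_ms_per_mb(payload: bytes, level: int = 6, rounds: int = 10) -> float:
    """Process CPU milliseconds spent compressing one megabyte of payload."""
    start = time.process_time()
    for _ in range(rounds):
        zlib.compress(payload, level)
    elapsed_ms = (time.process_time() - start) * 1000.0
    return elapsed_ms / rounds / (len(payload) / (1024 * 1024))


# Constructed payloads of equal size: repetitive HTTP requests vs random bytes.
TEXT_PAYLOAD = b"GET /status HTTP/1.1\r\nHost: intranet.example\r\n\r\n" * 2000
RANDOM_PAYLOAD = os.urandom(len(TEXT_PAYLOAD))


def compare(level: int = 6) -> Dict[str, float]:
    """Ratio and CPU cost for both payloads at the given zlib level."""
    return {
        "text_ratio": compression_ratio(TEXT_PAYLOAD, level),
        "text_cpu_ms_per_mb": cpu_ms_per_mb(TEXT_PAYLOAD, level),
        "random_ratio": compression_ratio(RANDOM_PAYLOAD, level),
        "random_cpu_ms_per_mb": cpu_ms_per_mb(RANDOM_PAYLOAD, level),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>22}: {value:.3f}")
```

The text stream shrinks to a small fraction of its size, while the random stream comes out slightly larger than it went in (zlib framing overhead) and still burns CPU on every byte. Compression on a link that mostly carries encrypted or already-compressed media is therefore pure cost, which is the point Enders makes about high-speed lines.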
For a strong VPN solution, network engineers need to study the pros and cons of various solutions and make sure that they invest in technology that will address the problems of tomorrow, not yesterday.
Even a strong VPN can stumble on shady endpoints
"A challenge to VPN performance for home users (or at Starbucks-type locations) is shared usage of the local Internet connection," wrote Filliben. "If the kids are in their rooms streaming Netflix and playing bandwidth intensive games, VPN performance could suffer."
These problems are magnified for VPN users on the road: Some hotels and airports, for example, block off VPN access entirely, or else offer highly unreliable connection speeds.
Even branch offices are not immune to the impact of somewhat shady connections.
"A lot of carrier companies haven't jumped on not commingling commercial and consumer Internet," warned Alessia. "RCN [Telecommunications] has done a good job at this, connecting business directly to their backbone so they can clean up some of the viruses that slow down connections."
But other providers are not so scrupulous, meaning a gaggle of teens torrenting the latest "Twilight" saga might interfere with remote training operations held in a field office in the same neighborhood.
The best solution is to read contracts and establish acceptable risks, understanding that, when it comes to free or consumer connections, you get what you pay for, or sometimes even slightly less.
Not all traffic is created equal
Different types of traffic, traveling over the same VPN setup, might be perceived as having vastly different qualities of connection. Voice traffic, for example, is highly sensitive to any latency, while video downloads are less latency sensitive but can require more bandwidth.
"Latency and jitter impact the quality of voice, so you need to pay attention to the kind of VPN you're deploying," said Mehra. He also noted that an influx of corporate video, while great at potentially cutting travel and training costs, could trip up other types of traffic, a problem he predicted will become more common over the next few years.
"Video is becoming a bigger resource in terms of marketing and training," he said. "With corporate networks, it's still small, but the trend line is still very, very telling."
Fortunately, a strong VPN strategy can help IT departments have their cake and eat it, too. Lettuce Entertain You, for example, prioritizes traffic based on port: while port 80 goes out to the open Internet, business-critical Telnet traffic is given a boost above corporate file transfers, which in turn are prioritized over traffic from the restaurants, the lowest rung in terms of VPN quality of service.
In that mix, Alessia said, VoIP traffic could also be given high priority when needed to ensure jitter-free calling.
"SonicWALL has protocols built into their tunnels to support SIP or VoIP prioritization as well," he noted.
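The two decisions this article describes, the split-tunnel choice from the "Split tunneling" section (port 80 stays local) and the per-port priority ladder above (VoIP, then Telnet, then file transfers, then the restaurants), can be written down as one per-flow policy so the ordering can be checked. The following is an added example, not Lettuce Entertain You's or SonicWALL's configuration: the SIP, RTP, Telnet, FTP and SMB port numbers are the usual assignments, while the corporate address space, the restaurant subnet and the sample flows are constructed for the example.

```python
"""Per-flow policy: local breakout (split tunnel) versus tunnelled traffic,
and a QoS class for whatever does go through the VPN.

Added example, not Lettuce Entertain You's or SonicWALL's configuration:
it encodes the policy the article describes so that the ordering can be
checked. Port numbers for SIP, RTP, Telnet, FTP and SMB are the usual
assignments; the corporate address space, the restaurant subnet and the
sample flows are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

CORP_NET = ip_network("10.0.0.0/8")           # assumed corporate address space
RESTAURANT_NET = ip_network("10.200.0.0/16")  # constructed: restaurant sites
RTP_PORTS = range(16384, 32768)               # common RTP media port range


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Decision:
    tunnel: bool              # False = local breakout, bypasses the VPN
    qos_class: Optional[int]  # 0 = highest priority; None when not tunnelled
    reason: str


def classify(flow: Flow) -> Decision:
    """Split-tunnel decision first, then the QoS class inside the tunnel."""
    dst = ip_address(flow.dst)
    # Only plain web traffic to non-corporate destinations stays local;
    # port 80 to a corporate address is still corporate traffic.
    if flow.proto == "tcp" and flow.dport == 80 and dst not in CORP_NET:
        return Decision(False, None, "port 80 to Internet: local breakout")
    # Inside the tunnel: VoIP > Telnet > file transfer > other > restaurants.
    if flow.proto == "udp" and (flow.dport == 5060 or flow.dport in RTP_PORTS):
        return Decision(True, 0, "SIP/RTP: latency and jitter sensitive")
    if flow.proto == "tcp" and flow.dport == 23:
        return Decision(True, 1, "Telnet: business-critical interactive")
    if flow.proto == "tcp" and flow.dport in (20, 21, 445):
        return Decision(True, 2, "file transfer: bulk, tolerates delay")
    if dst in RESTAURANT_NET:
        return Decision(True, 4, "restaurant site: lowest rung")
    return Decision(True, 3, "other tunnelled traffic")


def prioritized(flows: List[Flow]) -> List[Tuple[int, str]]:
    """Tunnelled flows as (qos_class, destination), best class first."""
    ranked: List[Tuple[int, str]] = []
    for f in flows:
        d = classify(f)
        if d.tunnel and d.qos_class is not None:
            ranked.append((d.qos_class, f.dst))
    return sorted(ranked)


def dual_homed(flows: List[Flow]) -> bool:
    """True when one endpoint has local-breakout and tunnelled flows at the
    same time: the exposure split tunneling introduces, since the client is
    then on the Internet and the corporate network simultaneously."""
    decisions = [classify(f) for f in flows]
    return (any(not d.tunnel for d in decisions)
            and any(d.tunnel for d in decisions))


# Constructed sample flows from one remote client.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.10", "tcp", 80),   # Internet web: local
    Flow("10.1.1.5", "10.0.5.10", "tcp", 80),      # corporate web: tunnelled
    Flow("10.1.1.5", "10.0.5.20", "tcp", 23),      # Telnet to a corporate host
    Flow("10.1.1.5", "10.0.5.30", "udp", 5060),    # SIP signalling
    Flow("10.1.1.5", "10.0.5.40", "tcp", 445),     # SMB file transfer
    Flow("10.1.1.5", "10.200.3.7", "tcp", 8443),   # a restaurant site
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        d = classify(f)
        print(f"{f.proto}/{f.dport:<5} -> {f.dst:<14} tunnel={d.tunnel!s:<5} "
              f"class={d.qos_class} ({d.reason})")
    print("tunnel order:", prioritized(SAMPLE_FLOWS))
    print("dual-homed client:", dual_homed(SAMPLE_FLOWS))
```

Two details are worth noting. The port-80 breakout rule is scoped to non-corporate destinations, so a web request to an internal server is not accidentally sent out the local connection; and `dual_homed` makes Filliben's caveat from the split-tunneling section testable, flagging any client that is on the open Internet and the corporate network at once.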