If you’re not certain if you need a virtual private network (VPN), or how you’d go about setting one up, that’s okay. Those three little letters represent a minefield around terminology, compatibility, even legality: ask the younger generation what VPNs are for and they’ll think of anonymous, untraceable access to the shadier corners of the internet. Or, they might picture hackers and ransom-demanding pirates taking control of their victims’ machines.
Those bad people are using a VPN, since technically the term can mean any encrypted, encapsulated link from one Internet address to another. That says nothing about what it’s used for, what it can or can’t do, who owns it or whether it’s even working. What attracts the bad guys to such technology is the fact that no-one can peer into the data that moves inside those encrypted packets – although the source and destination addresses aren’t encrypted, so it’s always going to be apparent that a link is active. This is why business VPN solutions generally offer extensive security features: the value of the proposition lies in its impenetrability.
Unfortunately, as a result, the marketing spiel can lean towards impressive-sounding gobbledegook, intended to bamboozle senior management types simply looking for “the most secure VPN we can buy.” If you want to make the right choice, you need to start by understanding what’s possible. Then you can choose a way to do it – and stay on top of the accompanying security obligations.
The benefits of a VPN
The most important benefit of a VPN is that it cuts your internal security problems down to size. Recently, embarrassingly so, there was a time when a Windows network could be constructed over global, public IP addresses, and many early design documents and even practical implementations made use of this configuration. Quickly, it became clear how inadvisable this was: even now, the interval between opening up an unsecured machine to the internet and its being compromised is typically measured in minutes.
A VPN can help here in two ways. First, you can shut off malicious connections entirely if you make a blanket rule only to accept VPN traffic. Second, you can close off the most prevalent exploits by using a border device that doesn’t run Windows. Adopting these two simple measures is much less onerous than having to keep on top of patches and threats to your entire Windows ecosystem.
This isn’t to say that Windows makes a bad entry point for a VPN, or even a bad firewall. But it tends to be best used as part of a multi-device design, with firewalls, routers and SSL concentrators all playing their part in filtering, directing and brokering the traffic before it gets to the server. And there’s certainly no need to use it for regular VPN duties: one thing that’s moved forward in this field over the last half-decade is the burgeoning variety of ways you can land a VPN. Let’s not get bogged down in the technology, however, but look at this from a business perspective.
The most common way to deploy a VPN in a small business is via a slightly smart router, with some small-scale features to support roaming Windows and Apple software clients. This kind of system will do the basic job, but it’s likely to be using L2TP/IPsec for tunneling and encryption, which often has a painful effect on internet performance as the router struggles to do all the required processing.
It’s also not guaranteed to keep up with changes in the environment. Many organizations relying on a setup like this have recently hit unexpected problems, thanks to changes in the VPN client in Windows 10. On paper, these promise more versatility and better security, but old routers have been left out, and the recommended solution has often been simply to go out and buy a new one. To be fair, it’s difficult to blame manufacturers alone, because communication on Microsoft’s part has been woeful, too. If you can’t make your VPN work on Windows 10, not only are you unlikely to get a clear explanation as to why, you’ll also look in vain for reassurance that whatever solution you come up with won’t be borked in an update.
Even if your router-based VPN is nominally working, many businesses experience intermittent service (and hence high levels of user irritation) because the kit has to work hard and doesn’t tend to cope well with issues. It’s not easy to run tests on a router that can’t reliably tell you when you need a hard reboot – especially when your whole organization is relying on it for connectivity.
One solution is to move your VPN services into the cloud, rather than keeping them inside a box with some LEDs on it. However, if you’re only dealing with a dozen clients, this may well be overkill. Businesses tend to assume it’s the necessary next step when their low-cost router starts to struggle, when in fact stepping up to a slightly more capable local appliance could solve their problems much more cheaply.
Mature mid-sized businesses
Larger organizations are more likely to have specialist IT staff – guys who’ve been doing remote access since the days of the whistly-noise modem and character-based terminal. For them, VPN is the latest faddy way to do it, and they’re happy to jump onboard.
But this presents risks of its own. These guys tend to be early adopters, which might be fine for them but can imply a steep learning curve for everybody else. They’re also likely to want to set things up just so. This can lead to situations where changing anything at all – inside the LAN, outside it, with hardware, software, supplier or anything else – has unexpected consequences. A single cable popping loose might result in two routers both advertising as the single authoritative endpoint, causing security errors and leaving users locked out. Tracing the trail of cause and effect in a lovingly designed VPN can be agonizing.
Let’s not panic too much, though. Such situations are rare and high-end architecture can deliver legendary levels of reliability, especially when the people connecting to the VPN are doing so in consistent ways, from their homes or branch offices. It’s when things are more chaotic and unpredictable that issues arise. Which brings us neatly to the cloud.
Modern cloud-based ventures
If you’ve managed to cast off the traditional shackles of information technology, then good for you. But when your assets and services are all up in the cloud, the demand for secure access doesn’t just evaporate: it becomes ubiquitous.
Accordingly, both Amazon and Microsoft prefer you to present your entire pool of client machines, tablets and phones in a privately connected way. This can go as far as setting up a dedicated, and very physical, fast link between you and their nearest cloud-access point. Whether you go that far or not, both of the providers use a popular VPN technique, namely connecting over Secure Sockets Layer (SSL).
Most people are familiar with SSL in the form of HTTPS, which provides secure access to web services, but that’s by no means all it can do. Transporting data through a secure pipe between your browser and a website is functionally indistinguishable from a regular VPN workload – and, while many ISPs and public hotspots will block unusual connection types, they can’t block SSL, as this would make most of the web inaccessible. It’s not a coincidence that firewall vendors charge extra for SSL connections, controlling how many VPN users you can have operating simultaneously.
Passing your VPN traffic over SSL ought to be a no-brainer, especially if your business transacts a lot with the cloud. Unfortunately, it comes with an extra level of complexity to deal with, in the form of SSL certificates. These require renewing biannually and come with their own classes of phishing attack, malware and spam. You’ll even have to contend with competing certificate issuers engaging in dodgy customer-capturing strategies.
Once you’re in a cloud-centric business, it’s very likely that all of this grief will come to visit anyway. All the same, you’ll need to take a step back and evaluate how to manage the risks associated with relying on certificates. In theory, it should be fairly simple, but failures can be protracted and fantastically disruptive: being cut off from your entire computing resource is something that modern cloud businesses don’t fire-drill for enough.
Another potential pitfall for heavily cloud-connected businesses is not paying enough attention to local infrastructure. A typical issue that might arise is a router wanting to do its own thing with SSL packets, rather than loading up the certificate that’s been issued. It may not be easy (or possible) to resolve the problem, short of throwing the router in the bin and replacing it with a more expensive, better-behaved model.
VPNs and the distributed business
The stereotypical use case for a VPN involves executives traveling around the world with their laptops, but this isn’t how most people work in daily life. In many cases, it’s about working from home, while maintaining reliable, secure access to professional-grade resources. These can include videoconferencing facilities: I’ve even seen bedrooms with one corner painted in the company standard hue, along with a company standard desk, printer, wired phone and desktop PC, all transported from the mothership.
This sort of environment is what the big firewall companies make small firewalls for. Rather than messing with distributed traffic gateways and the challenges of remote support, it’s far easier to look at the lifecycle costs of setting up proper little IP subnets at each home office, each one supporting whichever devices the job requires.
Ensuring that an arrangement such as this is properly fault-tolerant isn’t a trivial matter. There are pressures from all sides. Plenty of ISPs will offer something like this as a turnkey solution – but they’ll run it over their own wires, rather than over the public internet. This means users can’t plug into their home router and go, and you’re stuck with the provider’s timetable for maintenance operations, which can be in the order of weeks rather than days.
And what if the line goes down? You can get routers with 4G SIM cards, to keep an internet connection going if the main line is lost, but there’s absolutely no way to guarantee performance. Apart from anything else, your teleworking neighbors may well be in the same boat and hitting the same cell. No wonder distributed businesses are becoming increasingly interested in the new wave of collaborative productivity platforms, which are usually presented via web browsers and can be used over any consumer-grade connection.
A few final caveats: remote access can be tricky to manage if you have a high staff turnover. Very few distributed VPN services are responsive enough to disconnect a departing staff member in the time it takes them to leave the office and drive home. Another issue is whether the local council approves of turning an employee’s home into their regular place of work: there have been cases of two-up two-downs being re-rated as business premises, with all the associated tax implications.
Cloud VPN providers
As mentioned, there’s no technical need to invest in a full physical VPN hardware solution. Cloud VPN services let all your clients connect (via the provider’s endpoint software) through a hosted server, which then connects to your central resources.
One big advantage of these services is that they’re normally very prompt with fault rectification, since they do nothing else all day. They can also be much simpler to manage for an uncomplicated business setup – but you may hit conflicts if you’re signed up with a big cloud provider that requires you to use its VPN to access your hosted resources.
Another disadvantage is that several of them only do IPsec and not SSL, so you can’t rely on being able to connect from any old café or hotel lobby. This can cramp the style of a mobile workforce: thinking about the peripatetic nature of PC Pro’s editorial team, I doubt I’d survive recommending they use a cloud VPN product that couldn’t do SSL …
Depending on your needs, a classical VPN might not be the only, or best, solution. One alternative is remote desktop access, via services such as GoToMyPC, TeamViewer and LogMeIn. These products appeal to managers who fear the complexity and costs of a full VPN, and they tick the key boxes: the traffic between the controller and the controlled PC is encrypted, and you can normally connect from anywhere.
But if you want to take this route, there are some significant issues to consider. Offering a convenient gateway for users to connect to a machine inside your company’s firewall necessarily means opening up the same opportunity to unscrupulous hackers. Some businesses address this by sending their remote-control traffic over their VPN, just to make you think about that combination. What’s more, while the costs may seem low at first, the licensing structure can quickly become restrictive and expensive. Some of the product-support remote-control apps come in at $2,000 per year per starting license, which may quickly turn you back onto more traditional VPN solutions.
Another idea that could, in theory, replace a conventional VPN service is taking advantage of IPv6 to open a secure connection directly to any internet-accessible device. I’ve seen Microsoft staff do this in meetings: if they’ve left a relevant file on their desktop PC back in Redmond, they simply pop open an IPv6 Teredo tunnel, from wherever in the world they happen to be at the time, and grab it.
This shouldn’t be taken as a recommendation, however, not least because I honestly have no idea what sort of defenses Microsoft has at the edges of its IPv6 network. I suspect that its security resources are formidable indeed, and the number of companies who can match them is evidently small, because I seldom see anyone else even trying to dip a toe in the water.
Indeed, although IPv6 was originally envisaged as a general-purpose transport for connecting any two devices in the universe, there’s a whole range of alternatives out there, including completely private protocols, such as those underpinning Amazon’s services. Rather than becoming the universal transport, IPv6 may end up being an ancestor of the eventual winner – which isn’t at all clear right now, and may not even exist yet.