In a world where the Internet seems to reach everywhere, network users have come to expect smooth "anywhere, anytime" access to corporate networks. Keeping your remote access VPN up-to-snuff is pretty easy: Watch your Internet bandwidth usage and the CPU usage on the VPN server -- when either hits a consistent 50% to 75% of capacity, you are in need of an upgrade. But just buying more bandwidth and a bigger VPN server is not the only way to give people better remote access. Here are some ideas on other approaches that you may want to mix into a traditional VPN server to give remote users the tools they need to be efficient, productive and happy. Check your current remote access deployment against these tips to see if there's room for improvement.
Goodbye IPsec, hello SSL
As the IPv4 address space fills, network address translation (NAT) has become ubiquitous. While IPsec is over a decade old, many NAT devices don't mix well with the security and encryption protocol. At the same time, network service providers are beginning to block more and more protocols -- including IPsec in many cases -- to limit the spread of malware. VPN vendors have come up with a slew of strategies to solve this lack of connectivity and interoperability problem, but the one that seems to work best is tunneling remote access traffic over TCP port 443, the HTTP-over-SSL port. Your remote access VPN product should not depend on anything more than a port 443 connection to work. If you haven't converted to an SSL VPN tool, you're already behind the power curve and not giving people the best and fastest experience possible.
Goodbye network tunnel, hello application tunnel
While traditional VPNs with network extension over IPsec or SSL are great for general network access, I've found that most users are spending most of their time on a tiny set of applications: email and intranet webpages. Those applications are "self tunneling," which means you can get both encryption and authentication without throwing a traditional VPN server in the way. All modern email servers include encryption, so if email is the only application someone will be using, they may not need to bring up a whole VPN tunnel. If you're using a standards-based mail server, you can give access directly without a VPN when protocols such as SMTP and IMAP are both encrypted and authenticated -- a feature in every modern mail server. Be sure your mail server has break-in evasion enabled to eliminate the possibility of a password guessing attack, and look to your firewall to provide needed denial-of-service (DoS) attack protections when you do this. If you're an Exchange shop, upgrade to a version that supports RPC-over-HTTPS, which will let Outlook users connect directly, quickly and securely.
If you have Web services inside the firewall remote users need, consider an application-level SSL VPN --top vendors include Juniper Networks Inc., SonicWALL Inc. and F5 Networks Inc. -- to eliminate the overhead of tunnel establishment, authenticate users for multiple services, and encrypt traffic using the browser's SSL layer. A second benefit of this strategy is that most of these SSL VPN products can also add a layer of encryption and authentication protection to your standards-based or Exchange mail server, reducing some of the need for patch paranoia.
Goodbye backups, hello continuous data protection
In the old days, we used to talk about a "backup window," during which systems could be unavailable or have very poor performance, while backups were running. When everyone was in the office from 8 am to 5 pm, that would leave a nice window during which no one cares whether operations are fast or not.
Today, however, when remote staff connects back to your network around the clock and from every time zone, the backup window shrinks to … well, to nothing. The nightly slowdown or, in the worst case, downtime window is just not acceptable anymore.
While the requirement for data protection hasn't changed, the traditional stick-a-tape-in-a-drive-each-night strategy doesn't work very well anymore. In addition to the issues of backup window, many businesses of all sizes are finding that data volumes are getting so large that making tape-based (and disk-based) backups is no longer cost effective, practical or even possible.
Fortunately, a slew of good products have come to market from SAN, application, and even backup software vendors, giving you many alternatives to traditional tape-based or disk-based backup. Stop thinking of backups as a fragile point-in-time snapshot of your network, and start thinking in terms of continuous data protection -- making sure the data is protected as it is created, and that backups don't create an operational hazard impeding access to your remote access VPN.
Send comments on this technical tip firstname.lastname@example.org.
Join us on LinkedIn.
About the author: Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.