Recently, we’ve been getting a lot of questions regarding the use of VPNs to enable workers to access corporate resources from home or remote locations. I have collected some of those questions together in this post, which I hope you will find useful.
As with most things IT-related, the best solution for you depends on your organization’s priorities: security, flexibility, and ease of use. In general, VPN solutions provide user experiences that are very close (sometimes the same) as the worker is used to in their office, which means they can be just as productive at home, use all the same apps with the same file access, and require no specialized training.
A Virtual Private Network (VPN) is the name given to a secure connection from one device to another, usually over an insecure network like the Internet. You may also hear the term “tunnel”, but this is a broader class of connection that doesn’t always provide any security. For a tunnel to be secure, it must include authentication of the devices or users, so we know who’s trying to connect, and some form of encryption, so that eavesdropping on the conversation is not possible (or is very difficult, at least).
So, a VPN authenticates the devices and encrypts the data using standard protocols to make it as easy as possible to securely connect devices to networks over the Internet. However, there are different types of VPN, and both the connecting device and the network must use the same type, or the connection will not work. Which type you use depends on how you prioritize flexibility, ease of use, and security.
There are two main types of VPN technology in use: IPsec and SSL/TLS. We’ll look at both types here from the viewpoint of your organization’s priorities.
Internet Protocol Security (IPsec) requires specific client software to be installed on the user’s device. The software contains secret keys to uniquely identify the device and configuration to create an encrypted connection to the network. This means your company has control over the types of devices your workers can use, but the secret keys and encryption must be configured by your IS team on every device. So, your workers can only use pre-configured corporate devices, or they must bring their devices to the IS team to have them set up for IPsec VPN access.
Secure Sockets Layer / Transport Security Layer (SSL/TLS) is a more flexible solution that allows the worker to use any device to securely connect to their corporate network. The worker first downloads an approved client (OpenVPN is a good choice) then installs a short script prepared by their IS team to configure the client to establish a secure connection. The advantage is lower setup overhead for your IS team and more flexibility for your workers—especially useful if they don’t have pre-configured equipment to use or your company needs to arrange VPN access quickly.
The type of VPN you use will depend on your organizational priorities and may include a mix of both.
Figure 1 - SSL VPNs for Remote Workers
Typically, SSL/TLS VPNs are good choices when there is a sudden need for network access and limited time to prepare, or when remote workers have limited access to IS support and can’t bring their work device in to be configured. This may be the case for remote or mobile workers who may not spend much time in the office and may want to choose the device they use for work. Additionally, you may find that IPsec traffic is blocked in some hotels and public spaces. SSL/TLS is not usually affected the same way, making it the preferred choice for most mobile workers.
Figure 2 - Site-to-Site IPsec VPN
IPsec VPNs are the better choice for more static or longer-term applications where the extra security is worth the additional setup. For this reason, IPsec VPNs are typically used to provide secure access between offices in different locations (known as “site-to-site”) where the link is permanent and IS support is readily available. Commonly they are configured using VPN Routers, specialized security devices deployed at each end of the secure tunnel, that handle the authentication and encryption requirements. IPsec VPNs can also be the right choice for workers with company equipment (e.g., laptops) who occasionally work remotely or work with sensitive information.
We recognize that for many companies, despite the advantages of deploying a VPN solution for your remote workforce, it may be too complicated or time-consuming, especially if your IS team has other priorities. Therefore, we offer a service where we assess your requirements and then design and deploy a solution that’s right-sized for your organization. We can scale our solutions from an SSL VPN for a team of mobile workers, to a corporate multi-site VPN solution, and even a full SD-WAN architecture. All the configuration, testing, and support tasks are handled by us, or if you prefer, we can train your IS team to support the solution we deploy.
Contact us for more information about this service, or any of our security solutions.