Remote working has been a “thing” for years, but it exploded into the consciousness of network professionals around the world in March after the global coronavirus pandemic forced a reimagining of work.
With little or no prior warning, workers were sent home to work by the millions. In the week of March 9 alone, corporate VPN usage in the U.S grew by 53%, and in countries like Italy it more than doubled, according to VPN vendor Atlas.
The results of this unprecedented growth were entirely predictable: 78% of corporate VPNs have experienced connectivity issues, and 64% of companies experienced some disruptions to network security, according to data from network test and measurement company VIAVI Solutions. In more general terms, VPNs have been overwhelmed and productivity has gone down.
That leaves network architects in something of a quandary. If we could be certain that things were going to return to the pre-pandemic normal in the near future, then the best thing may be to do nothing and muddle on. Even if the U.S. and some other parts of the world can return to relative normal by mid-2021, as seems possible with early vaccine success, that’s still half a year or more of remote work, and then the possibility that many jobs will permanently become remote.
An obvious solution adopted by some is to throw money at the problem. If VPNs are being overloaded, then increase their capacities. Heck, if budgets allow it, then buy another VPN concentrator. Why not? Of course this type of approach may work – at some cost – but there’s always a risk that increasing VPN capacity just exposes another weak link in your infrastructure. What happens if your DHCP server can’t assign IP addresses when it needs to? What if your SSL server can’t expose enough sockets quickly enough?
Split tunneling, device management ease VPN overload
Another approach is to take the pressure off the VPN by shifting some of the traffic away from it, and in that respect split tunnel architecture can help. Does everyone really need to access Office 365 in the cloud via the corporate VPN? Microsoft itself doesn’t think so, and recommends using split tunneling to avoid Office traffic becoming a cause of congestion. In fact it has published a guide – with input from Cisco (AnyConnect), Palo Alto (GlobalProtect) and F5 Networks (BIG-IP APM) among others – on how to implement VPN split tunneling for Office 365 so traffic gets routed straight to Microsoft’s Office service in the cloud.
Another challenge for network professionals is how to get thousands of machines in staff members’ homes updated and patched in a timely manner without overwhelming the VPN. Again, some network admins are finding that split tunneling can help – updates, if properly implemented, can come from a cloud-based content delivery network (CDN) rather than over the poor old VPN that is already taking a hammering.
Of course split tunneling is not the answer to everything, and there are plenty of alternative routes to go down to keep the traffic on the VPN moving. Some enterprises are turning to so-called modern device management (MDM) platforms to update devices of all sorts from the cloud. Others are moving to peer-to-peer systems that download updates and patches once and then distribute them among the nodes.
And then there’s the simple option: why not open firewall ports to essential applications and let remote workers connect directly? Then mitigate the (probably horrendous) security risks that arise from that using whatever other security resources are available. It sounds rash, but if a paralyzed VPN is the problem, would it be worth thinking about? Given the security risks, likely not. Simpler split tunnel and device management solutions seem like the best bet until we see what the future looks like.