Sergey Nivens - Fotolia
The dramatic increase in remote access to business information systems and services due to COVID-19 means network managers must examine ways to optimize the amount of resources available to remote users.
This article discusses the pros and cons of setting up two VPN connections at the same time from one remote device.
Here's a possible scenario: A remote laptop normally connects to host-based systems via a VPN using the internet as the transmission medium. The VPN device provides access control, security and other mechanisms to ensure a secure connection.
Now, suppose the remote user wants to connect to another resource offered by the company. Can that user connect via the same VPN tunnel? In most cases, the answer is "no" because the VPN software generally supports only one connection at a time.
Installing a second image of VPN software and an additional network interface card probably won't work, as the VPN clients may overlap and interfere with each other. This visual depicts how that might work in practice.
Remote workers normally use a VPN tunnel to their primary work systems and resources. However, accessing additional web-based services means using a non-VPN connection to the remote host. Security and availability are primary drivers for VPN usage. As such, network managers must make arrangements -- e.g., using encryption -- for traffic that uses non-VPN connections to ensure the information being accessed is secure, its confidentiality and integrity are protected, and its availability is assured.
Configuring a single VPN client with a policy that permits the client to reach more than one destination is called split tunneling. For example, the VPN policy might say all traffic sent to 192.168.0.0/24 goes over a VPN tunnel to the main office. Other traffic -- with no VPN -- goes over the internet to the remote locations.
Questions to ask when planning VPN connections
The following are seven questions network managers should answer when contemplating concurrent VPN connections and split tunneling:
- Can you program a VPN policy definition that performs what you want to do?
- Are the IP addresses of the two private destinations you want to use nonoverlapping and static? If the remote host has a dynamic address, configuring a policy may be difficult.
- Does the VPN device permit split tunneling?
- What arrangements must be made in advance before using split tunneling?
- Does the split-tunneling device have a security feature to prevent opening a backdoor in which traffic that goes through the non-VPN connections could enter through the VPN tunnel and enter your machine?
- Does the VPN device permit detailed VPN policy definition and configuration?
- Does the VPN device permit your client-server protocol to accept incoming connections to your laptop?
Planning considerations for concurrent VPN connections
If your VPN client does not support split tunneling, you may not be able to access local and international internet services concurrently; you may use up much of the network bandwidth; and you may not be able to access LAN-connected devices while on the VPN.
If the VPN device supports split tunneling, verify that it can access remote systems, as well as local IP addresses; verify that downloads can be made safely without affecting the throughput to other web activity; and verify that other local devices, such as a printer, can operate while accessing internet resources.
Data traffic that doesn't travel over a secure VPN may be accessible by others, such as an internet service provider or cybersecurity threat actors.
Determine the business requirements from remote workers before investigating alternate VPN arrangements. To ensure optimum VPN response times, security and performance, network engineers must carefully analyze the following:
- which resources workers are accessing remotely;
- the kinds of activities -- e.g., sessions -- remote users will be performing;
- available bandwidth; and
- network access and security devices.
Network engineers can use these best practices to generate additional efficiency to remote users who are using VPNs to access company information services. Teams must carefully research the necessary requirements before evaluating any specific devices and network configuration changes.
Dig Deeper on Network services
Related Q&A from Paul Kirvan
Thinking of activating disaster recovery as a service? As you start this important process, consider these best practices that will help protect your... Continue Reading
It's time to review your strategy for ransomware backup and recovery. While there are standard ways to protect your organization, newer technologies ... Continue Reading
Business continuity and resilience go hand in hand and play a role in an organization's disaster recovery plan. Essentially, business continuity is ... Continue Reading