VPN best practices

Why You Should Use a Corporate VPN (And How)

August 30, 2017 | By

You probably pay good money for various security products on your network: firewalls, IDS, and the like. However, even with these protections in place, without a VPN, your employees are only protected while they’re on your network. With a VPN installed, your employees can enjoy those same protections at all times, from anywhere in the world. It’s helpful to discuss some VPN best practices before you get started.

Three Common Questions About VPNs

If you’re wondering what exactly a VPN is, how it’s used, and how it can protect your network, read on. These are three common questions we often hear about VPNs.

What is a VPN?

A VPN, or virtual private network, is a service that enables you to securely and remotely connect back to a private network (like your corporate network) from a public network. When using a VPN, all of your network traffic is encrypted between your computer and the private network. This keeps your traffic safe from anyone in between you and your destination. Whether it’s your home internet service provider (ISP) trying to track you, or someone on a public WiFi network trying to steal information, your data remains secure.

How are VPNs Used?

Your HR likely maintains an employee database.

Customer service reps have a centralized portal for managing support tickets.

IT uses an asset management service.

These are all great examples of software that helps these folks do their job—but which should only be accessible from the inside of your company’s private network for security reasons. However, sometimes employees need to work from home, or from a hotel on a business trip. If they can’t access these services, they often can’t do their jobs, and business suffers.

A VPN allows employees to access sensitive systems and data while away from the secure corporate network. The traditional role of a VPN in a corporate environment is to allow remote employees to access internal-only services despite connecting from remote locations. With a VPN, remote employees are effectively connecting to your network from within. You expose a single service on the Internet, your VPN, and keep everything else within your private network. Employees can authenticate with the VPN from anywhere in the world, and then seamlessly access your company’s network as if they were actually there.

VPNs are standardized, secure, easy to adopt, and surprisingly affordable. All modern operating systems, desktop or mobile, have built-in support for connecting to a remote private network through a VPN. This means they are accessible even for less technically-skilled users. And it doesn’t impact performance or user experience. Once you configure the VPN settings on a device, employees can forget it’s there.

How do VPNs help protect the network?

The Internet is a wonderland, full of useful information and powerful services. It can also be a dangerous and unpredictable place. Any company resources that are accessible via the public internet are subject to a wide variety of attacks. Whether your organization is being specifically targeted by attackers, or it gets caught up in a broad scan for vulnerabilities, the question is not “will we be attacked?” but “when?” (and “how often?”).

The best practice here is to avoid having resources exposed on the public Internet whenever possible. If any of your services are intended for internal use only, then they should only be accessible via an internal network. This is what VPNs do.

Additionally, many security products are better at preventing compromise than they are at remediating an existing malware infection. If an employee’s device becomes compromised by an infection while off-network, and then they bring it back inside, it may be difficult for you to eradicate it. So it’s better to have employees always use a VPN. Then they can benefit from your network’s protections from anywhere in the world.

In addition to protecting your company’s internal services, VPNs ensure that the security measures in place on your network are used at all times, even by remote employees. You probably pay good money for various security products on your network—firewalls, IDS, and the like. Without a VPN, these security products can only protect your employees while they’re on your network. But with a VPN, your employees can enjoy those same protections at all times, from anywhere in the world. With a VPN, even free public WiFi can be safe to use.

VPN Best Practices

Now, you can’t just install a VPN and expect it to work perfectly. You need to follow some best practices to have the safest and most seamless experience. Here is what you need to know about three major technical aspects of VPNs. (Note: This content is most appropriate for IT managers and similar technical roles.)

Authentication

First and foremost, if your VPN is the gateway between your network and the Internet, then your network is only as secure as your VPN. Well-known VPN providers offer security that is as good as it’s going to get, but they are still only as secure as your authentication practices. Of course, this is not unique to VPNs.

To be as secure as possible, good authentication practices are critical in all parts of your security infrastructure. This means employees should have long but memorable passwords, preferably handled with a password manager. Plus, arguably most importantly, you should require two-factor authentication. (See our recent blog post for tips on passwords from the security pros.)

Latency

When configured properly, a VPN can work seamlessly, without impacting the end user’s experience. Ideally, after authenticating, your employees will hardly notice its presence. However, the act of routing all traffic through an intermediary third party does have some unavoidable effects.

For starters, latency is guaranteed to increase. (Latency is the round-trip time to send data and get a response back.) How much it will increase depends on your distance from the VPN provider. Unless remote employees are engaged in very delay-sensitive applications, like voice chat, a small increase in latency is rarely noticeable, especially when bandwidth stays about the same. If they are voice chatting with someone inside the company network anyway, then the added latency of coming in through the VPN provider ought to be negligible.

Split Tunneling

There are conventionally two ways for employees to have their VPN clients configured. Those are “full tunnels” and “split tunnels.” In a full tunnel, all network traffic is forced to go through the VPN provider, regardless of that traffic’s destination. In a split tunnel, traffic will only be forced to go through the VPN if the destination is inside the private company network. A split tunnel thereby separates corporate intranet traffic from private Internet use. But, by allowing split tunneling, you abandon many of the security benefits we’ve described above. Thus, split tunneling is considered to be a security risk, undermining some of the advantages of providing a corporate VPN. We strongly advocate for configuring VPN clients with full tunneling.
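To make the difference checkable on a client, the following added example (not from the original article) applies longest-prefix matching to a device's routing table and reports which address ranges would leave outside the VPN. The interface names tun0 and wlan0, the gateway address and both route tables are constructed assumptions, and only IPv4 tables are handled.

```python
import ipaddress

# Constructed sample route tables as (prefix, interface) pairs. The names
# tun0 (VPN) and wlan0 (local WiFi) and all addresses are assumptions.
FULL_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),        # original default route
    ("0.0.0.0/1", "tun0"),         # two /1 routes outrank the default
    ("128.0.0.0/1", "tun0"),
    ("203.0.113.10/32", "wlan0"),  # host route to the VPN gateway itself
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),
    ("10.0.0.0/8", "tun0"),        # only the corporate range uses the VPN
    ("203.0.113.10/32", "wlan0"),
]

def _parse(routes):
    return [(ipaddress.ip_network(p), i) for p, i in routes]

def egress_interface(routes, destination):
    """Longest-prefix match: interface a packet to `destination` leaves on."""
    addr = ipaddress.ip_address(destination)
    hits = [(n.prefixlen, i) for n, i in _parse(routes) if addr in n]
    return max(hits)[1] if hits else None

def bypass_ranges(routes, vpn_iface, vpn_gateway):
    """Address ranges that leave outside the VPN, ignoring the gateway route."""
    table = _parse(routes)
    gateway = ipaddress.ip_network(vpn_gateway)
    leaked = []
    for net, iface in table:
        if iface == vpn_iface or net == gateway:
            continue
        pieces = [net]
        # Carve out every more-specific route: those addresses follow it instead.
        for other, _ in table:
            if other.prefixlen <= net.prefixlen:
                continue
            pieces = [q for p in pieces for q in
                      (p.address_exclude(other) if other.subnet_of(p)
                       else [] if p.subnet_of(other) else [p])]
        leaked.extend(pieces)
    return list(ipaddress.collapse_addresses(leaked))

def tunnel_mode(routes, vpn_iface="tun0", vpn_gateway="203.0.113.10/32"):
    """'full' if nothing but the gateway route bypasses the VPN, else 'split'."""
    return "split" if bypass_ranges(routes, vpn_iface, vpn_gateway) else "full"
```

An empty result from `bypass_ranges` means every destination except the VPN gateway itself is forced through the tunnel; any non-empty result lists the traffic that your network's protections never see.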

The Value of True Security

Setting up a VPN on your network and configuring employee devices to use it may take a few days, but it’s well worth the effort for the reasons outlined above. In addition to your VPN, we strongly recommend setting up Strongarm’s DNS protection. This only takes a few minutes! With no agents to distribute and configure, you can effortlessly use Strongarm to protect your network from the latest security threats and to quickly remediate any infections that do make it through to your network. Best of all, when combined with a VPN, you can extend Strongarm’s protection to employees all across the world.

Want to learn more security best practices? Take our Grader quiz to find out how secure your organization is and then check out the personalized recommendations that follow.
