It is not only employees who can use a VPN tunnel to reach a company's internal resources securely from outside. Many subsidiaries are connected to each other in the same way. We explain what a modern VPN solution offers, describe the hardware and software you need for it, and look at the potential pitfalls.
The global pandemic has produced a boom in the take-up of VPN (Virtual Private Network) services this year. Countless employees who previously worked at a desk in the office suddenly found themselves at home on a private computer, which they now had to use to reach internal resources such as e-mail and application servers. This presents their IT departments with some challenges. Most IT departments have at least basic experience with professional VPN solutions, but the sharp increase in usage meant that the services on offer generally had to be reconsidered and extended.
Types of enterprise VPNs
Essentially, there are two ways in which companies use virtual private networks. First, there are the classic remote access VPNs, through which individual employees connect directly to the company network. Then there are the site-to-site VPNs, in which two or more company sites connect securely to each other across public networks.
A classic remote access VPN generally consists of two components: the VPN endpoint (gateway) on the company side, and the client software installed on the employees' end devices. The client builds an encrypted tunnel to the VPN endpoint, and all data between the device and the company network travels through that tunnel. Today the endpoint is often a firewall that not only filters traffic but also terminates VPN connections; in other cases a dedicated VPN concentrator is used.
The same devices can serve as endpoints for a site-to-site VPN. They ensure that all data exchanged between the connected sites is automatically encrypted for transmission. Such connections are generally much cheaper than renting dedicated lines between two locations. Note that MPLS circuits are not intrinsically more secure than connections across the public internet: the traffic on them is not encrypted, and their protection rests on the provider keeping customers' traffic separated. That makes them harder for an attacker to reach, but not impossible, which is why sensitive traffic is typically encrypted with IPsec even over MPLS.
With a typical remote access VPN, all traffic is channelled through the encrypted tunnel between the client and the endpoint. This can cause problems if the employee's private traffic also takes that path, since it consumes the endpoint's bandwidth and passes through the company network needlessly. A technique called split tunnelling was developed to deal with this: only traffic for company destinations enters the tunnel, while the employee's private traffic reaches the internet via the employee's own router and is not rerouted through the company network. The trade-off is a security one. A split-tunnelled client is connected to the company network and exposed to the internet at the same time, and its internet traffic bypasses the company's filtering, so endpoint hardening and a clear decision about which destinations belong in the tunnel matter more than with a full tunnel.
Setting up an enterprise VPN
We have already described the general setup and the two types of enterprise-capable VPNs. Network manufacturers such as Juniper Networks and Cisco Systems offer a wide range of VPN-capable solutions. These generally consist of at least one VPN-capable gateway together with matching client software, or of appliances that provide VPN services and can be connected to each other.
Appropriate hardware would be, for example, the SRX300-series firewall gateways from Juniper. The different models, currently ranging from the SRX300 to the SRX380, offer a VPN performance from 300 MBit/s to a maximum of 3,500 MBit/s – and are therefore aimed at small-to-medium-sized enterprises. The manufacturers also have other gateways in their product range which are intended for larger customers – and which are capable of significantly more performance. The SRX1500 offers a VPN performance of 2 GBit/s, the SRX4600 already offers up to 55 GBit/s, the SRX5600 provides around 120 GBit/s and the SRX5800 even offers up to 230 GBit/s. There are also gateways capable of ensuring a consistently high level of VPN service, even for companies with thousands of employees working from home.
Cisco Meraki also has VPN products in its range, for example the MX100, which achieves a VPN throughput of 500 MBit/s, or the MX450, which offers VPN performance of up to 2 GBit/s. In addition, with Auto VPN, Cisco Meraki has a feature in its portfolio that significantly simplifies the setup of new VPN connections.
Help setting up a VPN
When a service provider such as HCD Consulting helps a customer set up a VPN, the work generally follows a well-established routine. First, the IKE and IPsec proposals are defined: the encryption, integrity and Diffie-Hellman settings that both ends must agree on. The authentication method, typically a pre-shared key (PSK) or certificates, and the IKE version are decided at the same time; IKEv2 is the current version and should be preferred, and a PSK must be long and random, because it protects every tunnel that uses it. Then the network goals are discussed: which subnets need to reach each other, who may connect to which service, and which protocols are required for that. The last step is to adapt the firewall rules so that only the agreed traffic is permitted through the tunnel; after that, employees can start using the VPN connections. If you want to go into all of this in greater detail, have a look at the VPN Configuration Generator from Juniper, which quickly produces a configuration template from your chosen parameters.
Difficulties in setting up an enterprise-capable VPN usually arise when the theoretical and technical fundamentals are not known in sufficient detail. This applies in particular when several networks are to be connected to each other. HCD Consulting is happy to help you here too.
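To make the steps above concrete, the following is an added example of a route-based site-to-site IPsec VPN in Junos configuration syntax for an SRX gateway. It is not taken from the original page, from Juniper's documentation, or from Juniper's VPN Configuration Generator; it is written here to show what the proposals, the pre-shared key, the IKE version choice and the firewall rules look like in one place. All names, addresses and subnets are assumptions: the peer address 203.0.113.2, the head-office LAN 10.10.0.0/16, the branch LAN 10.20.0.0/16, the interface names ge-0/0/0.0 (internet) and ge-0/0/1.0 (LAN), and the placeholder pre-shared key, which must be replaced by a long random secret before use.

```junos
security {
    ike {
        /* Phase 1 proposal: what both gateways must agree on for IKE itself. */
        proposal IKE-AES256-SHA256-DH14 {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy IKE-POL-BRANCH {
            proposals IKE-AES256-SHA256-DH14;
            /* Placeholder only (assumption): replace with a long random secret. */
            pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-SECRET";
        }
        gateway GW-BRANCH {
            ike-policy IKE-POL-BRANCH;
            address 203.0.113.2;              /* assumed public address of the branch gateway */
            dead-peer-detection {             /* tear the tunnel down if the peer stops answering */
                interval 10;
                threshold 3;
            }
            external-interface ge-0/0/0.0;    /* assumed internet-facing interface */
            version v2-only;                  /* IKEv2 only; refuse IKEv1 negotiation */
        }
    }
    ipsec {
        /* Phase 2 proposal: AES-GCM provides encryption and integrity together. */
        proposal IPSEC-AES256GCM {
            protocol esp;
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 3600;
        }
        policy IPSEC-POL-BRANCH {
            perfect-forward-secrecy {
                keys group14;                 /* fresh DH exchange per IPsec SA */
            }
            proposals IPSEC-AES256GCM;
        }
        vpn VPN-BRANCH {
            bind-interface st0.0;             /* route-based: the tunnel is a routable interface */
            ike {
                gateway GW-BRANCH;
                ipsec-policy IPSEC-POL-BRANCH;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        global {
            address HQ-LAN 10.10.0.0/16;      /* assumed head-office subnet */
            address BRANCH-LAN 10.20.0.0/16;  /* assumed branch subnet */
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;              /* without this, IKE packets to the gateway are dropped */
                        }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/1.0;                   /* assumed LAN interface */
            }
        }
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        /* Firewall rules: only the agreed subnets and services cross the tunnel. */
        from-zone trust to-zone vpn {
            policy HQ-TO-BRANCH {
                match {
                    source-address HQ-LAN;
                    destination-address BRANCH-LAN;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy BRANCH-TO-HQ {
                match {
                    source-address BRANCH-LAN;
                    destination-address HQ-LAN;
                    application [ junos-https junos-smtp ];   /* branch may only reach HTTPS and mail */
                }
                then {
                    permit;
                }
            }
        }
    }
}
interfaces {
    st0 {
        unit 0 {
            family inet;                      /* unnumbered tunnel interface */
        }
    }
}
routing-options {
    static {
        route 10.20.0.0/16 next-hop st0.0;    /* send branch traffic into the tunnel */
    }
}
```

The branch gateway gets the mirror image of this: the head-office address as `gateway address`, the same two proposals and the same pre-shared key, and a static route for 10.10.0.0/16 via its own st0.0. Because the VPN is route-based, what enters the tunnel is decided by the routing table and what is allowed through it by the zone policies, which keeps the two questions from the setup routine above, "which networks" and "who may use which service", visibly separate. After committing, `show security ike security-associations` and `show security ipsec security-associations` confirm that both phases are up.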