With the onset of the COVID-19 pandemic, many organizations are asking some variation of the question "will my infrastructure support remote access for my employees?" The urgency is evident in the numbers: VPN usage in the U.S. grew by 53% between March 9th and 15th, and many organizations are struggling to come to terms with the reality of needing to support most, if not all, of their users remotely.
We asked the engineering team how they’re answering these client questions, and here’s what they shared.
Whether your current firewall or infrastructure can support client VPNs depends on several variables.
- Capabilities and Age of the Firewall
Newer firewalls and NGFWs tend to have more horsepower to support layered services, which means you may be able to keep running everything you run today and add the load of client VPNs on top. As we'll cover next, how the firewall is built, its use of ASICs for packet processing, and what else the box is already doing will determine whether (and how many) client VPNs can be supported.
- Services Currently Running on the Firewall
Some services are far more resource-intensive than others, and the load varies wildly. This is why it's hard for us to answer the question "will my current firewall support client VPNs?" Like any good technical question, the answer is "it depends".
For example, if your firewall is doing SSL inspection, deep packet inspection, sandbox submission, web filtering or other content inspection, and authentication integrations such as single sign-on and MFA, that takes far more resources than basic ALLOW and DENY rules or even NAT policies. Each of those services is processed per session or per packet, so their cost scales with the number of concurrent VPN users you add.
To add more variables to the mix, a firewall's ability to juggle all these services depends heavily on its use of purpose-built ASICs. This is one of the reasons we prefer solutions like Fortinet, whose purpose-built ASICs handle the main firewall services in hardware, so we can add layered services with little impact on throughput.
- Quantity and Type of Client VPN connections
Client VPN can be SSL-VPN, IPsec VPN, or a combination of both, depending on what level of access the user needs. SSL-VPN can be delivered in web (portal) mode through a standard browser, where the firewall proxies application traffic on the user's behalf, or in tunnel mode through a client agent that forwards packets; IPsec client VPNs always require an agent installed on the endpoint.
The load varies with the type of portal presented (web mode costs more per user than tunnel mode, because the firewall terminates and proxies each application session) and with the resources users access through it.
- Traffic Paths and Bandwidth of Internet
When deploying client VPNs, organizations will typically choose to architect it either as a split-tunnel, or full tunnel back to the organization’s infrastructure.
As you might guess, a split tunnel means only organization-destined traffic is sent over the VPN tunnel, while other traffic (such as Internet browsing) goes straight out through the user's local gateway. There are pros and cons to each, and the selection affects both your bandwidth requirements at the datacenter and your security posture, since split-tunneled traffic leaves the endpoint without passing through the corporate firewall's inspection and logging.
Most experts agree that VPN solutions add at least 10% to 20% overhead to bandwidth usage, compared to the same users accessing the same resources from inside the LAN. The overhead comes from the tunnel encapsulation (outer IP header, ESP or TLS headers, IV, padding and integrity tag) rather than the encryption itself, so it is a fixed number of bytes per packet: bulk transfers with full-size packets sit near the low end of that range, while small-packet traffic such as VoIP or interactive sessions can see considerably more.
If you don't allow split tunneling, you'll see a significant increase in both inbound and outbound utilization, because the remote users' Internet traffic is backhauled to the headend over the VPN and then routed back out to the Internet, crossing your WAN link twice. There have been reports of bandwidth increases of 25% to as much as 50% where most of the resources used by remote users are external to the corporate infrastructure and split tunneling is not used. While split tunneling can significantly reduce bandwidth, CPU, and memory utilization at the headend, it can present security concerns if the organization doesn't have other agents, visibility, or controls (such as endpoint web or DNS filtering) over the traffic the endpoint routes locally.
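To make the bandwidth discussion above concrete, here is an added worked example (not code from the original post) that computes the per-packet encapsulation overhead of an IPsec ESP tunnel and then estimates how much traffic a headend must carry for a given user population with split tunneling on or off. The header sizes are the standard IPv4 ESP tunnel-mode values with AES-GCM (RFC 4303 and RFC 4106); the traffic mix, user count, per-user rate, and the 30% "internal" share are constructed assumptions for illustration, and an SSL-VPN over TLS/TCP will have different, generally larger, per-packet overhead.

```python
"""Estimate IPsec tunnel overhead and client-VPN headend bandwidth.

Added example, not from the original post. Header sizes are the standard
IPv4 ESP tunnel-mode values with AES-GCM; the traffic mix and user figures
used in main() are constructed assumptions.
"""

# Bytes added per packet by ESP tunnel mode with AES-GCM (IPv4 outer header).
IPV4_HDR = 20      # outer IP header added by tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
GCM_IV = 8         # explicit AES-GCM IV carried in the packet
ESP_TRAILER = 2    # pad length (1) + next header (1)
GCM_ICV = 16       # integrity check value (authentication tag)


def esp_tunnel_overhead(inner_len: int) -> int:
    """Bytes added when an IPv4 packet of inner_len bytes is wrapped in
    ESP tunnel mode with AES-GCM. ESP pads so that payload + trailer is a
    multiple of 4 bytes (AES-GCM itself imposes no block alignment)."""
    pad = (-(inner_len + ESP_TRAILER)) % 4
    return IPV4_HDR + ESP_HDR + GCM_IV + pad + ESP_TRAILER + GCM_ICV


def overhead_ratio(packet_mix) -> float:
    """Fractional bandwidth overhead for a traffic mix given as a list of
    (inner_packet_len, fraction_of_packets). Because the overhead is a
    fixed byte count per packet, small packets inflate the ratio."""
    inner = sum(length * frac for length, frac in packet_mix)
    outer = sum((length + esp_tunnel_overhead(length)) * frac
                for length, frac in packet_mix)
    return outer / inner - 1


def headend_bandwidth_mbps(users: int, per_user_mbps: float,
                           internal_fraction: float, split_tunnel: bool,
                           overhead: float) -> float:
    """Total traffic (Mbps) crossing the headend's WAN link.

    internal_fraction is the share of each user's traffic destined for
    corporate resources. With a full tunnel, Internet-bound traffic enters
    encrypted over the VPN and then leaves in the clear, so it is counted
    twice (once with tunnel overhead, once without)."""
    internal = users * per_user_mbps * internal_fraction
    external = users * per_user_mbps * (1 - internal_fraction)
    if split_tunnel:
        return internal * (1 + overhead)
    return internal * (1 + overhead) + external * (1 + overhead) + external


def main():
    # Constructed traffic mix: half small (ACK/VoIP-sized) packets, half
    # near-MTU packets. Fractions are by packet count, not by bytes.
    mix = [(64, 0.5), (1400, 0.5)]
    ratio = overhead_ratio(mix)
    print(f"ESP overhead for mixed traffic: {ratio:.1%}")
    print(f"ESP overhead for bulk transfer: {overhead_ratio([(1400, 1.0)]):.1%}")
    print(f"ESP overhead for VoIP-sized packets: {overhead_ratio([(64, 1.0)]):.1%}")

    # Constructed sizing assumptions: 200 users at 2 Mbps, 30% of which
    # is destined for internal resources.
    for split in (True, False):
        mbps = headend_bandwidth_mbps(200, 2.0, 0.3, split, ratio)
        mode = "split tunnel" if split else "full tunnel"
        print(f"{mode}: {mbps:.0f} Mbps at the headend")


if __name__ == "__main__":
    main()
```

Running it shows why the "10% to 20%" rule of thumb is only a starting point: a full-size 1400-byte packet carries about 4% overhead, a 64-byte packet nearly 90%, and a 50/50 mix lands around 8% by bytes. It also shows the full-tunnel penalty the paragraph describes: in the constructed scenario the headend carries roughly five times the traffic of the split-tunnel case, because every Internet-bound byte crosses the WAN link twice.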
Conclusion
In conclusion, don't panic; instead, carefully consider the technical requirements as they relate to your organization and how you can or will support remote access to your network. Decide what type of VPN solution is best for your organization by determining which remote users need what kind of access to internal resources. Determine whether you have sufficient bandwidth to support the number of remote users you are expecting, and plan accordingly. Determine how many concurrent users your VPN headend is rated to support, and which other services already running on it consume resources. Finally, don't be afraid to ask for help from your friendly solutions experts at Carolina Advanced Digital.