
VPN Management Best Practices for All Situations

VPNs, or virtual private networks, are trending more than ever with the rise of remote work. But how can a managed service provider take full advantage of what VPNs offer? The needs may be many, but they all boil down to two very common factors - accessibility and security.

Here is a breakdown of both of these factors, as well as an overview of what VPNs are and how to best manage them.

Types of VPN Connections

To best support a client’s virtual private network connections, it is important to understand logical design and the difference between VPN clients and VPN gateways. Each client’s need will help determine which connection is best for the situation.

What is a VPN Gateway?

A virtual private network gateway, in most cases, is a gateway routing device that can be used to connect to other gateways in a one-to-one setup or to act as a host to multiple client connections. Most business-class firewalls have this option available for use.

No matter which connection method is chosen, each is held to a standard that should offer the user a secure connection to meet their needs. The decision on which connection method to use will come down to situational considerations, including location, facilities, and flexibility.

Gateway-to-Gateway

When a virtual private network is built to connect two physical networks, the “gateway-to-gateway” model is the natural fit. Here are a few examples of where these connections are found and used.

  • Connecting two or more office branches. These connections typically have a bidirectional, one-to-one connection design.
  • Connecting the main office to smaller branch offices. Often called a “hub-and-spoke”, the main office has connections to each branch office, while the branch offices do not connect.
  • Connecting a home office to the main office. This isn’t seen a lot, but it happens from time to time - especially now, while more people are working from home. It is set up much like a branch-office-to-branch-office connection: there is a one-to-one direct connection between the main office and the home office.

Client-to-Gateway

A client-to-gateway connection is typically established between client software on a PC and a main office gateway router. Here are a few places that these are found.

  • Connecting a home user to the main office. With the rise in remote work, this is the most popular client-to-gateway connection in the past year.
  • Connecting a mobile user to the main office. Client VPN users do not have to be working from home. Traveling employees that need a connection to the home office can do so using client VPN software.
  • Connecting to a remote office during an outage. This is a common situation in an emergency, when the usual connection to a site is unavailable.

VPN Management Best Practices

As with most technical configurations, every managed service provider should follow a set of best practices while managing virtual private networks. These best practices cover both client and gateway management. Here are a few ideas.

Client Software

Managed service providers have a choice of client software when establishing client-to-gateway VPN connections.

  • Native OS software. Apple, Windows, and Linux all offer native VPN client software. These can be used with some, but not all, gateways.
  • Gateway-provided software. Most gateways ship with their own client software for connecting via VPN. This is often the simplest option to set up.
  • Third-party software. A few third-party providers offer VPN client software. This is most likely the least beneficial route, since the software has not been verified by the client OS vendor or the gateway manufacturer.

Gateway Device Configuration

A gateway router acts exactly as described - it is a gateway into your network. Here are a few key ways to be sure that your gateway is configured with security in mind.

  • Use a strong pre-shared key. Be sure that your pre-shared key is long, random, and contains special characters. Never use something that an intruder would be able to guess at.
  • Force user authentication. Using a pre-shared key alone for authentication gives an intruder anonymity and provides only one level of protection. Require each user to have a unique username and password for authentication. Furthermore, passwords must meet complexity requirements and should be changed regularly.
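The two gateway checks above (a long, random pre-shared key that contains special characters and is never guessable; a unique account per user with a complex, regularly rotated password) can be turned into a small policy checker that an MSP runs before a configuration goes live. The following is an added example and not MSP360's own code or any gateway vendor's tooling; every threshold (32-character minimum PSK, 128-bit entropy estimate, 12-character passwords, 90-day rotation) and the short blocklist of guessable words are assumptions chosen for illustration.

```python
"""Added example (not MSP360's code): policy checks for VPN gateway credentials.

check_psk            - a pre-shared key must be long, random, contain symbols
                       and never contain something an intruder would guess.
check_user_password  - each user gets their own account; the password must meet
                       complexity rules and must not be older than the rotation
                       interval. All limits below are assumptions for illustration.
"""
import math
import secrets
import string
from collections import Counter
from datetime import date, timedelta

PSK_ALPHABET = string.ascii_letters + string.digits + string.punctuation
PSK_MIN_LENGTH = 32          # assumption
PSK_MIN_ENTROPY_BITS = 128   # assumption: Shannon estimate over the key string
PASSWORD_MIN_LENGTH = 12     # assumption
PASSWORD_MAX_AGE_DAYS = 90   # assumption: rotation interval

# Constructed, deliberately short list of values an intruder would try first.
# A real deployment would use a large blocklist of leaked and common strings.
GUESSABLE = {"password", "vpn", "admin", "12345678", "companyname", "welcome1"}


def generate_psk(length: int = 48) -> str:
    """Build a pre-shared key from a CSPRNG over letters, digits and symbols."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def shannon_entropy_bits(value: str) -> float:
    """Estimate the total entropy (bits) from the character distribution.

    This only catches repetition and tiny alphabets; it cannot recognise a
    dictionary word, which is why a blocklist check is applied as well."""
    if not value:
        return 0.0
    n = len(value)
    counts = Counter(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def character_classes(value: str) -> set:
    """Return the set of character classes present in value."""
    classes = set()
    for ch in value:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_psk(psk: str) -> list:
    """Return the list of policy violations; an empty list means the PSK passes."""
    problems = []
    if len(psk) < PSK_MIN_LENGTH:
        problems.append(f"too short ({len(psk)} < {PSK_MIN_LENGTH})")
    if "symbol" not in character_classes(psk):
        problems.append("no special characters")
    if shannon_entropy_bits(psk) < PSK_MIN_ENTROPY_BITS:
        problems.append("low entropy (repeated or too few distinct characters)")
    lowered = psk.lower()
    if any(word in lowered for word in GUESSABLE):
        problems.append("contains a guessable word")
    return problems


def check_user_password(username: str, password: str, last_changed: date,
                        today: date, existing_usernames: set) -> list:
    """Return policy violations for a new or reviewed VPN user account."""
    problems = []
    if username in existing_usernames:
        problems.append("username already in use; accounts must not be shared")
    if len(password) < PASSWORD_MIN_LENGTH:
        problems.append(f"password too short ({len(password)} < {PASSWORD_MIN_LENGTH})")
    if len(character_classes(password)) < 3:
        problems.append("password needs at least three character classes")
    if username.lower() in password.lower():
        problems.append("password contains the username")
    if password.lower() in GUESSABLE:
        problems.append("password is a commonly guessed value")
    if today - last_changed > timedelta(days=PASSWORD_MAX_AGE_DAYS):
        problems.append(f"password older than {PASSWORD_MAX_AGE_DAYS} days; rotate it")
    return problems


if __name__ == "__main__":
    print("generated PSK violations:", check_psk(generate_psk()))
    print("weak PSK violations:", check_psk("password123"))
    print("user check:", check_user_password(
        "alice", "alice2024!", date(2024, 1, 1), date(2024, 6, 1), {"bob"}))
```

The entropy estimate is deliberately a sanity check rather than proof of randomness: a key generated by `generate_psk` passes comfortably, a repeated character string fails, and a dictionary word is rejected by the blocklist regardless of its length.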

VPN Protocol Selection

Several different protocols can be chosen for VPN encapsulation. Each has its advantages and it is important to understand what each offers when choosing what’s best to use.


PPTP

  • Outdated. While this VPN option is still available on many gateway routers, it is outdated and no longer recommended.
  • Unencrypted. While a tunnel is established, the data transferred across it is unencrypted and easily intercepted.

IPSec

  • Still popular today. Even with its long history dating back to the early 1990s, IPSec is still the most popular and most used protocol today. This popularity leads to reliability and availability on gateway devices.
  • Two modes: tunnel and transport. These modes offer, respectively, encrypted and unencrypted communications. Managed service providers and users have a choice between speed and security.

SSL

  • Uses transport layer security. TLS is one of the most modern security protocols available and highly reliable.
  • Used by OpenVPN. OpenVPN is one of the most popular VPN solutions because of its open-source technology and free-to-low price point.

Conclusion

For managed service providers to get ahead in the “new normal” of work environments, they must be able to provide their clients with virtual private networks that will meet their needs and keep their data safe. Having a deep understanding of how virtual private networks work and the best management practices is just the first step.
