Improve the Basic VPN Infrastructure
The obvious way to handle greater VPN usage is to increase the capacity of the VPN infrastructure itself. There are several ways to do this (and some can be used simultaneously).
- Increase network bandwidth for the VPN servers. This usually means ensuring the path between the internet and each VPN server has enough bandwidth, but in some cases, there may also be a need to increase the bandwidth between the VPN servers and the agency resources being accessed from the VPN.
- Deploy additional VPN servers. This not only adds sheer capacity, but it can also improve VPN availability, especially if the servers are deployed to multiple locations. By implementing load balancing, an agency will have a more flexible and resilient VPN infrastructure, one that can transparently send users to the server best able at the time to meet their needs.
- Be proactive with VPN server management and security. Make sure to maintain the servers well — for example, keep them fully patched. This reduces the risk of compromise and removes flaws in the VPN software that could impair VPN server performance.
Another proactive step is to use distributed denial of service protection measures so that VPN servers and the networks they use can’t be overwhelmed by attackers.
Separate Traffic Flows to Ease VPN Flow
Some network distancing can also ease the flow of traffic. For decades, VPN best practice has been to avoid split tunneling — dividing a user’s network traffic so the portion relying on the agency’s resources goes through the user’s VPN connection, while the rest of the user’s traffic bypasses the VPN.
Split tunneling was considered too risky because an attacker could abuse it to pass traffic across networks through the less secure device. But most network traffic today is now encrypted, and many devices often use two networks at once (for example, Wi-Fi and a cellular network). So, this risk has been reevaluated, and more organizations are enabling split tunneling.
— FedTech Magazine (@FedTechMagazine) May 19, 2020
This can significantly improve performance for users and also greatly decrease the volume of network traffic passing through the VPN. For example, users’ laptops can download large operating system updates directly from vendors instead of passing all those updates through the agency’s VPN infrastructure.
Change Work Patterns to Balance Out VPN Load
Sometimes, relatively simple changes to how people work and the processes they follow can make a big difference in a VPN’s performance. A basic example is staggering work hours so that not everyone in the agency is trying to access the VPN at the same time each morning.
Another example: Have people working from home do certain tasks locally rather than doing them over the agency’s internal networks, as they would if they were in the office. Instead of remotely editing a large document over the VPN, a user could download it, edit it locally then upload it once it’s complete. That should take far fewer VPN resources than using the VPN all day while editing the file.
Of course, VPN architects and administrators don’t usually have the authority to implement changes in how an agency’s employees do their work. But what they are uniquely qualified to do is monitor the VPN’s usage and look for patterns that indicate bottlenecks, excessive resource consumption and other potential problems.
By analyzing those patterns, VPN experts can provide insights to management about what the problems are and how they might be resolved, such as reconfiguring a video-based service to temporarily provide lower-quality video, thus reducing how much network traffic the service uses.