By Andrew Burton, Site Editor
A virtual private network (VPN) allows users to log into a company's network from a remote location using a home PC, laptop, or, in some cases, a smartphone, and use company resources as if they were in the office. While VPNs were designed with the remote workforce in mind, a virtual private network can also allow users to continue working uninterrupted from a remote location after a disaster. Virtual private networking services can work well for many companies, but there are a number of things to consider before relying on a virtual private network in the aftermath of a disaster.
Virtual private network services as part of a disaster recovery plan: table of contents
- Pros and cons of virtual private networks for disaster recovery
- Common types of virtual private networks today
- IPsec virtual private networks vs. SSL virtual private networks
- Choosing a virtual private network product for disaster recovery
The benefits of including a virtual private network in your disaster recovery plan are fairly straightforward. A VPN should allow users to log in and work remotely as if they were sitting at their desk in the office. "There have been many companies that have used VPNs to allow employees to continue to respond to clients, interact with co-workers and make progress on their deliverables during a disaster," said Lisa Phifer, president, Core Competence Inc. "For example, during last summer's gas shortage in Georgia, many companies used VPNs to continue to be productive from home."
However, it is important to consider some of the issues that can arise when you are using a VPN in the wake of a disaster. "The fundamental consideration is that remote access VPNs are not typically rolled out to everyone in a company," said Phifer. "Typically, only the road warriors or employees that are expected to work at home at night or on weekends will have VPN access. So, not everyone will have the software necessary to log in or the password and credentials necessary for access."
However, if most or all of the employees in a company have access, another issue can arise. "If everyone logs into the VPN, as opposed to say one-fifth of the workforce, that is a huge demand on the VPN gateway," said Phifer. "The gateway may not be able to handle that many concurrent users working eight hours a day as opposed to a few logging in and working for a half hour at a time."
There are a variety of virtual private network options at different price points depending on your company's needs. According to Phifer, two types of offerings today make up the majority of the market: Secure Sockets Layer (SSL) VPNs and cloud-based VPNs.
An SSL VPN can be used with a standard Web browser. Unlike the traditional Internet Protocol Security (IPsec) VPN, an SSL VPN does not require specialized client software on the end user's computer. In a disaster scenario this is a real benefit, as it allows users to log in as long as they have the URL and a password without the need to install software beforehand. However, as mentioned above, depending on the size of your organization, VPN traffic can still be an issue.
Also, if the primary VPN gateway is damaged in a disaster, you would need to have some sort of failover plan in place. "Larger enterprises typically have multiple SSL VPN gateways, deployed at key locations -- for example, one in SF, another in NYC, a third in London," said Phifer. "If one site goes down the others can take over. Sometimes this is done seamlessly by configuring VPN clients with multiple gateway hostnames that they try in priority order, or with one hostname that resolves to several gateway IP addresses. Sometimes it requires failover action by the user -- for example, if I can't get into my usual gateway I know I should try SF instead."
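The two failover approaches Phifer describes (a priority list of gateway hostnames, and one hostname that resolves to several addresses) can be combined in a single client-side reachability check. This is an added example, not code from the article or from any vendor's client; the gateway names, the documentation-range addresses and the TCP/443 probe are assumptions.

```python
import socket

def resolve_all(host, port=443):
    """Return every distinct address the hostname resolves to, in resolver order."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []                      # a DNS failure counts as "gateway unavailable"
    return list(dict.fromkeys(info[4][0] for info in infos))

def tcp_probe(addr, port=443, timeout=3.0):
    """True if a TCP connection to the gateway's HTTPS port succeeds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def select_gateway(hostnames, resolve=resolve_all, probe=tcp_probe):
    """Try hostnames in priority order and, per hostname, each resolved address.

    Returns (hostname, address, attempts); the first two are None if nothing answered.
    """
    attempts = []                      # failed tries, useful for help-desk triage
    for host in hostnames:
        addrs = resolve(host)
        if not addrs:
            attempts.append((host, None, "no DNS answer"))
            continue
        for addr in addrs:
            if probe(addr):
                return host, addr, attempts
            attempts.append((host, addr, "connect failed"))
    return None, None, attempts

# Constructed sample data: hypothetical gateways with documentation-only names
# (.example) and addresses (RFC 5737). Nothing here comes from the article.
SAMPLE_DNS = {
    "vpn-nyc.corp.example": ["192.0.2.10"],                     # site lost
    "vpn-sf.corp.example": ["198.51.100.20", "198.51.100.21"],  # one node down
    "vpn-lon.corp.example": ["203.0.113.30"],
}
SAMPLE_UP = {"198.51.100.21", "203.0.113.30"}

def demo():
    """Run the selection offline against the constructed DNS and reachability maps."""
    return select_gateway(list(SAMPLE_DNS), SAMPLE_DNS.get, SAMPLE_UP.__contains__)
```

Running the same check on a schedule before a disaster, with the real resolver and probe, shows whether the secondary gateways are actually reachable from employees' home networks.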
However, there is a way to skirt both of these issues. "Some VPNs are offered in the cloud deployment model," she said. "These managed services have much more bandwidth and infrastructure, so they can handle the additional burst of network traffic from additional users. In a pinch, you can easily add new accounts and give users log in information." Cloud VPN services are typically priced by user per month. Following a disaster, you can increase the number of users on the account to accommodate the additional employees that need to work offsite. Below are some of the more popular VPN vendors today:
- Cisco Systems Inc.
- F5 Networks
- Juniper Networks
- LogMeIn Inc.
VPNs have been widely deployed for the past 10 years. Traditionally, these VPNs used a set of protocols called IPsec. IPsec is a framework for a set of protocols for security at the network or packet processing layer of network communication. However, SSL VPNs emerged around 2004 and began to grow in popularity. As of 2010, SSL VPNs have become the standard. "I was at a Gartner conference earlier this week, and heard a Gartner analyst say that SSL VPNs are the only VPNs they track," said Phifer. "Although they still exist, IPsec VPNs are no longer growing in market share."
There are a number of things you should consider when choosing a VPN for disaster recovery. According to Phifer, it is important to choose a product that does not require client software or endpoint security software to be installed on the user's computer ahead of time. "You should be looking for a product that insulates the VPN from whatever bad stuff is on the client system," she said. "You want the flexibility to be able to use someone's home computer as part of your VPN solution."
Also, it is important to evaluate what the VPN will allow users to access. "Are the applications you can access over the VPN the applications you need to keep your business running?" Phifer said. "That is one of the most important questions."
Lastly, consider whether there are any remote platform limitations. "Basically everyone can accommodate running on Windows," said Phifer. "But what if part of your workforce uses Macs or mobile devices? Can your solution accommodate those platforms?"
Of course, above all, using a VPN as part of your disaster recovery plan works only if users have access to the Internet. Depending on the type of disaster, Internet access may be compromised. Phifer said that companies should look into non-terrestrial network options such as 3G cellular for critical employees.