COVID-19 (coronavirus) is forcing more employees to work remotely. While many companies have remote access capabilities, they were never designed to support the entire workforce all at the same time. For other companies, providing remote access capabilities is a new concept, and they don’t have the luxury of time to architect, acquire, and deploy remote access technologies. RSM has been assisting clients who are facing these issues on a daily basis, and we would like to share some ideas with companies still struggling with remote access capabilities.
While we take this time to focus on connectivity, now is not the time to exclude proper security controls from your remote access deployments. Cybercriminals are using the pandemic as an opportunity to exploit organizations. As employees are moved outside the boundaries of the traditional office network security controls, the cybercriminal’s mission is easier. Here are a few ideas to keep your mobile workforce safe.
Enabling VPN Access
Just because an organization is not using VPN (virtual private network) technologies today, that doesn’t mean the capability doesn’t exist within their current platforms. Most firewall devices include this feature in some capacity, and configuring this feature can take less than a couple of hours. Once VPN is configured on your firewall, employees can connect using their web browser or a VPN software client that can be loaded onto their workstation.
While providing the remote connection can be relatively simple, understanding which systems and applications will be accessed across the VPN is another matter. Before turning on VPN capabilities, an organization should determine which assets they will allow to connect to their network, which applications they will use, and what risks are associated with these new exposures.
Increasing VPN Capacity
Organizations are running into performance problems with current VPN deployments that were never intended to handle everyone working remotely at once. These are the most common bottlenecks organizations have been experiencing with current VPN deployments:
- User licenses: Organizations are exceeding their license counts on certain devices, which prevents users from getting connected.
- Bandwidth: As more users connect to the VPN, bandwidth constraints make it slow for everyone connected and often result in application timeouts or errors.
- Platform capacity: The sheer volume of VPN traffic is exceeding the physical capabilities of the VPN hardware.
Here are some ways you can address these common capacity constraints:
- Request a license upgrade through your partner or purchasing channel. Some manufacturers are offering free licenses during the pandemic. We have seen very quick turnaround times, since these licenses are electronic and can be downloaded upon request or are sent via e-mail once purchased.
- Upgrade your bandwidth by contacting your local carrier, who can provide many services remotely. Be sure to pay attention to your upload speeds, as you may have an asymmetrical service where your upload speeds are a fraction of your download speeds. Your site’s upload speed now caps the total of what your remote workforce can download from it. We have seen many carriers offering free upgrades in response to the pandemic, but don’t assume they are turning them on automatically – call them to confirm your options.
- If a bandwidth upgrade isn’t a good option, take an inventory of all available Internet services you may have deployed as backups to a primary connection. Many organizations have backup Internet lines and firewall equipment at remote branches that could have VPN features enabled on short notice. As branches close, that bandwidth could be sitting nearly idle and could provide another point of connection to your network.
- When bandwidth and firewall resources are simply not available, you may consider deploying a cloud-based firewall within AWS or Azure. Most firewall devices are available in a virtual instance from either of these cloud providers and can be deployed relatively quickly. Once deployed, build a site-to-site VPN between your physical device and the virtual device within the cloud. Utilize the cloud provider’s bandwidth to offload your users’ Internet traffic, thereby freeing up your local resources to handle traffic destined for that site over the site-to-site VPN.
The pandemic has uncovered some major dependencies on remote access to local facilities that even the best cloud computing strategies failed to accommodate. Remote access VPNs work great on workstations, laptops, and mobile devices, but lack the ability to easily connect phones, printers, scanners, and other peripheral devices organizations rely on for payroll or document imaging. At a time when buildings are closing and people are being told to shelter in place, some employees are still required to go to the office to run their payroll checks. Sending these peripherals home with employees isn’t an easy option for many organizations, as they aren’t natively compatible with remote access VPNs.
Organizations facing this challenge or other challenges that require native enterprise access at an employee’s home may have some options that, while certainly not traditional, could be used in a pinch, including:
- Site-to-site VPN: Purchasing a small router or firewall for an employee’s residence can allow peripheral devices to be connected to the corporate network from the residence. Some devices will even provide Power over Ethernet (PoE) to power the device, such as a phone. These devices can range in price, but availability will be diminished given the demand for these product types. If you can get your hands on these devices, they are probably your best option. If not, see our next point.
- Wireless access points: If you have access points that integrate with an on-premises wireless controller, they could be used to provide wireless access at a remote site, with the traffic carried back over a CAPWAP tunnel. Peripherals that are configured to connect to the wireless network would have access to the corporate network wherever that access point is deployed. One key component necessary for this unconventional connection is a PoE injector or power brick, as chances are your access points are powered by a PoE switch. As of this writing, PoE injectors are still in stock across several resellers.
Ultimately, there are many ways to keep your employees connected during these unprecedented times. Work with your IT personnel and departments to define what people need to access. You won’t know everything and additional requirements will surface as more people work remotely over longer periods of time. Understand the risks associated with remote access and identify ways to reduce those risks. Explore non-traditional ways to utilize your existing resources, as you may not have the resources available to complete major overhauls to your remote access capabilities.