The secrets of VPNs for business


It's okay if you're not certain if you need a virtual private network (VPN), or how you'd go about setting one up. Those three little letters represent a minefield around compatibility, terminology, even legality: ask the younger generation what VPNs are for and they'll think of untraceable, anonymous access to the shadier corners of the internet. Or, they might picture ransom-demanding pirates and hackers taking control of their victims' machines.

Those bad actors and cyber criminals may well be using a VPN, since technically the term covers any encrypted, encapsulated link between two internet addresses. That says nothing about what it's used for, what it can or can't do, who owns it or whether it's even working. What attracts the bad guys to the technology is that nobody in between can read the data carried inside the encrypted packets. Note, though, that the outer source and destination addresses are not encrypted, so it will always be apparent that a link is active, even if its contents are opaque. This is why business VPN products generally compete on security features: the value of the proposition lies in how hard the tunnel is to break into.

Unfortunately, as a result, the marketing spiel can lean towards impressive-sounding gobbledegook, intended to bamboozle senior management types simply looking for "the most secure VPN we can buy."

To make the right choice, you need to start by understanding what's possible and what's not possible. Then you can choose a way to do it and stay on top of the accompanying security obligations.

The benefits of a VPN

The most important benefit of a VPN is that it cuts your internal security problem down to size. Not so long ago, embarrassingly, it was normal for a Windows network to be built over globally routable public IP addresses, and many early design documents and even production deployments used this configuration. It quickly became clear how inadvisable this was: even now, the interval between exposing an unpatched machine to the internet and its being compromised is typically measured in minutes.

A VPN can help here in two ways. First, you can shut off unsolicited connections entirely with a blanket rule at the border that accepts only VPN traffic from the internet, so every other service is reachable only from inside the tunnel. Second, you can take the most common exploits off the table by terminating the VPN on a border device that doesn't run Windows, so an attacker's first point of contact is a purpose-built gateway rather than a general-purpose server. Adopting these two measures is far less onerous than staying on top of patches and threats across your entire Windows estate, although the gateway itself still needs patching.
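The "accept only VPN traffic" rule in practice, as an added example rather than anything from the original article: an nftables ruleset for a Linux border gateway, wrapped in a small bash script so the rules can be reviewed before they are loaded. The interface name (eth0) and the choice of VPN flavour (IKEv2/IPsec on UDP 500 and 4500 plus ESP, or WireGuard on its default UDP 51820) are my assumptions; the article names neither.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article.
# Border firewall that lets the internet open nothing but the VPN.
# Assumptions (mine, not the article's): WAN interface is eth0; the VPN is
# either IKEv2/IPsec (UDP 500, UDP 4500, ESP) or WireGuard (UDP 51820).
set -u

WAN_IF="${WAN_IF:-eth0}"

# Render the ruleset for one VPN flavour so it can be reviewed before use.
# Usage: render_vpn_only_ruleset ipsec|wireguard
render_vpn_only_ruleset() {
  local flavour="$1" vpn_rules
  case "$flavour" in
    ipsec)
      # IKE (500), IKE over NAT-T (4500), and the ESP payload itself
      vpn_rules="$(printf '%s\n%s' \
        '    udp dport { 500, 4500 } accept' \
        '    meta l4proto esp accept')"
      ;;
    wireguard)
      vpn_rules='    udp dport 51820 accept'
      ;;
    *)
      echo "unknown VPN flavour: $flavour (use ipsec or wireguard)" >&2
      return 1
      ;;
  esac
  cat <<EOF
# Declare then flush, so re-running the script replaces rather than duplicates
table inet border {}
flush table inet border
table inet border {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    # Replies to connections we opened ourselves are fine
    ct state established,related accept
    ct state invalid drop
    # ICMP keeps path-MTU discovery working, which tunnels depend on
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    # Anything not arriving on the WAN (LAN side, or the tunnel interface) is trusted here
    iifname != "$WAN_IF" accept
    # From the internet, the only thing allowed to open a connection is the VPN
    jump vpn_in
    # Everything else (RDP, SMB, management, ...) falls through to policy drop
  }
  chain vpn_in {
$vpn_rules
  }
}
EOF
}

# Load the ruleset; nft -f applies the whole file atomically.
apply_vpn_only_ruleset() {
  render_vpn_only_ruleset "$1" | nft -f -
}

# ./vpn-only-border.sh show ipsec   -> print the rules for review
# ./vpn-only-border.sh apply ipsec  -> load them (needs root)
case "${1:-}" in
  show)  render_vpn_only_ruleset "${2:-ipsec}" ;;
  apply) apply_vpn_only_ruleset "${2:-ipsec}" ;;
esac
```

Everything else arriving from the WAN side hits the chain's drop policy, including the gateway's own management interface, so you administer it from the LAN or from inside the tunnel. The LAN side is trusted wholesale here, which a real deployment might tighten. The L2TP/IPsec setup the article describes for small businesses needs the same `ipsec` rules, since the L2TP traffic (UDP 1701) rides inside the IPsec tunnel rather than appearing on the wire.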

This isn't to say that Windows makes a bad entry point for a VPN, or even a bad firewall. But it tends to work best as part of a multi-device design, with routers, firewalls and SSL concentrators all playing their part in directing, filtering and brokering the traffic before it gets to the server. And there's certainly no need to use it for regular VPN duties: one thing that has moved forward in this field over the last half-decade is the burgeoning variety of places you can terminate a VPN. Rather than get bogged down in the technology, let's look at this from a business perspective.

Small businesses

The most common way to deploy a VPN in a small business is via a slightly smart router, with some small-scale features to support roaming Windows and Apple software clients. This kind of system will do the basic job, but it's likely to be using L2TP over IPsec (L2TP for the tunnel, IPsec for the encryption), which often has a painful effect on internet performance as the router's modest processor struggles with the encryption on top of its routing and NAT duties.

It's also not guaranteed to keep up with changes in the environment. Many organisations relying on setups like this have hit unexpected problems recently, thanks to changes in the VPN client in Windows 10. On paper, these promise better security and more versatility, but old routers have been left behind, and the recommended solution has often been simply to go out and buy a new one. To be fair, it's difficult to blame manufacturers alone, because communication on Microsoft's part has been woeful too. If you can't make your VPN work on Windows 10, not only are you unlikely to get a clear explanation as to why, you'll also look in vain for reassurance that whatever workaround you come up with won't be borked by the next update.

Even if your router-based VPN is nominally working, many businesses experience intermittent service (and high levels of user irritation) because the kit has to work hard and doesn't cope well with problems. It's difficult to run tests on a router that can't reliably tell you when it needs a hard reboot, especially when your whole organisation is relying on it for connectivity.

One solution is to move your VPN services into the cloud, rather than keeping them inside a box with some LEDs on it. However, if you're only dealing with a dozen clients, this may be overkill. Businesses tend to assume it's the necessary next step when their low-cost router starts to struggle, when in fact stepping up to a slightly more capable local appliance could solve their problems more cost-effectively.