Monitoring and managing a secure and reliable VPN

If you are an IT professional and manage your company’s network, you have certainly been in this situation. You are sound asleep and there is a sudden problem with your servers. Either you are woken up by a phone call or a message, or you’ll learn about it when you get to the office. It’s a mess, and you have to patch it. Stress does not come close to describing everything that comes with it – your boss over your shoulder, your colleagues pressed with deadlines, your company’s and your team’s reputation, the money spent and the amount not collected, and the list goes on. After the fact, you’ll sit down and mull over what could have been done to prevent it. Well, if you haven’t been in such a sandstorm, maybe there’s a way to escape from it.

Apart from all the security apparatus you need to put in place to protect your servers against external attacks, one of the most important assets you and your colleagues need to shield is your virtual private network, or VPN. As the entry gate and tunnel to your internal knowledge system, VPNs should provide a safe, fast and reliable way for employees to use the company’s resources remotely. And if there’s a breach in any of these connections, well, the damage could be catastrophic.

And with the Covid-19 pandemic, there has been a surge in remote access needs, as more people are staying at home while still needing to work within a “virtual office”. This puts even more pressure on bandwidth, latency, speed, robustness, and network reliability than ever before, and IT managers are having to strengthen their network’s security while opening up more doors to the outside world. And with that comes the need to carefully monitor and analyze network traffic.

When choosing the tools to keep your network up and running securely, you need to take into account rules for network traffic, applications, bandwidth, protocols and IP groups. You also need to identify traffic patterns, overhead, throughput, and latency to identify heavy users, create alternative routes, and prevent any loss of performance. You need a real-time dashboard with visual representations of performance data, and alarm triggers for when things go sideways. And that has to be done across a wide range of devices, such as routers, firewalls, switches, VPN servers, storage, etc.

With the proper tools in place for network traffic analysis and management, organizations can proactively respond to issues that can cause network slowdowns and outages. By monitoring all the components, it is also possible to reduce latency, packet loss and congestion, optimize bandwidth usage, and identify possible threats. These tools also help identify who is using the network, when, and how, and by comparing this with predefined rules they can trigger re-routing, reallocation and even automatically block a user’s activity. Effective analysis and management keep mission-critical applications running optimally by prioritizing their activities over all the other mundane requests.

When choosing VPN network monitoring equipment and software, you must make sure that the toolset is able not only to monitor a variety of performance metrics, such as bandwidth and packet routing, but also to display real-time visual dashboards with different alert configurations, and to provide tools to map and optimize network traffic. And don’t forget to check the availability of web-based, desktop-based, or app-based access to your control system, so you can monitor and configure it remotely if needed.

When looking at the standard alarms a VPN monitoring system can raise, using Internet Control Message Protocol (ICMP) echo requests and Simple Network Management Protocol (SNMP) polling or traps, you should be taking into account authentication failures, encryption/decryption errors, self-test failures, intrusion and prevention flow policy attacks, and replay attacks. Integrating network management with cybersecurity tools can also help prevent potential cyber attacks such as ransomware, viruses, phishing and distributed denial-of-service (DDoS) attacks. More important, though, is that you can create scenarios and automate responses, and receive alerts by e-mail, SMS, or any other means you believe will more abruptly wake you up in the middle of the night.
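As an added example (not code from the original article or from any particular monitoring product), the following Python script shows how the alarm categories listed above can be recognised in a feed of VPN gateway messages and turned into alerts. The log lines, hostnames, peer addresses and message wording are all constructed for this example; a real deployment would read SNMP traps or syslog from the gateway instead. One-off events (crypto errors, self-test failures, replay detections) alert immediately, while authentication failures alert only when a single peer crosses a threshold inside a sliding time window, so a user mistyping a password once does not page anyone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message patterns per alarm category. The wording is constructed for this
# example and is not tied to any vendor's log format.
ALARM_PATTERNS = {
    "auth_failure": re.compile(r"authentication failed", re.I),
    "crypto_error": re.compile(r"(decrypt|encrypt)\w* (error|failed)", re.I),
    "self_test_failure": re.compile(r"self-test failed", re.I),
    "replay": re.compile(r"replay (detected|attack)", re.I),
}

# "<ISO timestamp> <gateway hostname> <free-text message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample feed using documentation IP ranges (RFC 5737).
SAMPLE_LOG = """\
2024-03-01T02:10:01 vpn-gw1 IKE authentication failed peer=203.0.113.7 user=jdoe
2024-03-01T02:10:05 vpn-gw1 IKE authentication failed peer=203.0.113.7 user=jdoe
2024-03-01T02:10:09 vpn-gw1 IKE authentication failed peer=203.0.113.7 user=jdoe
2024-03-01T02:11:00 vpn-gw1 IPsec SA established peer=198.51.100.4 user=asmith
2024-03-01T02:12:30 vpn-gw1 ESP replay detected peer=198.51.100.4 seq=1042
2024-03-01T02:13:00 vpn-gw2 crypto self-test failed module=aes-gcm
2024-03-01T02:13:10 vpn-gw2 ESP decryption failed peer=192.0.2.9 spi=0x1a2b
2024-03-01T02:14:00 vpn-gw1 IKE authentication failed peer=192.0.2.9 user=bob
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    category = next((c for c, p in ALARM_PATTERNS.items() if p.search(msg)), None)
    peer = re.search(r"peer=(\S+)", msg)
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "host": m.group("host"),
        "category": category,
        "peer": peer.group(1) if peer else None,
        "msg": msg,
    }


def evaluate(lines, auth_threshold=3, window=timedelta(minutes=5)):
    """Return the alerts a monitor would raise for the given log lines.

    Crypto errors, self-test failures and replay detections alert on first
    sight. Authentication failures alert once a peer reaches auth_threshold
    failures within the sliding window (alert fires when the count is hit).
    """
    alerts = []
    auth_times = defaultdict(list)  # peer -> timestamps of recent failures
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["category"] is None:
            continue  # unparseable or informational line, nothing to do
        if ev["category"] == "auth_failure":
            times = auth_times[ev["peer"]]
            times.append(ev["ts"])
            # Keep only failures inside the window ending at this event.
            times[:] = [t for t in times if ev["ts"] - t <= window]
            if len(times) != auth_threshold:
                continue
        alerts.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "category": ev["category"],
            "peer": ev["peer"],
            "detail": ev["msg"],
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(f"{alert['ts']:%H:%M:%S} {alert['host']} {alert['category']:<18} "
              f"peer={alert['peer']} :: {alert['detail']}")
```

Running the script on the constructed feed produces four alerts: the third failed login from 203.0.113.7, the replay detection, the self-test failure on vpn-gw2 and the decryption error, while the single failure from 192.0.2.9 stays below the threshold. The threshold and window are the knobs you would tune per site; the dispatch step (e-mail, SMS, ticket) is deliberately left as a print so the detection logic stays testable on its own.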

So you know what needs to be done, but what is the range over which you can throw a cast net? From your company’s employees’ computers, to their home networks, the ISP networks they use, to your own ISP, firewalls, networking equipment and servers, there are many endpoints that have to be monitored and managed. You can use an agentless platform, such as a computer installed within the premises of your organization that polls devices over the network, or an agent-based system, in which a small program resides on every device connected to your network and reports back to a central system with a flow of incoming data. An agentless system is easier to manage, but needs a solid, dedicated machine with enough robustness to be reliable. An agent-based system can provide more in-depth information, as it is directly connected to every device, but can be difficult to manage in an environment with a large number of devices and different operating systems.

Another category of tools include specialist software, such as scanners, security monitors, and wireless network analyzers. But these don’t provide the full breadth of features needed to shield your VPN environment. They can, however, provide specific measures depending on your own needs. If you are building your network from scratch, for instance, you can use some specific design software to simulate wireless signal strength across your floor plan, taking into account wall density, doors and windows, to help you optimize your equipment distribution and minimize costs.

If your company has many branches connected to each other, and their networks need to be intertwined, you are surely using a site-to-site VPN, apart from the end-to-site VPN your employees use to dive into their daily work. So if one of these branch links becomes unavailable, you need to automatically redirect traffic somewhere else; after all, you don’t want your team in China calling you in the middle of the night when their shift starts and they have no access to their CRM.
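The automatic redirection described above is, at its core, a health-check loop with hysteresis: a tunnel is declared down only after several consecutive failed probes, and declared up again only after several consecutive good ones, so a single lost ICMP echo does not flap traffic back and forth between links. The Python below is an added illustration of that decision logic and is not code from the original article; the tunnel names, priorities and probe results are constructed, and a real system would feed it live ICMP echo or SNMP results and push the chosen route into the firewall or router rather than returning a name.

```python
from dataclasses import dataclass


@dataclass
class Tunnel:
    """Health state of one site-to-site tunnel, driven by probe results."""
    name: str
    priority: int          # lower number is preferred when several are up
    down_after: int = 3    # consecutive failed probes before marking down
    up_after: int = 2      # consecutive good probes before marking up again
    up: bool = True
    fail_streak: int = 0
    ok_streak: int = 0

    def record(self, probe_ok: bool) -> bool:
        """Feed one probe result (e.g. an ICMP echo reply arrived or not).

        Returns True when the up/down state changed on this probe.
        """
        before = self.up
        if probe_ok:
            self.ok_streak += 1
            self.fail_streak = 0
            if not self.up and self.ok_streak >= self.up_after:
                self.up = True
        else:
            self.fail_streak += 1
            self.ok_streak = 0
            if self.up and self.fail_streak >= self.down_after:
                self.up = False
        return before != self.up


def select_route(tunnels):
    """Name of the preferred live tunnel, or None when every link is down."""
    live = [t for t in tunnels if t.up]
    if not live:
        return None
    return min(live, key=lambda t: t.priority).name


def simulate(tunnels, probe_rounds):
    """Apply rounds of probe results; return (round index, route) whenever
    the selected route changes. Each round maps tunnel name -> probe ok."""
    history = []
    current = "unset"
    for i, results in enumerate(probe_rounds):
        for t in tunnels:
            t.record(results[t.name])
        chosen = select_route(tunnels)
        if chosen != current:
            history.append((i, chosen))
            current = chosen
    return history


def run_demo():
    """Constructed scenario: a preferred MPLS tunnel and an internet backup
    to a hypothetical Shanghai branch. Names and outcomes are made up."""
    tunnels = [
        Tunnel(name="mpls-shanghai", priority=1),
        Tunnel(name="inet-shanghai", priority=2),
    ]
    both_ok = {"mpls-shanghai": True, "inet-shanghai": True}
    mpls_down = {"mpls-shanghai": False, "inet-shanghai": True}
    both_down = {"mpls-shanghai": False, "inet-shanghai": False}
    rounds = (
        [both_ok]            # round 0: primary chosen
        + [mpls_down] * 3    # rounds 1-3: primary declared down on the 3rd miss
        + [both_ok] * 2      # rounds 4-5: primary back after 2 good probes
        + [both_down] * 3    # rounds 6-8: everything down, nothing to route to
    )
    return simulate(tunnels, rounds)


if __name__ == "__main__":
    for round_no, route in run_demo():
        print(f"probe round {round_no}: route -> {route}")
```

The demo yields a route change at round 0 (primary), round 3 (fail over to the backup), round 5 (fail back) and round 8 (no route at all, which is exactly the condition that should page someone). Tune `down_after` and `up_after` to your probe interval: too small and a lossy link flaps, too large and the Shanghai team waits longer than necessary for the failover.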

Then there’s the question of pricing. Will you pay a standard one-time fee that covers up to X devices or users, or commit to a pay-as-you-go model? Would you prefer to pay per device or user, or just buy a broader year-long license? No matter where you look, there are several different options and models to choose from, and of course you will need to build your own business case to convince your boss to free up the money, always for a good cause.

So start planning your network monitoring infrastructure, build your worst case scenarios, automate your solutions, create your dashboards and set your alarms. Now put your feet up and rest assured no one will disturb your midnight sleep ever again.