If you’ve been living under a rock recently, there have been more cases of COVID-19 becoming prevalent all around the world. With this comes a ton of questions regarding working from home, and general remote access. Is your infrastructure ready in the event that your organization requires the entire company to work from home? This blog post will describe some of the questions that you may want to ask to assess your self-readiness in the case of a long-term working from home scenario.

Monitoring

Having monitoring in place is a common practice, but do you know what’s currently being monitored on your network, your firewall, or your VPN devices? Below is a list of metrics that would be worth making sure you’re monitoring on the infrastructure:

  • All Devices
    • CPU
    • Memory
    • Interface stats:
      • Utilization
      • Tx/Rx Errors
      • Tx/Rx discards
    • Availability
  • Load Balancers
    • VIP Status
    • Connections per second
  • Firewalls
    • Connections per second (if using a load balancer or firewall)
    • Total number of sessions
  • VPN Appliances
    • Concurrent Users (if your licensing requires it)
    • Total Users
  • Determine the current amount of traffic for each network segment:
    • Office -> Internet
    • Office -> Corporate Resources

Questions to ask – Network/Infrastructure

  • Do you have enough IPs to allocated for client VPN addresses?
  • Is the current solution’s total throughput enough to handle more than x amount of concurrent users? (replace x with the total number of users in your organization)
  • Can you perform non-intrusive testing to ensure the VPN’s capacity is working as advertised?
  • Which services are responsible for your company’s primary applications?
  • Which network devices are responsible for your company’s primary applications?
  • How much throughput is possible for each network device across each segment of the network? An example mapping is below:
    • Internet -> LB
    • LB -> VPN
    • VPN -> Switch
    • Switch -> Firewall
    • Firewall -> Switch
    • Switch -> Application
  • Do I need to support multiple offices?
  • How many users are located in each office, in the event that one office is closed?

Split-Tunnel vs. Full-Tunnel

Now I know that Split-Tunneling versus Full-Tunneling is less secure for non-corporate traffic, Split-Tunneling may give your current VPN solution a little more life for a long-term WFH deployment. Before turning on Split-Tunneling ask yourself the following questions:

  • Are any services are limited or blocked by Geography or IP Restrictions? If so, what are they?
  • Are any of these restricted services able to be identified through a subnet or set of IP ranges? If so, can those subnet/IP Ranges be added to the list of routes that are forced over the VPN tunnel when on split-tunnel VPN?
  • If the service is dynamic, can your VPN service split-tunnel by domain name instead?
  • Can the IP Restrictions be disabled temporarily?

Questions to ask – Purchasing

  • Do I need to purchase more licenses?
  • If needed, what is the turnaround time for getting quotes, going through the purchasing process, and delivery of hardware/software?
  • Can I RMA my hardware in the event of a hardware failure?
  • Is the VPN hardware under support, or do we have spares to replace failing hardware?
  • What is the SLA on support contracts?
  • Are any vendors RMAs dependent on near-time sourcing that could be impacted by current world events?

Conclusion

Hopefully you won’t have to force the entire company to work from home, but it is a good idea to have something in place in case this happens. Stay safe out there, and happy remote access!

Tags: , ,

Clay is a recovering server guy that has learned how networks and security worked and used it to his advantage. He is always eager to learn a new technology or technique as there are never enough tools in the toolbox for solving problems in modern networking and server environment. Clay is always striving to make the "more perfect" network available to peers and users. He currently an active Juniper Ambassador, and has contributed to multiple Juniper Day One guides to solve both old and new problems that engineers face in their networks. Clay is a talented individual that enjoys the new challenges that are facing next generation networks, both large and small.

Clay has achieved two of the highest certifications from Juniper Networks: the JNCIE-SEC (Certification Number #69) for his proficiency in Juniper Networks security platforms, and the JNCIE-ENT (Certification Number #492) for his proficiency in Juniper Networks enterprise routing and switching platforms. He is also certified as a Pulse Secure Certified Instructor and Palo Alto Networks Certified Network Security Instructor. Outside of the of the certifications above, Clay also has experience with securing cloud-provider networks while ensuring the highest levels of performance to serve its users.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.