In case you’ve been living under a rock recently: cases of COVID-19 are becoming more prevalent all around the world. With this comes a ton of questions regarding working from home and remote access in general. Is your infrastructure ready in the event that your organization requires the entire company to work from home? This blog post describes some of the questions you may want to ask to assess your readiness for a long-term working-from-home scenario.

Monitoring

Having monitoring in place is a common practice, but do you know what’s currently being monitored on your network, your firewall, or your VPN devices? Below is a list of metrics worth making sure you’re monitoring across the infrastructure:

  • All Devices
    • CPU
    • Memory
    • Interface stats:
      • Utilization
      • Tx/Rx Errors
      • Tx/Rx discards
    • Availability
  • Load Balancers
    • VIP Status
    • Connections per second
  • Firewalls
    • Connections per second (if using a load balancer or firewall)
    • Total number of sessions
  • VPN Appliances
    • Concurrent Users (if your licensing requires it)
    • Total Users
  • Determine the current amount of traffic for each network segment:
    • Office -> Internet
    • Office -> Corporate Resources

Questions to ask – Network/Infrastructure

  • Do you have enough IPs to allocate for client VPN addresses?
  • Is the current solution’s total throughput enough to handle more than x concurrent users? (replace x with the total number of users in your organization)
  • Can you perform non-intrusive testing to ensure the VPN’s capacity is working as advertised?
  • Which services are responsible for your company’s primary applications?
  • Which network devices are responsible for your company’s primary applications?
  • How much throughput is possible for each network device across each segment of the network? An example mapping is below:
    • Internet -> LB
    • LB -> VPN
    • VPN -> Switch
    • Switch -> Firewall
    • Firewall -> Switch
    • Switch -> Application
  • Do I need to support multiple offices?
  • How many users are located in each office, in the event that one office is closed?

Split-Tunnel vs. Full-Tunnel

Now, I know that Split-Tunneling is less secure than Full-Tunneling for non-corporate traffic, but Split-Tunneling may give your current VPN solution a little more life for a long-term WFH deployment. Before turning on Split-Tunneling, ask yourself the following questions:

  • Are any services limited or blocked by Geography or IP Restrictions? If so, what are they?
  • Are any of these restricted services able to be identified through a subnet or set of IP ranges? If so, can those subnet/IP Ranges be added to the list of routes that are forced over the VPN tunnel when on split-tunnel VPN?
  • If the service is dynamic, can your VPN service split-tunnel by domain name instead?
  • Can the IP Restrictions be disabled temporarily?
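
As an added example (not from the original post), the sketch below works through the second and third questions: it merges corporate subnets with the ranges of IP-restricted services into the route list forced over a split tunnel, flags services that have no stable range, and shows which path a destination would take. All subnets and service names are constructed sample values.

```python
import ipaddress

# Constructed sample data: private and documentation ranges, not real services.
CORPORATE_SUBNETS = ["10.20.0.0/16", "10.21.0.0/16"]
# Services that only accept connections from the office/VPN egress IP.
IP_RESTRICTED_SERVICES = {
    "payroll-saas": ["203.0.113.0/25", "203.0.113.128/25"],
    "vendor-portal": ["198.51.100.16/28"],
    "cdn-backed-crm": [],  # dynamic addresses: no stable range to route
}


def build_tunnel_routes(corporate, restricted):
    """Return (collapsed routes forced over the VPN, services with no range)."""
    nets = [ipaddress.ip_network(c) for c in corporate]
    unroutable = []
    for name, ranges in restricted.items():
        if not ranges:
            # Cannot be pinned to a route: needs domain-based split tunneling,
            # a full tunnel, or a temporary lift of the IP restriction.
            unroutable.append(name)
        nets.extend(ipaddress.ip_network(r) for r in ranges)
    # Merge adjacent/overlapping ranges so the pushed route table stays small.
    return list(ipaddress.collapse_addresses(nets)), sorted(unroutable)


def path_for(destination, routes):
    """Return 'tunnel' if the destination matches a forced route, else 'direct'."""
    addr = ipaddress.ip_address(destination)
    return "tunnel" if any(addr in net for net in routes) else "direct"


if __name__ == "__main__":
    routes, unroutable = build_tunnel_routes(CORPORATE_SUBNETS,
                                             IP_RESTRICTED_SERVICES)
    print("Routes to push:", [str(r) for r in routes])
    print("No stable range:", unroutable)
    for dst in ("10.20.5.9", "203.0.113.200", "198.51.100.40", "192.0.2.10"):
        print(dst, "->", path_for(dst, routes))
```

A restricted-service address that resolves to "direct" leaves from the user's home IP and will be rejected by the service, so compare this output against the answer to the first question before enabling split tunneling.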

Questions to ask – Purchasing

  • Do I need to purchase more licenses?
  • If needed, what is the turnaround time for getting quotes, going through the purchasing process, and delivery of hardware/software?
  • Can I RMA my hardware in the event of a hardware failure?
  • Is the VPN hardware under support, or do we have spares to replace failing hardware?
  • What is the SLA on support contracts?
  • Are any vendors’ RMAs dependent on near-time sourcing that could be impacted by current world events?

Conclusion

Hopefully you won’t have to force the entire company to work from home, but it is a good idea to have something in place in case this happens. Stay safe out there, and happy remote access!
