VPN Options For Your Startup
Not All Implementations Are Created Equal
From my previous blog post you may now know what a VPN can protect your org from, and may have performed the risk analysis to determine that a VPN could lower your risk somewhat. We can now explore the architecture required to make a business decision about whether the benefits are worth the added overhead. To do this, we will need to look at how to implement exactly what we need to solve our problem. Unsurprisingly, this can vary dramatically in up-front cost and ongoing resource commitment depending on the exact needs of the org.
If you are only concerned with privacy on a laptop or mobile device, a SaaS cloud-hosted VPN might be the ideal choice. This technology works by using software on your device to route the connection through an endpoint in a country of your choosing. You may have seen advertisements for this online, particularly on video hosting sites.
Cloud-hosted VPN
Cloud-hosted VPNs are quite affordable, though they come with the following caveats:
· No access to your company’s private cloud
· No access to local data center files or applications
· No access to office, lab or research devices in your business location
Since you are ultimately not connecting the cloud VPN to your network or cloud, you cannot reach those resources. So what other options exist?
Hosting your own VPN in the office or local data center.
This is typically done on your firewall or a dedicated server. You may or may not be allowed to do this if you are in an incubator space, leasing space where the internet runs over their networking equipment.
If you do choose to host a VPN yourself, what considerations can you expect? Now that you can access your office equipment remotely, you are able to do things like monitor lab equipment and control experiments remotely. In the past I have found this to be essential for on-prem GPU loads (think AI and ML in your local data center). This allows the users and administrators of the system to more easily keep an eye on issues and remediate them.
While that sounds great, what are the downsides? Consider that you now own an additional tool and you will need to secure and administer it accordingly. Some things that you are now responsible for include:
- keeping on-site resources functional, including their care and maintenance
- securing the connection to your office and protecting the data and infrastructure from intruders
You will also have to partner with your IT team to determine the following:
WARNING: TECHNICAL JARGON AHEAD
Is this a single site or do you have multiple offices, labs and data centers?
The VPN will have to be engineered to be either “split tunnel” or “full tunnel”.
Split tunnel is a method of telling computers that connect to the VPN which resources to reach through the VPN. This requires configuration such as routing rules and VLANs and will have to be performed by a technical professional.
Full tunnel connections route ALL traffic on your laptop indiscriminately through the VPN. This is simple and helps with privacy, but can choke bandwidth in an office: think of what would happen if several users forgot to disconnect from the VPN and all started streaming Netflix at once.
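To make the split versus full tunnel distinction concrete, here is an added Python example (my own illustration, not code from the original post or from any VPN vendor) that models the route table a client installs under each profile and resolves sample destinations by longest-prefix match. The corporate prefixes, gateway address and destination hosts are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the post): corporate prefixes a split-tunnel
# profile pushes to clients, and the public address of the office VPN gateway.
OFFICE_PREFIXES = ["10.10.0.0/16", "10.20.0.0/16", "192.168.50.0/24"]
VPN_GATEWAY = "198.51.100.10"


def build_routes(mode):
    """Route table a client installs for a given profile.

    Each entry is (network, interface). Split tunnel adds only the corporate
    prefixes via the tunnel, so anything not listed stays on the local link.
    Full tunnel adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel (a common client
    trick that beats the local default route by longest-prefix match without
    deleting it) plus a host route so the encrypted packets to the gateway
    itself still leave on the local link instead of looping into the tunnel.
    """
    routes = [(ip_network("0.0.0.0/0"), "local")]  # the laptop's own default route
    if mode == "split":
        routes += [(ip_network(p), "vpn") for p in OFFICE_PREFIXES]
    elif mode == "full":
        routes += [(ip_network("0.0.0.0/1"), "vpn"),
                   (ip_network("128.0.0.0/1"), "vpn"),
                   (ip_network(VPN_GATEWAY + "/32"), "local")]
    else:
        raise ValueError("mode must be 'split' or 'full'")
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def classify(mode, destinations):
    """Map each destination to the interface its traffic would leave on."""
    routes = build_routes(mode)
    return {d: next_hop(routes, d) for d in destinations}


if __name__ == "__main__":
    # Constructed destinations: a lab host, a host on an internal subnet the
    # admin forgot to list, a video streaming CDN node, and the gateway itself.
    sample = ["10.10.4.7", "10.99.1.1", "203.0.113.9", VPN_GATEWAY]
    for mode in ("split", "full"):
        print(mode, classify(mode, sample))
```

The unlisted 10.99.1.1 host staying on the local link under split tunnel is the routing-rules work the paragraph above refers to: every internal prefix has to be enumerated, while full tunnel sends the streaming traffic through the office regardless.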
Will the VPN be set to “always on”? (yes/no) This is set up on the devices so that when a laptop boots it automatically connects to the VPN as soon as the network connection is activated.
The upside of this is that it is secure and simple for your users.
The downside is that your infrastructure in the office is now critically important. If it goes down, or a configuration change breaks systems, then every employee is left without internet.
Based on the above, will you have to manage multiple VPN profiles? This lets you reach the ideal configuration by offering multiple combinations of the settings listed above.
Upside - allows granular configuration per user or department
Downside - requires streamlined deployment and the ability to change rapidly, as well as a higher cost to manage and implement
Other options besides a VPN:
EVEN MORE TECHNICAL JARGON
Is an SD-WAN a better option? An SD-WAN (Software-Defined Wide Area Network) is a software package that connects all your corporate devices, secures them and gives them access to resources. This requires a paid subscription but does offer a neat package available to smaller businesses while being capable of more rapid changes.
Using a VPN while travelling in China may get you into trouble. As for whether VPNs are legal in China, the 2017 amendment to Chinese law makes VPNs illegal unless approved by the PRC government.
Typically when asked, my advice to clients is to:
- not let yourself be the first to test the consequences of this law
- collaborate with a knowledgeable IT professional and legal professional
- work with an IT professional to make a plan for limiting the exposure of sensitive data through other means (burner device, cloud resources, risk assessment and action plan).
If you need local resources but don’t want the headache of hosting your own VPN, some devices allow connectivity via a cloud portal. These include:
- Synology network attached storage devices (often used as a lab data solution)
- Network equipment like Meraki, Cisco, Juniper and Unifi
- Some lab instruments and vendors such as Thermo Fisher
Just remember that in all these cases you have very little control over the interface and what functionality is possible. You must also consider that the vendor can change or remove this functionality at their whim.
Conclusion
If you’ve made it this far, you can see there is a wide range of options that will make or break a successful implementation of a VPN for your company. Align with your IT thought leader to see what works best for you today and tomorrow.