Was a 100% Remote Workforce in your Network Diagram?

This article was originally published on TMCnet’s Cloud Computing Magazine on April 9, 2020

Just like that, the CEO said, “All employees will work remote until further notice,” and the network that was ‘transitioning’ to a next-generation architecture was product-tested overnight.  Many failed, and the result was a workforce unable to connect…

That scenario has turned real for companies like brokerage firm Charles Schwab Corp., which faces the challenge of moving upwards of 20,000 workers to a remote work model.

“Like many companies, we simply did not build into our plan the need to have the majority of employees work from home at the same time,” said Nigel Murtagh, executive vice president of corporate risk said in a memo that was reported by Bloomberg (News – Alert) News.  “We are in the process of building out that capability now, as quickly as possible.”

Not everyone will be in the same place as Schwab, but many enterprises are going to have the same struggle to meet the surge in demand for remote access.  What are some steps to take?

Tackling capacity concerns in the near term

Capacity for existing remote access solutions will be taxed.  Take steps to moderate the traffic impact by having clear guidelines on what’s allowed and what’s not allowed while using the VPN.  Explictly stating a ban on video streaming sites, like Netflix and YouTube, are ok; blanket policies blocking social media sites like Facebook (News – Alert) might be harder to justify if employees are trying to feel connected to impacted family members.

Apart from sharing guidelines, also consider how to implement those policies on a per user basis, if possible.  Consider using different/more restrictive policies for remote users to avoid resource contention.  What is the employee’s role?  What level of access to applications should they be given?  If the employee is a social media manager, they might actually need access to Vimeo, YouTube (News – Alert), Instagram and other communication channels to stay in touch with employees and customers.

Have a consistent policy managed by a centralized orchestrator, with resilient backup. 

Design for a distributed VPN footprint

Conventional network design for VPN services involves backhauling authorized user traffic to a central location where the VPN gear is located.  The first issue is too many legitimate users accessing the equipment looks no different than a malicious DDoS attack – too many requests, too little capacity can make the corporate VPN go belly up.  Racking and stacking new gear in the enterprise datacenter is impractical – there’s significant cost in trying to chase down the increased demand and no guarantee that addressing the access part of the equation necessarily solves the quality of experience for end users.

The leads in to a related problem:  Since many business-critical applications no longer solely reside in the enterprise datacenter, traffic that manages to get to the VPN is then sent back out over the internet to access cloud services and applications hosted in third-party datacenters.  The latency that VPN usage introduces can make some of these applications nearly unusable.

The performance issues with “tromboning” traffic is bad enough even in ideal conditions that employees often find workarounds that make the VPN irrelevant.  To prevent intentional (malicious) or inadvertent (COVID-19) Denial of Services effect on the VPN infrastructure, enterprises need to consider a distributed network architecture. 

What this means is the traffic from regional branches of the enterprise or partners and suppliers should be aggregated into regional hubs located in carrier neutral multi-tenant datacenters.  The hubs are connected together with SD-WAN networks that have an added benefit:  The entire application and security stack can be deployed closer to end users to enhance performance to enhance performance while maintaining centralized management and monitoring capabilities.

Leverage an analytics platform to shape traffic and security policies

The traffic patterns created by new remote work practices will also require a different approach to monitoring.  Separate network traffic, security and application monitoring make it difficult to properly assess performance issues.  Enterprises need to look to use analytics platforms that can make metric-driven correlations between networks, applications and third-party elements such as firewalls.

Integration of insights from these usually discrete systems will provide very valuable insights that can be used to shape future telecommute and security policies. 

For further detailed suggestions around employee education and training for work from home programs, go to the SANS organization for suggestions on best practices.

How can we help? 

We love talking about software-defined networks and the cloud! Let us know if we can help by filling out the form. Cheers!