Researchers have found a strong correlation between remote work practices and the cost of a data breach. Specifically, data breaches partly caused by remote work cost 1 million USD more than breaches that don’t involve remote work. Virtual Private Networks (VPNs) are crucial in securing remote access, a fundamental remote work activity. To pick the right VPN for your remote work activities, you must know which VPN features provide the most value for your business.
In this article, I’ll explain how a VPN works, especially as it applies to remote work. More importantly, I’ll discuss why small and medium-sized businesses (SMBs) need a VPN. To start, let’s go over how VPNs work and why they matter to you.
A Quick Recap on How VPNs Work
Before I discuss how VPNs work, you must know that three main types of VPNs exist in the wild. These three types are site-to-site, remote access, and host-to-host. Remote access is the most widely used type among SMBs. As such, we’ll focus on remote access VPNs in the succeeding sections. Whenever I say “VPN”, I’m referring to a remote access VPN.
So how does a VPN work? A VPN secures the connection between a user/client device and a VPN server. You can typically find that VPN server, or VPN gateway, deployed at your company network. The advantage of VPN technology is that it provides remote users secure access to resources in your company network.
You can also find a slight variation of the remote access VPN architecture offered as a cloud-based VPN service. In this setup, a VPN service provider sits between your remote users and your company network. Some of the features mentioned later apply more to this particular setup. I’ll indicate whenever the discussion relates to a cloud-based VPN service.
Moving on, every VPN has 2 fundamental features. These 2 features greatly enhance remote access security:
1. Authenticates Users, Devices, or Both
Before a user can send or retrieve data through a VPN, that user must first authenticate with the VPN server. This process ensures that only authorized users can access your internal network. Some VPN solutions also authenticate devices.
2. Encrypts Data-in-Transit
Data-in-transit refers to data traversing a network such as the internet. Encryption renders this data unreadable. Even if attackers intercept encrypted data in transit, they can’t retrieve any usable information.
Why exactly are these 2 security controls important? You’ll find out in the next section.
Why You Need a VPN
Remote users often need access to resources in your company network. Perhaps they need to retrieve certain files, use a remote desktop, connect to your mail server, etc. Your company network contains sensitive information and mission-critical processes. This means your digital assets will be at risk if an attacker gains access to it. For this reason, you need to ensure that only authorized users have access. A VPN’s authentication features help you do that.
Attackers can also eavesdrop on your users’ remote sessions. Doing this allows them to snag confidential data like usernames and passwords. Attackers can then use those credentials to gain initial access to your servers. After gaining a foothold, they can perform “lateral movement” to access other parts of your network. If you conduct remote sessions through a VPN, eavesdroppers won’t succeed. A VPN’s encryption feature renders any sensitive data, including login credentials, unreadable.
With remote working now here to stay, SMBs must expect constant threats from internet-based eavesdroppers and other malicious individuals. A VPN can help you counter these threats. But it’s not enough for a VPN to support authentication and encryption. To meet the needs of modern business environments, SMBs must look for the following VPN features too.
Top 11 Must-Have VPN Features in 2022
I picked the following VPN features based on their relevance to SMB operations. VPN solutions architected for SMBs like KerioControl, NordLayer, and Surfshark support most, if not all, of these VPN features.
1. Secure VPN Protocol Support
This is arguably the most important VPN feature. Your VPN protocol determines what cryptographic, authentication, and key exchange methods you’ll use when establishing a VPN connection. Since you have several VPN protocols to consider, remember that some of them aren’t secure. Determined threat actors can break certain protocols, such as PPTP and L2TP, which are now considered obsolete.
To achieve maximum protection, look for a VPN solution that supports secure VPN protocols like IPsec, WireGuard, OpenVPN, or SSTP. These four protocols support strong cryptographic elements that hold up well against current attacks. They also support remote access, so they’re all good for SMBs.
2. DNS Leak Protection
A DNS leak can happen when your VPN fails to obscure domain name system (DNS) requests from your ISP. This flaw will allow prying eyes at your ISP to view your IP addresses and other pertinent data. To clarify, your data-in-transit is still encrypted. However, this data will get exposed once it reaches your ISP. In any case, it defeats the purpose of using a VPN if people outside your company can analyze your activities.
The advantage of a DNS Leak Protection feature is that it prevents DNS leaks from happening. It’s a valuable feature because it prevents attackers from gaining insight into your online activities. The less bad actors know about your internet activities, the more difficult it’ll be for them to devise an attack. Most SMBs can’t afford dedicated leased lines. Therefore, if you want complete privacy, your VPN must provide it all the way—DNS Leak Protection makes that possible.
3. Kill Switch
VPN connections, like any network connection, suffer occasional disruptions. In these instances, users get disconnected. But some VPN solutions have multiple VPN servers backing them up. These solutions automatically redirect connections to the nearest active server. Unfortunately, sometimes a device will temporarily connect to an insecure internet connection.
That brief moment of exposure is sometimes enough to leak sensitive data. You can prevent that situation using a VPN with a “kill switch”. This feature prevents devices from switching to an insecure connection whenever the VPN connection fails. SMBs rarely have dedicated IT staff who can monitor network health and resolve issues. For this reason, network and VPN disruptions can happen from time to time. A kill switch can ensure you don’t suffer any data leaks during those instances.
4. Multiple Server Locations
Some SMBs have remote workers connecting from overseas. These users experience a drop in VPN performance due to latency. Latency is an undesirable network condition that worsens as the separation between two endpoints widens. It’s common in wide area networks (WANs) like the internet, where thousands of kilometers often separate users and servers. Latency can cause your remote desktops to respond sluggishly, and your file transfers to take longer.
Some cloud-based VPN service providers strive to reduce latency by deploying servers across multiple countries. The wider a VPN provider’s coverage is, the greater the chance your users can connect to a VPN server nearby. When choosing a VPN service provider, find out where they host their servers. When your remote workers are close to VPN servers, they’ll get optimal connection speeds.
5. Static IP Address
VPN clients can have either a static or dynamic IP address. A static IP address doesn’t change, while a dynamic IP address does. Since static IP addresses are unique, you can use one alongside IP whitelisting as an additional access control for your VPN. An IP whitelist is a list of IP addresses a VPN looks up when a VPN client requests access.
Only client devices with their IP addresses in the whitelist will have access granted to them. A VPN client will have difficulty gaining access if its IP address constantly changes, so dynamic IP addresses won’t work. Not all VPNs support static IP addresses, though. If you want to use client IP addresses to control access to your SMB’s network, look for a VPN that supports static IPs.
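The whitelist lookup described above, as an added example that is not part of the original article or of any VPN product. The addresses are constructed documentation-range values, and the function names are hypothetical. It also handles two cases that commonly break such a lookup: IPv4 clients reported in IPv4-mapped IPv6 form, and unparsable input.

```python
import ipaddress

# Constructed whitelist: static addresses assigned to remote VPN clients.
WHITELIST = ["203.0.113.10", "203.0.113.24/29", "2001:db8:40::/64"]


def load_whitelist(entries):
    """Parse entries into networks; strict=True rejects typos such as
    203.0.113.25/29, where host bits are set in a network entry."""
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def normalize(source):
    """Return the address to compare. A dual-stack listener reports an IPv4
    client as ::ffff:a.b.c.d, which must be unwrapped before the lookup."""
    addr = ipaddress.ip_address(source)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(source, whitelist):
    """True only if the client's source address is on the whitelist."""
    try:
        addr = normalize(source)
    except ValueError:
        return False  # unparsable input is denied, never allowed
    return any(addr.version == net.version and addr in net for net in whitelist)


def check_clients(sources, entries=WHITELIST):
    """Map each source address to its access decision."""
    whitelist = load_whitelist(entries)
    return {src: is_allowed(src, whitelist) for src in sources}


if __name__ == "__main__":
    # Constructed connection attempts; 198.51.100.77 plays a client whose
    # dynamic address changed since the whitelist was written.
    for src, ok in check_clients(
        ["203.0.113.10", "::ffff:203.0.113.10", "203.0.113.30",
         "198.51.100.77", "not-an-ip"]
    ).items():
        print(f"{src:22} {'ALLOW' if ok else 'DENY'}")
```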
6. Cross-Platform App Availability
The rising adoption of bring-your-own-device (BYOD) programs has brought various device platforms into the workplace. While most SMB employees use Windows, others prefer macOS or Linux. Some employees even use mobile platforms like iOS or Android. How would these users connect to your VPN? Given a choice, they’ll likely want to connect through those very same platforms.
This is easy for them if your VPN solution has cross-platform app availability. Users would then have the option to install VPN client applications for their desired platform. Yes, most platforms already have built-in VPN clients. But these clients often lack VPN features provided by your VPN solution’s official apps. If users stick with your VPN solution’s official apps, they’ll use the same interface. The uniform interface will also simplify troubleshooting should the need arise.
7. No-Log Policy
“No-log” refers to a policy where a VPN solution deliberately avoids storing log data. You likely wouldn’t mind if your self-managed VPN solution stores logs. However, if you’re using a cloud-based VPN server, that’s another matter altogether. One of the reasons SMBs use a VPN is to protect their organization’s privacy. It would defeat the purpose if your service provider could just view your log data.
If you have to use a cloud-based VPN service, look for a service provider with a no-log policy. Some providers have to temporarily store certain logs to monitor service performance. Find out what types of log data they store and for how long. Connection logs might be acceptable since the provider can use them for monitoring performance. But if a provider stores traffic and usage logs, you might want to look elsewhere.
8. Statistics and Reporting
Statistics and reporting VPN features help you track your organization’s network activity. Some VPN solutions can show you, for example, which applications consume the most bandwidth or which websites users often visit. These statistics can inform your decision-making whenever you update your network policies.
Some VPN solutions can even send reports via email periodically, like daily, weekly, or monthly. This reporting feature can save time while also keeping you on top of things. Bear in mind that a no-log policy can limit the amount of data your VPN collects and reports. As to which feature is more important, this largely depends on your organization’s priorities.
9. High Availability
High availability (HA) refers to VPN features that minimize downtime when a VPN fails. VPN failure can happen for several reasons. A misconfigured network interface card (NIC), a failed upgrade, or a memory issue are some of the reasons a VPN can crash. SMBs rarely conduct preventive maintenance, so a VPN crash can happen anytime.
HA is crucial in a VPN because remote users can’t connect to your internal network if a VPN crashes. In turn, users can’t accomplish tasks, and your business will suffer productivity loss. Therefore, look for a VPN with HA capabilities, like a failover function that switches control to a backup system if your main VPN fails. This way, you’ll keep your remote workers connected and productive.
10. Router Support
To enable VPN access to a device in your internal network, some VPN solutions require you to install VPN software on that device. That’s fine if you only want to access one or two internal devices. Many SMBs, however, have multiple devices in their internal network. Installing and maintaining VPN software on each device isn’t very efficient. Installing VPN software on your router would make things much easier for you.
That way, every single device behind that router would have protection from your VPN. Your small IT team or designated “IT guy” can also benefit immensely from this setup. Deploying, configuring, and managing a VPN on your router instead of each endpoint device can save a lot of time.
11. Split Tunneling
Split tunneling routes some traffic through the VPN and the rest through a regular connection. In most cases, you’d route traffic bound for your internal network through the VPN. Likewise, you’d route internet-bound traffic, like that for email, web browsing, etc., through a regular connection.
The main reasons for using a split tunnel are to reduce the VPN’s workload and maintain optimal speeds for web-based processes. SMBs can’t afford unlimited bandwidth, and VPNs can slow down network traffic. VPN features like split tunneling can keep your internal network secure and web-based processes in optimal condition.
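How a split tunnel decides which path a packet takes, and how that decision relates to the DNS leaks covered under feature 2, shown as an added example that is not from the original article or any VPN vendor. The route table, the interface names (`wg0` for the tunnel, `eth0` for the regular connection) and the resolver file are constructed sample data, and the function names are hypothetical. The audit flags any configured DNS resolver that would be reached outside the tunnel, where the ISP can observe the queries.

```python
import ipaddress

# Constructed split-tunnel route table: (destination prefix, interface).
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route: internet-bound traffic
    ("10.20.0.0/16", "wg0"),     # company internal network via the VPN
    ("10.20.53.0/24", "wg0"),    # internal DNS subnet via the VPN
]
TUNNEL_IF = "wg0"

# Constructed resolv.conf-style content found on a remote worker's device.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 10.20.53.10
nameserver 192.0.2.53   ; resolver handed out by the local network
"""


def parse_routes(routes):
    return [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes]


def egress_interface(dest, table):
    """Pick the interface by longest-prefix match, as an IP stack does."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, ifname) for net, ifname in table
               if addr.version == net.version and addr in net]
    if not matches:
        return None  # no route at all
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def parse_resolvers(text):
    """Extract nameserver addresses, ignoring '#' and ';' comments."""
    resolvers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            resolvers.append(fields[1])
    return resolvers


def leaking_resolvers(text, table, tunnel_if=TUNNEL_IF):
    """Resolvers whose queries would leave through a non-VPN interface."""
    return [r for r in parse_resolvers(text)
            if egress_interface(r, table) != tunnel_if]


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for dest in ("10.20.1.5", "198.51.100.7"):
        print(dest, "->", egress_interface(dest, table))
    print("resolvers outside tunnel:", leaking_resolvers(SAMPLE_RESOLV_CONF, table))
```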
Summary Table of the Top 11 VPN Features
Here’s a summary of the top VPN features we discussed. Feel free to use it as a reference in the future should you need it.
|VPN Feature|Description|Benefits for SMBs|
|---|---|---|
|Secure VPN Protocol Support|Supports secure VPN protocols like IPsec, WireGuard, and OpenVPN|Ensures attackers can’t easily compromise your VPN connections|
|DNS Leak Protection|Hides DNS data from your ISP|Prevents attackers from gaining insight into your online activities through DNS data|
|Kill Switch|Prevents your device from reconnecting to an insecure connection during a momentary interruption|Prevents attackers from gaining a window of opportunity during a brief interruption|
|Multiple Server Locations|Provides users with multiple servers to connect to|Ensures users experience optimal connections regardless of their location|
|Static IP Address|Enables VPN clients to have a static IP address|Enables you to enhance remote access security by adding access controls like IP whitelisting|
|Cross-Platform App Availability|Provides VPN clients for various platforms|Allows you to provide VPN services to users regardless of whether they’re using a Windows, Mac, Linux, iOS, or Android device|
|No-Log Policy|Doesn’t store log data|Enables you to achieve complete privacy|
|Statistics and Reporting|Provides statistics and reports, usually accompanied by data visualizations|Informs your decision-making when developing network policies|
|High Availability|Provides features that ensure high levels of uptime|Reduces the frequency and length of disruptions caused by VPN failures|
|Router Support|Supports VPN installation on certain routers|Simplifies VPN deployment and management while protecting all connected resources behind the router|
|Split Tunneling|Provides the ability to route specific traffic through the VPN|Maximizes bandwidth consumption and prioritizes VPN protection to traffic that needs it the most|
Alright, time to wrap things up.
In this article, you learned 11 key VPN features every SMB VPN should have. These VPN features secure remote access, provide a good VPN UX, and simplify VPN administration.
Security-focused VPN features minimize risk when users access your internal network. They prevent data leaks, reduce downtime, and enhance access control. UX-focused features ensure users have an optimal experience whenever they use your VPN. Lastly, administration-focused VPN features help IT staff save time when deploying and managing your VPN.
SMBs that seek to implement remote work will almost surely use a VPN. Knowing which features to look for in a VPN will help ensure a good ROI.
If you encountered any questions during your reading, feel free to check out the FAQ and Resources sections below.
Are VPNs as important as firewalls?
Yes, they are. VPNs and firewalls address different types of threats. VPNs mainly thwart network eavesdroppers and prevent unauthorized access to your network. On the other hand, firewalls prevent unwanted traffic from entering your network. They also prevent lateral movement by enforcing network segmentation. In most cases, you’ll need both a VPN and a firewall.
Why should I avoid the PPTP VPN protocol?
Point-to-Point Tunneling Protocol (PPTP) is already considered obsolete. It uses old and weak cryptographic elements that attackers can easily break. Attackers can also subject a PPTP VPN to bit-flipping attacks, where data gets altered at the bit level, and DDoS attacks, which can cause your VPN server to crash. MS-CHAP, the authentication method employed by PPTP, is also easily crackable. This vulnerability allows attackers to steal login credentials.
Aside from seeking a provider with multiple VPN server locations, what can I do to address latency issues?
You can implement WAN optimization. This is a technique or solution designed to improve network performance in a wide area network (WAN). WAN optimization solutions employ one or more techniques like deduplication, caching, compression, and traffic shaping. Some examples of WAN optimization solutions include Exinda Network Orchestrator, Riverbed Steelhead, and Cato SASE Cloud.
What is a site-to-site VPN?
A site-to-site VPN is a VPN architecture connecting two networks, such as your HQ network and your branch network. You can use it to enable users in one network to access servers, files, applications, and other resources in another network and vice versa. Unlike remote access VPNs, a site-to-site VPN doesn’t require installing VPN clients on each endpoint.
What is a host-to-host VPN?
A host-to-host VPN is a VPN architecture that connects a host with another host. One host is usually an end-user device like a laptop, PC, phone, or tablet. The other host is usually a server. IT staff normally employ this VPN architecture to connect remotely to a server for administrative purposes.
TechGenix: Guide on OpenVPN
Discover the mechanisms, benefits, and drawbacks of OpenVPN in this guide.
TechGenix: Guide on WireGuard VPN
Learn what WireGuard is in this introductory guide.
TechGenix: Article on L2TP VPN
Explore the various aspects of L2TP VPN in this article.
TechGenix: Guide on SSTP VPN
Dive into all the relevant concepts associated with SSTP VPN in this guide.
TechGenix: Guide on VPN Services
Find out which VPN service is best for your business in this comprehensive guide.