As the coronavirus spreads, many companies are requiring employees to work from home, putting unanticipated stress on remote networking technologies and causing bandwidth and security concerns.
Businesses have facilitated brisk growth of teleworkers over the past decades to an estimated four million-plus. The meteoric rise in new remote users expected to come online as a result of the novel coronavirus calls for stepped-up capacity.
Research by VPN vendor Atlas shows that VPN usage in the U.S. grew by 53 per cent between March 9 and 15, and it could grow faster. VPN usage in Italy, where the virus outbreak is about two weeks ahead of the U.S., increased by 112 per cent during the last week.
"We estimate that VPN usage in the U.S. could increase over 150 per cent by the end of the month," said Rachel Welch, chief operating officer of Atlas VPN, in a statement.
Businesses are trying to get a handle on how much capacity they'll need by running one-day tests. For example, JPMorgan Chase, Morningstar and analytics startup Arity have tested or plan to test their systems by having employees work from home for a day, according to the Chicago Tribune.
On the government side, agencies such as National Oceanic and Atmospheric Administration and NASA have or will run remote networking stress tests to understand their remote networking capacity and what the impact will be if they add thousands of new teleworkers. About two million people work for the government in the U.S.
To help stave off congestion in cellular data networks, the Federal Communications Commission has granted T-Mobile temporary access to spectrum in the 600MHz band that's owned by other licensees.
T-Mobile said it requested the spectrum "to make it easier for Americans to participate in tele-health, distance learning, and telework, and simply remain connected while practicing recommended 'social distancing'."
Last-mile internet access may become congested in areas that rely on wireless connectivity, some industry players warn.
"Bottlenecks are likely going to exist in hard-to-reach areas, such as rural locations, where internet access relies on microwave or wireless infrastructure," said Alex Cruz Farmer, product manager for network intelligence company ThousandEyes, which makes software that analyses the performance of local and wide area networks.
"The challenge here is that the available bandwidth is usually much less via these solutions, as well as more latent. We have seen a very small number of platform-related issues or outages due to increased loads, although those have since been resolved."
For its part, AT&T said it has noticed shifts in usage on its wireless network, but capacity has not been taxed.
"In cities where the coronavirus has had the biggest impact, we are seeing fewer spikes in wireless usage around particular cell towers or particular times of day, because more people are working from home rather than commuting to work, and fewer people are gathering in large crowds at specific locations," AT&T said in a statement.
"We continuously monitor bandwidth usage with tools that analyse and correlate network statistics, which reveal network trends and provide us with performance and capacity reports that help us manage our network."
Verizon says it hasn't seen a measurable increase in data usage since the coronavirus outbreak, despite a jump in the number of customers working from home.
"Verizon’s networks are designed and built to meet future demand and are ready should demand increase or usage patterns change significantly. While this is an unprecedented situation, we know things are changing, and we are ready to adjust network resources as we better understand any shifts in demand," the company said in a statement.
Verizon has been monitoring network usage in the most affected areas and pledged to work with and prioritise network resources to meet the needs of hospitals, first responders and government agencies.
It also announced plans to increase capital spending from between $17 billion and $18 billion to between $17.5 billion to $18.5 billion in 2020 in an effort to "accelerate Verizon's transition to 5G and help support the economy during this period of disruption."
Enterprise VPN security concerns
For enterprises, supporting the myriad network and security technologies that sit between data centers and remote users is no small task, particularly since remote-access VPNs, for example, typically rely on residential internet-access services over which businesses have little control.
But IT pros should try to verify that these connections meet enterprise standards, according Tom Nolle, president of CIMI Corp.
"The home broadband elements, like the ISP and DNS and Wi-Fi, should really be part of a business certification of suitable networking for home work," Nolle said. "I find that DNS services like Google's are less prone to being overloaded than ISPs' services, which suggests users should be required to adopt one of them. OpenDNS is also good."
The security of home Wi-Fi networks is also an issue, Nolle said. IT pros should require workers to submit screenshots of their Wi-Fi configurations in order to validate the encryption being used. "Home workers often bypass a lot of the security built into enterprise locations," he said.
Education of new home workers is also important, said Andrew Wertkin, chief strategy officer with DNS software company BlueCat.
"There will be remote workers who have not substantially worked from home before, and may or may not understand the implications to security," Wertkin said. "This is especially problematic if the users are accessing the network via personal home devices versus corporate devices."
An unexpected increase in remote corporate users using a VPN can also introduce cost challenges.
"VPN appliances are expensive, and moving to virtualised environments in the cloud often can turn out to be expensive when you take into account compute cost and per-seat cost," Farmer said. A significant increase in per-seat VPN licenses have likely not been budgeted for.
On the capacity side, systems such as DHCP, which doles out IP addresses, could come under stress with increased remote-access use. "It doesn't matter if there are enough licenses for VPN if the devices connecting cannot obtain network addresses," Wertkin said. "Companies must test for and understand choke points and start implementing strategies to mitigate these risks."
Along those lines, enterprises "may have to validate the number of SSL sockets their data centers can expose for use, or they could end up running out," Nolle said.
Paul Collinge, a senior program manager in the Microsoft Office 365 product team, raised similar concerns.
Network elements such as VPN concentrators, central network egress equipment such as proxies, DLP, central internet bandwidth, backhaul MPLS circuits, and NAT capability are put under enormous strain when all employees are using them, Collinge wrote in a blog about optimising Office 365 traffic for remote staff. The result is poor performance and productivity coupled with a poor user experience for those working from home.
ThousandEyes' Farmer said enterprises might have to increase the number of VPN concentrators on their networks.
"This way, remote-user connectivity is distributed across multiple VPN endpoints and not concentrated," he said. If that's not an option, businesses may have to open firewall ports to allow access to essential applications, which would enable them to scale up, but could also weaken security temporarily.
Can VPN split tunnelling help?
Industry players are divided on the use of split tunnelling to minimise coronavirus capacity concerns.
VPNs can be set up to allow split tunnelling, where only traffic intended for the corporate network tunnels through the VPN, BlueCat's Wertkin said.
The rest of the traffic goes directly to the internet at large, meaning it isn't subject to the security controls imposed by the tunnel and by tools within the corporate network, which is a security concern. This could lead to remote users' computers being compromised by internet-borne attacks, which could in turn put corporate data and networks at risk.
Despite this, Microsoftlast week recommended split tunnelling as a way for IT admins to address its Office 365 service becoming congested due to an influx of remote users. In the advisory, Microsoft offers a list of URLs and IP addresses for its points of access and describes how IT can use that information to route traffic directly to Office 365.
The VPN client should be configured so that traffic to identified URLs/IPs/ports is routed in this way, according to Collinge. "This allows us to deliver extremely high performance levels to users wherever they are in the world.”
ThousandEyes' Farmer said increased use of remote access VPNs might call for a review of network security in general. "[For] enterprises that are still using a legacy network security architecture, it may be time to consider cloud-based security options, which could improve performance for remote workers and diminish the overall use of the enterprise’s WAN circuits."