Given the explosion in demand for remote work, we wanted to explain a technology that many of us use, but few in finance understand well. If you are working from home and connect to the office, you likely use a VPN. VPN stands for Virtual Private Network and is a technology that is as old as the internet itself.
While working from home you may have experienced applications running slowly or not at all. This can be frustrating, to say the least. As we have said elsewhere, a little technological insight can improve your ability to discuss your problems with IT and ultimately yield better performance and improve your ability to mitigate risk. That is our goal for this article.
Overview
To understand how a VPN works at a high level, one needs to have a basic understanding of networks. When you are at your corporate office, you will most likely be connecting to the corporate LAN (Local Area Network).
A LAN is simply a network that is not directly reachable from the internet and that connects a limited number of computers and other resources located physically close to one another (such as those at your office location). Each organization will have at least one LAN of its own to which its computers are connected. Each LAN connects to the internet, which is in itself a type of network (WAN - Wide Area Network).
Generally speaking, one LAN cannot talk to another LAN, even though both LANs can (usually) connect to the internet. This is intentional, to isolate traffic and to help protect your resources. Consequently, when you are at home (the network at your home is also considered a LAN) and you need to access resources on your office network, such as a Remote Desktop server, network drives, etc., you first need a tool to connect to the office LAN. This is where a VPN comes to the rescue.
Assuming your IT department allows remote connections, IT would typically:
- install some software on the corporate network that will listen for VPN connections and
- install some VPN client software on your laptop/home computer (depending on the type of VPN).
With this work complete, the client software can connect to the server software at the office and create a virtual, encrypted tunnel. All traffic destined for your office that would previously fail to move between the two LANs now flows through this virtual tunnel network.
It is important to understand that traffic flows from your LAN over the public internet to the office LAN and back again. That is why the P (Private) in VPN matters: all data in the tunnel is encrypted so that nobody on the internet can intercept and decode the traffic. The diagram below shows the basic configuration of a typical VPN:
Finally, this VPN is temporary. The moment you disconnect, the tunnel closes, and the two LANs are decoupled again.
Performance
Although working remotely via a VPN is very similar to working locally at the office from a practical point of view, some major differences are important to understand to maximize your effectiveness and minimize frustration as it relates to performance and security.
We understand that many of you reading this only need a cursory overview. To really participate in a discussion with IT, however, you will need to know more. For those who just need high-level, we provide that first. Then for those with the patience and interest, we provide much more detail further on.
In Summary
If you are working from home over a VPN and experience poor "performance", there are 5 main items to consider:
- Throughput - the speed (both download and upload) of your home network is likely to be slower than your office LAN. To test your speed, visit www.speedtest.net and note both the download and upload speeds. This is the variable people tend to focus on, but it is only a part of the story. Having said that, if you can get faster throughput inexpensively, and depending on the kind of remote work you will be doing, it might be worth considering.
- Latency - given you are physically further from your office computers & servers, there is additional delay in communication. There is not a lot IT can do to fix this problem; it varies based on your actual location and the path the data travels to & from your office.
- Congestion - what else is competing for use of your home bandwidth? Eliminate unnecessary uses of the internet (kids streaming Netflix etc.) and see if that improves your performance.
- Routing - how much of your laptop's traffic goes over the VPN? Discuss this with IT: ideally, when you are out of the office, only your requests for data residing in the office should go over the VPN, not all your web traffic too.
- Application Design - some applications assume an immediate, direct connection to the data they need. When that is not available, delays ensue. Be careful to tell IT whether your poor performance is application specific or general.
In Detail
There are five major attributes (simplified) that determine a network's performance:
- Throughput
You are probably most familiar with this attribute, usually measured in Mbps or Gbps (mega- or gigabits per second, respectively). It refers to your network's ability to move data around. The higher the number, the faster the data will travel between devices, and generally, the better the performance. Most corporate LANs have at least 1 Gbps networks; however, some client devices might still connect to the server infrastructure at 100 Mbps.
Your home office might make use of a connection 10 to 50 times slower. Typical DSL or cable speeds are anywhere from 5 Mbps in rural areas to 500 Mbps in cities. Also, consider that most residential internet plans are asymmetric. This means the throughput for download (like watching a Netflix movie or browsing the internet) is sometimes ten times higher than the throughput for upload (like sending an email). Therefore, even though you may have a connection supporting 50 Mbps download, it may only support 5 Mbps upload. This can impact VPN performance significantly, as you need to both download data from and upload data to the corporate LAN.
- Latency
Latency is a more obscure attribute but, in some ways, more important than throughput. A computer uses lots of transistors to switch electromagnetic waves on and off at great speeds (typically 1 - 4 billion times per second). The binary digits, or bits, your computer uses for communication are carried via these electromagnetic waves.
As you might recall from high school physics, light (which is an electromagnetic wave) propagates at a maximum speed of approximately 300 000 km/s in a vacuum. The electromagnetic waves in network cables, optical fibres, and other equipment typically propagate at about 66% of the speed of light, or 200 000 km/s. This is important to know because it allows us to determine how long it takes for a packet of data to be sent from your computer to the server and for a response to come back, also known as the round trip time (RTT). On a LAN, the physical distance between your computer and the server might be less than 100 m. A quick calculation shows that:

\begin{align*} RTT &= \frac{100\,\text{m}}{200\,000\,000\,\text{m/s}} \times 2 \\ &= 1\,\mu\text{s} \end{align*}
So for each packet of data your computer and server exchanges, it will take at least 1µs for the packet to make the round trip. Considering most communication requires a large number of small packets (due to the design of TCP/IP), this quickly accumulates. Simplifying a lot, to transfer a single 2MB document will require approximately 1400 packets of data. Ignoring throughput, latency would introduce an additional 1.4ms of delay. That does not sound like much, and therefore working locally on a LAN generally produces great performance.
However, if you are working from home, things change a lot. Your office might now be 200 km away (not physically, but along the route your packets travel through the internet via the VPN). Consider copying that same file:

\begin{align*} RTT &= \frac{200\,000\,\text{m}}{200\,000\,000\,\text{m/s}} \times 2 \\ &= 2000\,\mu\text{s} \\ &= 2\,\text{ms} \end{align*}
Each packet now takes 2 ms for the round trip between your computer and the server, 2000 times longer than on the LAN. So that 2 MB file will now have an additional 2.8 seconds of latency above and beyond the time it takes to transfer the actual contents. This is certainly observable and can become highly problematic with certain applications.
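The RTT calculation above, carried through as an added example (not code from the original article) that also puts the latency cost next to the throughput cost of the same transfer. It assumes, as the article does, a 200 000 km/s propagation speed and one round trip per packet, plus an assumed 1460-byte payload per packet (the article rounds the result to roughly 1400 packets for a 2 MB file).

```python
import math

PROPAGATION_M_PER_S = 200_000_000  # ~66% of the speed of light, as used in the article
PACKET_PAYLOAD_BYTES = 1460        # assumed typical TCP payload per packet on Ethernet


def round_trip_time(distance_m):
    """Seconds for a signal to reach the server and come back (the RTT)."""
    return distance_m / PROPAGATION_M_PER_S * 2


def transfer_estimate(file_bytes, distance_m, throughput_mbps):
    """Split a file transfer into its latency cost and its throughput cost.

    Like the article, this assumes one round trip per packet (no pipelining),
    a simplification that makes latency dominate once the server is far away.
    """
    packets = math.ceil(file_bytes / PACKET_PAYLOAD_BYTES)
    rtt = round_trip_time(distance_m)
    return {
        "packets": packets,
        "rtt_s": rtt,
        "latency_s": packets * rtt,                              # time spent waiting on RTTs
        "throughput_s": file_bytes * 8 / (throughput_mbps * 1_000_000),  # time spent moving bits
    }


if __name__ == "__main__":
    # Same 2 MB document: 100 m over a 1 Gbps LAN versus 200 km over a 50 Mbps home link.
    for label, distance, mbps in (("LAN", 100, 1000), ("VPN", 200_000, 50)):
        est = transfer_estimate(2_000_000, distance, mbps)
        print(f"{label}: {est['packets']} packets, RTT {est['rtt_s'] * 1e6:.0f} us, "
              f"latency {est['latency_s']:.4f} s, throughput {est['throughput_s']:.4f} s")
```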
- Congestion
When most staff are sent home, as is currently happening with COVID-19, a large number of people are concurrently connected via VPN. The corporate network might not be optimized for this amount of traffic, causing a degraded experience for all. Additionally, your partner or family member might be watching Netflix at home while you are trying to do some remote work, reducing the throughput and possibly affecting your experience. Most home networks do not have traffic shaping enabled - something many corporate offices have implemented that allows certain traffic to have higher priority and not be impacted by someone else downloading a file or watching a movie.
Another cause of congestion is WiFi. Most people use WiFi to connect their home computers to the internet due to the convenience it offers. Due to the way WiFi is designed, when a client computer sends data to the internet via WiFi, the WiFi access point can only talk to that one client at that point in time. Any other clients need to wait until the access point has finished transmitting. This happens at a low level, so it is not always apparent, and some modern WiFi access points support something called MU-MIMO, which allows the access point to talk to more than one device at a time. It becomes a problem when more than one person tries to access the internet and the signal is not very strong. The effect is to amplify the congestion.
- Routing
There are two ways your VPN could be configured (usually by your IT department) when it comes to routing traffic. When you connect via VPN, your VPN could:
- route only the traffic intended for the office network through the VPN, with all other traffic going through your ISP's modem (the ideal configuration, often called a split tunnel), or
- be configured so that once the VPN is connected, ALL your traffic is routed through the VPN tunnel (a full tunnel). That implies that if you are watching a YouTube video or Netflix, all that traffic flows through the much slower VPN tunnel. The end result is a very poor end-user experience and potential privacy issues, since the organization will be able to see your personal traffic patterns.
It is therefore highly recommended that your IT department configure your VPN to route only traffic intended for the office through the VPN and all other traffic through your own modem. This will reduce the load on the corporate network and improve both your privacy and your general remote working experience.
- Application Design
Applications are designed with certain assumptions in mind. Many applications assume the application is used on a LAN. Have you ever used Office 365 and opened a Word document in your local Word application from the online portal? It takes several times longer to open the document as it has to download the document first. Some other applications experience the same problems. CaseWare, for example, assumes it has a fast LAN connection between itself and the CaseWare file. If you use CaseWare on your local home computer and try to access a CaseWare file on your office network via VPN, the latency will have a dramatic impact on the performance. It is generally best to access the CaseWare application via Remote Desktop over VPN. That way, the CaseWare application is running on a server with Remote Desktop and is local to the network share. We discussed remote desktop in more depth here.
Security
There are some additional complications when users work remotely via a VPN. In the traditional corporate setting, IT has full control over all the devices that access network resources and protects them adequately. However, the moment a user connects via VPN, the user's home computer is connected directly to the corporate network, as if the user had taken their PC and placed it directly on the LAN at the office (this is an oversimplification). That means that if the user's PC is infected with malware or is otherwise compromised, the attacker or malware now has access to the corporate network as well.
It is therefore paramount that users either:
- patch their home PCs, install anti-virus software, and treat their PC as if it were a corporate PC. Each active VPN connection extends the corporate LAN and therefore increases the risk of exposure. For that reason, it is recommended not to leave the VPN connected all the time unless your home network is secure; or
- bring their work laptop home and use it to connect to the corporate LAN, provided the IT department supports this.
A little bit of knowledge...
If you have further questions about your remote performance, be sure to discuss with your IT department. With your new-found understanding of the variables involved, you should be able to better answer their questions and participate in resolving your concerns.