What Are the Limitations of a VPN?

Although VPNs offer many benefits, you need to evaluate the very real and distinct limitations before you put a VPN in place.

A VPN connection offers flexible secure communication options, but it does not ensure quality of service. A VPN link is dependent upon the stability, throughput, and availability of the ISP connection, as well as the intervening network connections between endpoints. VPNs over the Internet can easily suffer from latency, fragmentation, traffic congestion, and dropped packets. This also results in a lack of dedicated bandwidth between business sites because of the volatility of the Internet.

Fragmentation occurs when a packet’s size exceeds the size allowed on a segment of the network or Internet. The too-large packet is broken or fragmented into smaller packets that meet the size limit. Traffic congestion on a network is similar to rush hour traffic on most highways. During peak times, more traffic (packets or cars) attempts to join the artery (bandwidth on a wired or wireless device, or physical highway), and all traffic slows down significantly because the load exceeds the capacity the highway (network or physical) can support. This slowdown affects both network traffic and employee productivity. A malware or denial of service (DoS) attack against the network shares some common behaviors with traffic congestion, which can be dangerous if an administrator mistakes an attack for congestion.
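To make the fragmentation mechanism concrete, the following added example (not from the book) splits a payload into IPv4-style fragments that fit a given MTU and reassembles them, refusing to reassemble when a piece is missing. It assumes a fixed 20-byte IPv4 header and uses the IPv4 convention that fragment offsets are expressed in 8-byte units, so every fragment except the last carries a multiple of 8 data bytes; the sample payload is constructed.

```python
from typing import List, Tuple

IPV4_HEADER_LEN = 20  # minimal IPv4 header; assumed constant for this example

Fragment = Tuple[int, bool, bytes]  # (offset in 8-byte units, more-fragments flag, data)


def fragment(payload: bytes, mtu: int, header_len: int = IPV4_HEADER_LEN) -> List[Fragment]:
    """Split payload into fragments whose header + data fits the MTU."""
    max_data = mtu - header_len
    if max_data < 8:
        raise ValueError(f"MTU {mtu} is too small to carry fragment data")
    # Offsets are counted in 8-byte units, so all but the last fragment
    # must carry a multiple of 8 bytes; round the usable size down.
    chunk = max_data - (max_data % 8)
    frags: List[Fragment] = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        more = start + chunk < len(payload)  # True unless this is the final piece
        frags.append((start // 8, more, data))
    return frags


def reassemble(frags: List[Fragment]) -> bytes:
    """Reorder fragments by offset and rebuild the payload, rejecting gaps."""
    ordered = sorted(frags, key=lambda f: f[0])
    out = bytearray()
    for offset, _more, data in ordered:
        if offset * 8 != len(out):
            raise ValueError(f"gap before fragment at byte offset {offset * 8}")
        out += data
    if ordered and ordered[-1][1]:
        raise ValueError("final fragment missing")
    return bytes(out)


# Constructed sample: 3072 bytes of patterned data.
SAMPLE_PAYLOAD = bytes(range(256)) * 12

if __name__ == "__main__":
    for mtu in (1500, 1000):
        pieces = fragment(SAMPLE_PAYLOAD, mtu)
        print(f"MTU {mtu}: {len(pieces)} fragments, sizes {[len(d) for _, _, d in pieces]}")
        assert reassemble(pieces) == SAMPLE_PAYLOAD
```

With a 1500-byte MTU the 3072-byte payload becomes three fragments (1480, 1480 and 112 bytes); a 1000-byte MTU leaves only 980 usable bytes, rounded down to 976, and yields four fragments. Dropping any one fragment makes `reassemble` raise, which is the packet-loss failure mode the text describes: a single lost fragment costs the whole datagram.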

Technical TIP

Encrypted traffic does not compress. Compression reduces the size of a data set, removing redundancies or repeated sections within the data set. Properly encrypted data produces ciphertext that does not contain redundancies or recognizable patterns. If ciphertext did have these characteristics, it would not be as secure. Thus, without these redundancies, it is not possible to compress encrypted data.

Although VPNs are excellent solutions over nearly every broadband connection option, a VPN can be difficult to maintain over dial-up. In more rural areas, dial-up connections are still in use and may be the only alternative to wireless communication. VPN traffic is encrypted, and encrypted traffic does not compress. Most dial-up modem connections rely on compression—mainly hardware compression—to improve connection speed. When compression is not possible, a significant and noticeable speed reduction occurs. Additionally, VPN tunnel management can impose a significant increase in management overhead because of changes in protocol headers, potential authentication latency, and a prolonged connection establishment negotiation.
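The claim in the Technical TIP and the dial-up discussion above, that encrypted traffic does not compress, can be checked directly. The following added example (not from the book) compresses a repetitive plaintext with zlib, encrypts it with a toy keystream built from SHA-256 in counter mode (an illustration, not a VPN cipher), and compares the sizes; it also shows that compressing before encrypting still works, which is how a link-layer or IPsec compression stage has to be ordered. The sample plaintext and key are constructed.

```python
import hashlib
import zlib
from typing import Dict


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) block by block. Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size; below 1.0 means it shrank."""
    return len(zlib.compress(data, 9)) / len(data)


def sizes(plaintext: bytes, key: bytes) -> Dict[str, int]:
    """Bytes on the wire for the two possible orderings of compress and encrypt."""
    return {
        "raw": len(plaintext),
        "compress_then_encrypt": len(encrypt(key, zlib.compress(plaintext, 9))),
        "encrypt_then_compress": len(zlib.compress(encrypt(key, plaintext), 9)),
    }


# Constructed sample traffic: a highly repetitive request stream and a dummy key.
SAMPLE_PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n" * 64
SAMPLE_KEY = b"example-key-not-for-real-use"

if __name__ == "__main__":
    print(f"plaintext ratio : {compression_ratio(SAMPLE_PLAINTEXT):.3f}")
    print(f"ciphertext ratio: {compression_ratio(encrypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)):.3f}")
    print(sizes(SAMPLE_PLAINTEXT, SAMPLE_KEY))
```

The plaintext compresses to a small fraction of its size, while the ciphertext comes out slightly larger than it went in (zlib falls back to stored blocks and adds its own framing). Modem hardware compression sits after the VPN software, so it only ever sees ciphertext and gains nothing. Compressing inside the tunnel before encryption recovers the saving, with one caveat a practitioner should know: when attacker-influenced and secret data share a compressed record, the resulting ciphertext length can leak information about the secret.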

Another area of concern is the minor risk or potential of data exposure while in transit over the Internet. This is only a real concern if the VPN does not use strong encryption or the encryption is configured improperly. Proper security management will eliminate this as a serious concern.

Vulnerabilities exist at VPN endpoints. With a VPN, side attacks against the encrypted link are nearly eliminated. However, data entering or leaving the VPN is at risk. An end-user computer could be infected by malicious code that can traverse the VPN link into the company LAN. Also, private and confidential data from the company LAN can be copied across the VPN link to the end-user computer. On this computer, that data is less secure and subject to a wider range of threats.

You should also consider the increased difficulty in providing technical support remotely. This is especially true when the remote connection is not functioning. In addition, it is more difficult to keep remote systems in compliance with security settings, conduct training, allow supervisory oversight, enable HR management, and monitor user activities.

An even larger concern is granting open or blanket unrestricted network-resource access to those connecting via VPN. You must enforce stronger authentication and authorization limitations on VPN users, especially on VPN telecommuters. Remote users should have access only to those resources necessary for their current tasks. Unlimited access to network resources can quickly result in exploitation and confidential data leakage if the remote user or the remote computer is compromised.
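The difference between blanket access and task-scoped access can be made visible with a small deny-by-default rule evaluator. The following added example (not from the book) models a VPN authorization policy as a list of rules keyed on the user's role, the destination resource and port, and whether the remote device has passed a compliance check, then computes what a given session can reach; it is a teaching model, not any particular VPN product's policy language, and the resource inventory, roles and sessions are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    role: str                       # role the rule applies to
    resource: str                   # inventory name, or "*" for blanket access
    port: Optional[int] = None      # None matches any port
    require_compliant: bool = True  # only honour the rule from a compliant device


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    device_compliant: bool  # result of an endpoint posture check (assumed to exist)


def is_allowed(session: Session, resource: str, port: int, rules: List[Rule]) -> bool:
    """Deny by default: a request passes only if some rule explicitly matches."""
    for rule in rules:
        if rule.role != session.role:
            continue
        if rule.resource not in ("*", resource):
            continue
        if rule.port is not None and rule.port != port:
            continue
        if rule.require_compliant and not session.device_compliant:
            continue
        return True
    return False


def reachable(session: Session, rules: List[Rule], inventory: Dict[str, Set[int]]) -> Set[Tuple[str, int]]:
    """Every (resource, port) pair the session could open under the policy."""
    return {
        (resource, port)
        for resource, ports in inventory.items()
        for port in ports
        if is_allowed(session, resource, port, rules)
    }


# Constructed LAN inventory: resource name -> listening ports.
INVENTORY: Dict[str, Set[int]] = {
    "mail": {443},
    "crm": {443},
    "hr-db": {5432},
    "file-server": {445},
}

# Weak policy: every telecommuter reaches everything, regardless of device state.
BLANKET_POLICY = [Rule("telecommuter", "*", None, require_compliant=False)]

# Corrected policy: only the resources each role needs, only from compliant devices.
RESTRICTED_POLICY = [
    Rule("telecommuter", "mail", 443),
    Rule("telecommuter", "crm", 443),
    Rule("hr-admin", "hr-db", 5432),
]

if __name__ == "__main__":
    alice = Session("alice", "telecommuter", device_compliant=True)
    print("blanket   :", sorted(reachable(alice, BLANKET_POLICY, INVENTORY)))
    print("restricted:", sorted(reachable(alice, RESTRICTED_POLICY, INVENTORY)))
    print("non-compliant device:", reachable(Session("alice", "telecommuter", False), RESTRICTED_POLICY, INVENTORY))
```

Under the blanket policy a compromised telecommuter account or laptop reaches all four resources, including the HR database and the file server; under the restricted policy the same account reaches only mail and CRM, and a device that fails its posture check reaches nothing. That gap is the exposure the paragraph above warns about, and the rule list is the artifact a VPN policy should pin down.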

If you understand these limitations and address each properly, you can avoid catastrophic mistakes and install and use VPNs correctly and productively. One of the primary tools to accomplish this is the VPN policy.
