
The next remote access challenge: Seamless VPN roaming

One of the most persistent problems with connecting remotely from mobile devices to a corporate network today is ensuring consistent and secure coverage across all communications channels. For instance, we can now use Wi-Fi at airports, 3G in hotels, or LAN at a company's headquarters. This means a remote access VPN solution has to guarantee seamless roaming between all of these networks – without compromising security. Yet even so, seamless roaming solutions are still hard to come by.

As has been the case for the last several decades, employees who work exclusively from an office are becoming rarer, amplifying the need for more sophisticated remote access solutions. IDC predicts that the Americas will see the number of mobile workers grow from 182.5 million in 2010 to 212.1 million in 2015, thus using notebooks, smartphones and tablets to answer their emails or access data within the company network during a business trip or from their home office.

Rising demand for seamless roaming

Despite the clear advantage of seamless roaming, in practice it is extremely difficult to maintain a VPN connection continuously. The reason is that most business notebooks are equipped with both a wireless LAN module and a cellular network chip. They also have a LAN adapter for connecting to the company network over a wire-bound network, for example at a home office or a remote company site.

There are three ways for mobile devices to set up a secure VPN tunnel to the company network: the traditional wire-bound Ethernet LAN, wireless LAN (Wi-Fi) at public hotspots, as well as cellular network connections. For cellular network connections, the system has to support the following three technologies: the GSM network, 3G connections and high-speed connections via 4G networks.

Ideally, users should have the flexibility to move between these connections as necessary. This, however, requires a VPN to:

  • automatically support any change of communication medium;
  • dynamically redirect an existing VPN tunnel during a change of the medium; and
  • prevent session loss.

This is, in part, why moving between various types of networks and communication mediums is the rule, not the exception. In today's mobile world, it's not uncommon to be faced with a multitude of connection types on any given day. For example, imagine you're traveling by train to a meeting with a colleague in a branch office. While awaiting the train, you're able to check email and edit documents by accessing the company network via the train station's Wi-Fi network. Then, while on the train, depending on the location, you can access a 3G connection, but occasionally the transmission rate drops to GSM level, and in remote areas it disconnects entirely. Ultimately, when you reach the branch office, you access the company network via the local LAN or Wi-Fi network.

Connection loss causes unstable applications

Several remote access solutions or VPN clients react to such network changes by disconnecting the VPN tunnel. The same happens when a connection is temporarily unavailable, for example while you are passing through a region with poor cellular reception. In such a case, most VPNs make you go through the time-consuming process of setting up a new connection and authenticating again.

Perhaps an even bigger problem is that most network applications dislike changing network connections and the resulting short-term interruptions. If the system loses its physical connection to the server, network applications become unstable, potentially causing data loss.

This is where seamless roaming functionality can help. An essential requirement for seamless roaming applications is to ensure application persistence, restoring the state of the application prior to connection loss. Application persistence is also required when a connection changes from a faster to a slower communication mode – for example, from a Wi-Fi network with a bandwidth of 50 Mbit/s to an HSPA cellular network connection with 3.6 or 7.2 Mbit/s. In such a case, it is necessary to "calm down" the application in order to prevent data loss. Apart from that, it is essential to keep the interruption during the change of communication medium to a minimum.

Redirecting the VPN tunnel

With seamless roaming, to maintain the VPN tunnel during a change in communication medium, the system has to retain the tunnel's IP configuration. Here's how this works: as soon as the device's IP address changes, the system has to update the VPN connection so that the existing tunnel follows the new address. In addition, roaming of VPN connections requires versions 1 and 2 of the IKE (Internet Key Exchange) protocol to support the redirection of VPN tunnels. IKE is responsible for negotiating the encryption mechanisms and exchanging the keys in IPsec VPNs. With IKEv2, MOBIKE, an extension that allows the host system's IP address to change, takes care of redirecting the VPN tunnel.

With MOBIKE, you are able to establish a VPN connection via a wire-bound LAN in an office, remove the network cable later on and continue to use the same VPN connection via a Wi-Fi network in a different room or building. The applications remain untouched by this change.
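To make the redirection described above concrete, here is an added, simplified model of the IKEv2 MOBIKE address-update exchange (RFC 4555); it is not code from the article or from any VPN product. It assumes a shared integrity key (constructed) and collapses the IKE and child SA SPIs into one pair, but it shows the two security-relevant points: the gateway finds the SA by SPI rather than by source address, and it only switches the tunnel to a new address after an authenticated update and a return-routability (COOKIE2) check.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class IkeSa:
    spi_i: bytes        # initiator SPI: identifies the SA, independent of address
    spi_r: bytes        # responder SPI
    sk_a: bytes         # constructed integrity key shared by both peers
    peer_addr: str      # address the gateway currently sends tunnel traffic to
    esp_seq: int = 0    # tunnel sequence counter; keeps running across a roam


def mac(sa, *parts):
    """Integrity tag over an INFORMATIONAL payload (simplified IKEv2 MAC)."""
    return hmac.new(sa.sk_a, b"".join(parts), hashlib.sha256).digest()


class Gateway:
    """Responder side: SAs are looked up by SPI pair, never by source address."""

    def __init__(self):
        self.sas, self.pending = {}, {}

    def add(self, sa):
        self.sas[(sa.spi_i, sa.spi_r)] = sa

    def on_update_sa_addresses(self, spi_i, spi_r, src_addr, tag):
        """Peer claims a new address: verify the tag, then challenge that address."""
        sa = self.sas.get((spi_i, spi_r))
        if sa is None or not hmac.compare_digest(tag, mac(sa, spi_i, spi_r, src_addr.encode())):
            return None                        # unknown SA or forged update: ignore
        cookie2 = os.urandom(16)               # return-routability challenge
        self.pending[cookie2] = (sa, src_addr)
        return cookie2                         # delivered only to src_addr

    def on_cookie2_reply(self, cookie2, src_addr):
        """Challenge answered from the claimed address: move the SA there."""
        sa, addr = self.pending.pop(cookie2, (None, None))
        if sa is None or addr != src_addr:
            return False
        sa.peer_addr = src_addr
        return True

    def send_esp(self, sa):
        """Emit the next tunnel packet; SPI and keys are unchanged after roaming."""
        sa.esp_seq += 1
        return (sa.peer_addr, sa.spi_r, sa.esp_seq)


def roam(gw, sa, new_addr):
    """Client side: after moving to new_addr, run the MOBIKE update exchange."""
    tag = mac(sa, sa.spi_i, sa.spi_r, new_addr.encode())
    cookie2 = gw.on_update_sa_addresses(sa.spi_i, sa.spi_r, new_addr, tag)
    return cookie2 is not None and gw.on_cookie2_reply(cookie2, new_addr)
```

The sequence counter continuing uninterrupted after `roam()` is what lets the applications inside the tunnel stay untouched by the change of medium.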

Connecting with the touch of a button

Another consideration for seamless VPN access via a cellular network is that the VPN solution automatically re-establishes the connection as soon as the network is available again. This process has to be transparent to the user to ensure that there are no operating errors.

This also means the device does not have to constantly search for the "best" network connection, whether that's Wi-Fi or a cellular network. For the end user, this means only having to click the connect button; the client software selects the appropriate communication medium that the network manager has specified in the policies.

In a business world that is becoming increasingly mobile, seamless roaming is not a luxury but a necessity, and VPN solutions must support it in order to keep up with the times. With companies already confronted by the economic landscape of the day, being restricted by technology is something none of them can afford.
