VPN under load: what to check when the whole office went home
A practical guide for managers: how to assess the security and reliability of remote access during a mass shift to remote work.
Companies that moved most of their staff to remote work in March 2020 found themselves in a situation most IT teams had not prepared for. The VPN works. But it works under overload, unstably, and often with settings that were adequate for five people on business trips - not for a hundred simultaneous connections.
This creates two problems at once: operational and security-related.
The operational problem
Most corporate VPN gateways have licensing or hardware limits on the number of simultaneous sessions. When the limit is reached, new connections are rejected or degrade.
Even if the gateway handles the session count, the channel may be saturated. Everything - critical business traffic, email, Teams, and the YouTube video someone is watching in the background - flows through one tunnel. Split tunneling, which routes only corporate traffic through the VPN, is not configured in most companies.
The security problem
The mass shift to remote work is not only an operational challenge. It is an expansion of the attack surface over a few weeks. A few specific risks:
Home devices and networks. An employee connects from a personal laptop that was never updated and never managed by corporate IT. Or from a work laptop over a home Wi-Fi router that was last updated four years ago.
Weak passwords and no MFA. Many companies still use only a password for VPN access. With credentials being compromised regularly, that is an unacceptable risk level for an externally exposed service.
COVID-themed phishing. Attacks using the coronavirus topic spiked sharply in February and March. Employees under stress and in an unfamiliar environment click on links they would have avoided in normal circumstances.
Loss of visibility. When split tunneling is left uncontrolled, the employee's internet-bound traffic leaves the home device directly instead of passing through the corporate gateway, and the IT team loses monitoring of it. An incident can go unnoticed for longer.
What to check right now
A few concrete questions for the manager responsible for IT:
- What is the maximum VPN capacity in simultaneous sessions - and how many are in use right now?
- Is multi-factor authentication enabled for all VPN users?
- Are all employees connecting from devices managed by corporate IT - or are some using personal devices?
- Does the IT team have visibility into what is happening on connections - at least basic monitoring?
- Has there been a recent briefing for staff on phishing and safe behaviour while remote?
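The checklist above can be turned into a repeatable readiness check. The following is an added example, not code from the article: it assumes a hypothetical export of active sessions from the VPN gateway, parsed into one record per session with the fields shown, and a licensed session limit. Field names, the sample records, and the 80% utilization alert threshold are all constructed for illustration; a real gateway's export format will differ.

```python
"""Readiness check over a (constructed) VPN gateway session export.

Answers four of the checklist questions from the article: capacity headroom,
MFA coverage, unmanaged devices, and split-tunneling visibility gaps.
"""
from dataclasses import dataclass, field

GATEWAY_CAPACITY = 7          # constructed licence limit on simultaneous sessions
HIGH_UTILIZATION_PCT = 80.0   # assumed alert threshold, not from the article

# Constructed sample of active sessions. 'managed' = device enrolled in
# corporate device management; 'mfa' = session authenticated with a second
# factor; 'split_tunnel' = internet-bound traffic bypasses the gateway.
SESSIONS = [
    {"user": "a.ivanova", "device": "LT-0142",  "managed": True,  "mfa": True,  "split_tunnel": False},
    {"user": "b.petrov",  "device": "HOME-PC",  "managed": False, "mfa": False, "split_tunnel": True},
    {"user": "c.sidorov", "device": "LT-0077",  "managed": True,  "mfa": True,  "split_tunnel": False},
    {"user": "d.kim",     "device": "HOME-MAC", "managed": False, "mfa": True,  "split_tunnel": False},
    {"user": "e.novak",   "device": "LT-0203",  "managed": True,  "mfa": False, "split_tunnel": False},
    {"user": "b.petrov",  "device": "LT-0310",  "managed": True,  "mfa": True,  "split_tunnel": False},
]


@dataclass
class Report:
    active_sessions: int
    capacity: int
    utilization_pct: float
    users_without_mfa: list = field(default_factory=list)
    unmanaged_devices: list = field(default_factory=list)
    split_tunnel_users: list = field(default_factory=list)


def build_report(sessions, capacity):
    """Summarise the session export against the checklist questions."""
    active = len(sessions)
    # Guard against a zero capacity so an unlicensed/unknown gateway does not crash the check.
    pct = round(100.0 * active / capacity, 1) if capacity else 0.0
    return Report(
        active_sessions=active,
        capacity=capacity,
        utilization_pct=pct,
        # Sets collapse multiple sessions of the same user/device to one entry.
        users_without_mfa=sorted({s["user"] for s in sessions if not s["mfa"]}),
        unmanaged_devices=sorted({s["device"] for s in sessions if not s["managed"]}),
        split_tunnel_users=sorted({s["user"] for s in sessions if s["split_tunnel"]}),
    )


def findings(report):
    """Return one human-readable line per checklist item that needs attention."""
    out = []
    if report.utilization_pct >= HIGH_UTILIZATION_PCT:
        out.append(f"capacity: {report.active_sessions}/{report.capacity} sessions in use "
                   f"({report.utilization_pct}%)")
    if report.users_without_mfa:
        out.append("mfa: sessions without a second factor for " + ", ".join(report.users_without_mfa))
    if report.unmanaged_devices:
        out.append("devices: unmanaged endpoints connected: " + ", ".join(report.unmanaged_devices))
    if report.split_tunnel_users:
        out.append("visibility: split tunneling active for " + ", ".join(report.split_tunnel_users))
    return out


if __name__ == "__main__":
    rep = build_report(SESSIONS, GATEWAY_CAPACITY)
    for line in findings(rep) or ["no findings"]:
        print(line)
```

Run against a real export, the script gives the IT manager a one-screen answer to the capacity, MFA, device and visibility questions; the session-count check is worth scheduling rather than running once, since utilization is what changes hour by hour during a mass shift to remote work.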
Short-term measures
If the answers to some of these questions are unsatisfactory:
- Priority one: MFA for VPN. This is a fast and meaningful measure that reduces the risk of credential compromise.
- Restrict VPN access to only what is genuinely needed. If the finance team does not work with production systems, they should not be able to reach them through the VPN.
- Remind staff to be careful with links and attachments. It seems obvious, but it works.
- Check that critical backups and event logs do not depend solely on infrastructure that is now harder to reach.
This is not a final solution. It is the minimum that reduces risk during the acute phase.