Virtual private networks, or VPNs, encrypt connections between company networks and remote users. They are a great way to secure the transmission of data between networked devices through an encrypted “tunnel” over the internet. There are lots of different VPN providers, and even a few competing protocols on the market. Depending on what you’re trying to accomplish, each of these solutions may have their own relative strengths and weaknesses, which raises the question: What are the core security elements you should consider when evaluating a VPN for your team or organization?
This article outlines some of the most critical aspects of VPNs that you should evaluate before making a decision. But first, it’s important to clear up a point that often causes confusion: the difference between what we call a “privacy VPN,” and a “corporate VPN.”
What are the key differences between privacy and corporate VPNs?
Individuals and organizations both use VPNs for privacy and security, but usually for different reasons. Individuals tend to use VPNs, sometimes called privacy or consumer VPNs, to encrypt their personal web traffic or access location-specific content and services. In addition to encrypting web traffic, companies typically also rely on corporate VPNs to create a private network of shared resources, devices, and services that employees can securely access whether they’re working from the office or remotely.
Privacy (consumer) VPNs
Privacy VPNs are geared toward maintaining privacy and anonymity online. This is done by routing encrypted web traffic through a proxy server in a chosen geographic location, which obscures the user’s original IP address from the sites they visit and hides the destinations from the local network. Note that the traffic is only encrypted as far as the provider’s server: the VPN provider itself can see it, so this model trades trust in your ISP for trust in the VPN vendor. Consumers often choose a privacy VPN to access content or services that aren’t available in their physical location. Other times, consumer VPNs are used to avoid firewall restrictions from the local network or internet service providers (ISPs). Consumer VPNs also help users prevent their online activities from being tracked or monitored either by their ISP or by the websites they visit.
By contrast, corporate VPNs give employees access to an organization’s internal network or cloud resources. These are often known as remote access VPNs, and their primary aim is to make sure that employees can securely access things such as company databases, applications, files, and documents to carry out their day-to-day work.
Corporate VPNs can also be used to establish secure and encrypted connections between an organization’s offices, even across multiple locations, through the public internet, for sharing and accessing company resources. This type of VPN is referred to as a site-to-site VPN. For both remote access and site-to-site networking, traffic between the endpoints is encrypted and authenticated, so anyone on the public path between them can neither read nor alter it. The VPN protects the transport; which users and devices may reach which internal resource is a separate matter of authentication and access control, covered below.
With that distinction out of the way, let’s turn to our main question: what security features you should consider when hunting for a corporate VPN.
What makes for a good corporate VPN?
When it comes to evaluating the core security capabilities of a VPN, there are three main areas to consider: ease of deployment and configuration, identity management and SSO, and supported protocols and encryption. Beyond those there is a set of smaller, but still worthwhile, features.
Ease of deployment and configuration
Corporate VPNs can help secure your data, but only if they’re set up correctly. Setup can be convoluted, labor-intensive and error-prone, so finding a VPN solution that is easy to set up and deploy on devices should be a top priority. Here are some common problem areas.
Hosting and maintaining a VPN server (or gateway) can be challenging if you want to deploy a self-hosted instance as part of your on-premise infrastructure, as it may require a certain level of technical expertise and knowledge of Linux and networking to get everything working properly. Additionally, implementing a site-to-site VPN to establish secure communication between multiple offices or infrastructures could prove thorny, depending on whether you’re using a cloud instance or a self-hosted instance.
Another common problem area is getting the client, or software package, downloaded and installed onto every device in your network. Some solutions may require you to first log in from each device before downloading the client for each platform. An alternative approach is to share individual links for each client with every employee, which isn’t a great experience for anyone — especially for new employees.
You should also be aware that certain VPN solutions may be easy to deploy and not require any special skills, but other solutions (especially self-hosted ones) might require more expertise, such as basic Linux CLI skills. If you plan to start with a simpler implementation, then upgrade in the future, you should be sure that your team has the expertise to make it happen.
Another crucial factor is the ability to run on every device and operating system that you need it to, which may include Windows, Linux, macOS, iOS, Android, FreeBSD and even Network Attached Storage (NAS). Not every VPN offers support for every platform.
Identity management or single sign-on (SSO) capabilities
Like all systems, a VPN is only as secure as its ability to ensure that only authorized users can gain access to it in the first place. Using the principles of identity and access management (IAM), such as single sign-on (SSO), is critical.
Some corporate VPNs integrate SSO with identity providers (IdPs) such as Okta, Google, Microsoft AD, and OneLogin for user authentication and onboarding. If your existing identity management infrastructure includes any of these providers, your organizational onboarding should be simple. Something to bear in mind, however, is that not all VPNs support SSO for mobile devices, in which case users can only use the VPN on supported desktop systems.
If your IdP isn’t supported by your VPN, you can always look for a VPN that integrates with OpenID Connect (OIDC) compliant IdPs. In addition, some VPNs allow for a certificate-based client login, where your users can use certificates to authenticate both the client and the server, providing a secure and verifiable connection.
Some VPN solutions handle device authentication by assigning a unique network ID to each device that joins the virtual network. This network ID identifies the device and determines what it can reach on the network. When a device joins, it presents its network ID, which the provider’s network controller checks against its list of authorized devices; only then is the device admitted and assigned an IP address. Bear in mind that a network ID identifies the device, not the person using it, so it should complement user authentication such as SSO rather than replace it.
Supported protocols and encryption
You should also vet the protocols and ciphers a VPN uses. Many VPNs protect the client-to-server channel with Transport Layer Security (TLS); its predecessor, Secure Sockets Layer (SSL), is obsolete and should be disabled wherever a product still offers it. IPsec is the other common choice for securing traffic over IP networks. It is sound when configured well, but it exposes many options, and weak choices such as legacy cipher suites, IKEv1 aggressive mode, or short pre-shared keys undermine it. For the bulk data encryption itself, look for a modern authenticated cipher such as AES-GCM or ChaCha20-Poly1305; the Advanced Encryption Standard (AES) replaced DES and 3DES, which are no longer considered secure.
Other VPNs define their own protocols on top of standard building blocks. OpenVPN, for example, uses its own open source protocol built on the OpenSSL library, the most widely deployed TLS implementation: the control channel (key exchange and authentication) runs over TLS, and the data channel is encrypted with a cipher from that library, typically AES-GCM. Note that any VPN encrypts data in transit only; it does nothing for data at rest on either endpoint.
ZeroTier likewise uses its own virtual networking protocol, which combines symmetric encryption with elliptic-curve key agreement to protect data in transit. Keys are exchanged automatically when devices join the network, so there’s no manual key configuration. The exact ciphers, and whether forward secrecy is provided, have changed between versions, so check the current protocol documentation rather than relying on a vendor summary.
Extra security features
There are many additional security features available as part of most corporate VPN solutions. Depending on your use cases, these may be critical; in any case, they’re probably a good idea.
- Multifactor authentication (MFA): Using a VPN that supports MFA will give you an extra layer of security to protect your network and devices, and is highly recommended.
- Access controls and policies: Dialing in fine-grained permissions levels with access control lists (ACLs) enables you to enforce network access restrictions based on user and device profiles and helps you limit a user or group of users to specific resources on your network.
- Monitoring and alerts: An informative, near real-time monitoring dashboard, and text or email alerts, help keep you updated on security threats, including login attempts, suspicious network activity, and potential malware infections.
- DNS filtering: This can help ensure the security of your network by enabling you to block malicious, harmful, or inappropriate content, traffic, and websites.
- Network segmentation: Breaking down your virtual network into smaller sub-networks or zones allows you to restrict access to specific devices or services.
- Firewall-as-a-service (FWaaS): This provides a secure barrier between the company’s network and the internet, as a traditional firewall would, but delivered as a cloud service.
- Threat and intrusion detection: Using an embedded product like Suricata implements threat and intrusion detection across your network, helping you be proactive in responding to threats.
- Secure device management: Being able to centrally manage all your onboarded devices helps make sure every device is up to date and in compliance with your security policy.
- Logging: Some VPNs provide detailed logging of network activity, which can be used to detect and respond to security incidents.
How does Tailscale measure up?
Tailscale is a software-defined networking solution that allows users to create virtual, private, and secure connections for their personal devices and shared resources. It allows users to securely connect to, and access, resources on their network — such as servers and applications — from anywhere in the world.
Tailscale is easy to set up and simple to use, with little to no manual configuration required. Tailscale runs on each device, and creates a secure mesh network between them, eliminating the need for traditional VPN gateways, aggregators, or complicated network configurations.
As it encrypts all traffic between devices and uses secure key management to ensure that only authorized devices can join the network, Tailscale is ideal for remote teams, distributed organizations, and anyone who wants to securely connect to their devices and resources from anywhere.
Ease of deployment and configuration
Tailscale can be installed on Windows, macOS, Linux, iOS, and Android devices, and it can run on-premises or in the cloud. Tailscale features an intuitive and easy-to-use web admin console that allows users to manage, monitor, and troubleshoot their network, including adding or removing devices and controlling access to resources.
For most employees, joining their organization’s tailnet is as simple as installing the client on a device and logging in with a company email address. They don’t even need to create a ticket or contact an IT admin, allowing employees to self-serve their onboard process.
Identity management or SSO capabilities
Tailscale lets you log in with your existing SSO provider, making it easy to access your organization’s Tailscale network (tailnet). Because user authentication is delegated to the identity provider, the MFA and account lifecycle policies you already enforce there apply to VPN access as well.
Supported VPN protocols and encryption
Tailscale uses the WireGuard® VPN protocol, a relatively new protocol designed to be fast, secure, and easy to set up. Its design advantages over OpenVPN and IPsec are a much smaller codebase that is easier to audit, a fixed set of modern cryptographic primitives with no cipher negotiation (so there is nothing to misconfigure), and a simple handshake that has been formally analyzed. It is also known for high throughput and reliable performance.
Tailscale therefore inherits WireGuard’s strong encryption for data transmitted over the network. Specifically, it uses the ChaCha20-Poly1305 authenticated cipher (ChaCha20 for encryption and Poly1305 to authenticate every packet), Curve25519 for key exchange, BLAKE2s for hashing, and HKDF for key derivation.
Tailscale also provides PFS: each WireGuard session is keyed from ephemeral keys that are discarded and renegotiated regularly (every couple of minutes), so even if a device’s long-term key is later compromised, past session keys remain secure.
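To make the forward-secrecy point concrete, here is an added, stdlib-only example (not Tailscale’s or WireGuard’s code) that combines the two ingredients named above: a Curve25519 (X25519) Diffie-Hellman exchange and HKDF. It is a simplified sketch rather than WireGuard’s actual Noise IK handshake: each side mixes a static-static DH (which proves who the peer is) with an ephemeral-ephemeral DH (which is fresh per session) and derives directional keys with HKDF. The key names, the `example-session-v1` label, the SHA-256 choice for HKDF (WireGuard uses BLAKE2s) and the omission of the packet cipher are all assumptions made for this illustration.

```python
"""Forward-secret session keys from X25519 + HKDF (added example, simplified, stdlib only)."""
import hashlib
import hmac
import secrets

# --- X25519 scalar multiplication, the Montgomery ladder from RFC 7748 section 5 ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """Clamp a 32-byte private scalar as RFC 7748 requires."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Return scalar * u on Curve25519 (u-coordinate only), both as 32-byte little-endian."""
    k = _clamp(scalar)
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P  # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# --- HKDF, RFC 5869 (WireGuard uses the same extract/expand construction over BLAKE2s) ---
def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, digestmod=hashlib.sha256) -> bytes:
    prk = hmac.new(salt or bytes(digestmod().digest_size), ikm, digestmod).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + info + bytes([counter]), digestmod).digest()
        okm += block
        counter += 1
    return okm[:length]


def keypair() -> tuple[bytes, bytes]:
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def session_keys(my_static_priv, my_eph_priv, peer_static_pub, peer_eph_pub, initiator: bool):
    """Directional (send, recv) keys. Static DH authenticates; ephemeral DH gives forward secrecy."""
    ss = x25519(my_static_priv, peer_static_pub)  # identical on both sides, fixed for these identities
    ee = x25519(my_eph_priv, peer_eph_pub)        # identical on both sides, new for every session
    okm = hkdf(ss + ee, salt=b"", info=b"example-session-v1", length=64)  # assumed label
    return (okm[:32], okm[32:]) if initiator else (okm[32:], okm[:32])


def run_session(static_i_priv, static_i_pub, static_r_priv, static_r_pub):
    """One session between initiator (i) and responder (r); returns both key pairs and the transcript."""
    ei_priv, ei_pub = keypair()
    er_priv, er_pub = keypair()
    i_keys = session_keys(static_i_priv, ei_priv, static_r_pub, er_pub, initiator=True)
    r_keys = session_keys(static_r_priv, er_priv, static_i_pub, ei_pub, initiator=False)
    # The ephemeral private keys are dropped now; only their public halves were ever on the wire,
    # so an attacker who later steals both static keys still cannot recompute `ee` for this session.
    del ei_priv, er_priv
    return i_keys, r_keys, (ei_pub, er_pub)


if __name__ == "__main__":
    si_priv, si_pub = keypair()
    sr_priv, sr_pub = keypair()
    (i_send, i_recv), (r_send, r_recv), _ = run_session(si_priv, si_pub, sr_priv, sr_pub)
    print("keys agree:", i_send == r_recv and i_recv == r_send)
```

The design point is the `del`: because the per-session secret depends on ephemeral private keys that exist only for the lifetime of the session, compromising the long-term static keys afterwards does not yield past traffic keys. Real WireGuard additionally mixes static-ephemeral DHs, binds the handshake to a transcript hash, and rotates sessions on a timer, but the forward-secrecy mechanism is the same.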
Extra Security Features
- End-to-end encryption: Tailscale encrypts all network traffic end to end, ensuring that data is protected from eavesdropping and tampering.
- Authentication: Every Tailscale node holds its own WireGuard key pair. A device’s public key is registered with the coordination server only after its user authenticates through the identity provider, and peers learn each other’s public keys from that server, so only authorized devices can join the network.
- ACLs: Tailscale provides fine-grained access controls, expressed as a default-deny policy of accept rules, that allow administrators to grant and revoke access to specific devices, users, and ports.
- Logging: Tailscale provides detailed logging of network activity, which can be used to detect and respond to security incidents.
- Compliance: Tailscale’s controls (SSO, ACLs, logging) support customers’ compliance programs under standards such as SOC 2, HIPAA, and PCI DSS, although using it does not by itself make an organization compliant.
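The “access controls and policies” item in the general feature list above and the ACL item here both describe the same idea: a default-deny policy in which only explicit accept rules open a path. The following is an added example, not Tailscale’s own code or official schema, of how such a policy is evaluated. The policy dictionary is constructed here in the shape of a Tailscale-style ACL file (users, groups, tags and `*` in `src`, `tag:port` in `dst`); the group names, user addresses and tags are made up, and the evaluator ignores features of the real format such as CIDRs, hosts and autogroups.

```python
"""Default-deny evaluation of a Tailscale-style ACL policy (added example, simplified model)."""
from __future__ import annotations
from typing import Any

# Constructed policy: in a real deployment this lives in a HuJSON policy file. Everything below is
# illustrative; the names are assumptions for the example.
POLICY: dict[str, Any] = {
    "groups": {
        "group:eng": ["alice@example.com", "bob@example.com"],
        "group:dba": ["carol@example.com"],
    },
    "acls": [
        # Anyone on the tailnet may reach the wiki over HTTPS.
        {"action": "accept", "src": ["*"], "dst": ["tag:wiki:443"]},
        # Engineers may SSH to production hosts, nothing else on them.
        {"action": "accept", "src": ["group:eng"], "dst": ["tag:prod:22"]},
        # Only DBAs may reach the database port on production.
        {"action": "accept", "src": ["group:dba"], "dst": ["tag:prod:3306"]},
    ],
}


def _expand_src(entry: str, policy: dict[str, Any]) -> set[str]:
    """Turn a src entry into the set of user identities it covers ('*' stays a wildcard)."""
    if entry == "*":
        return {"*"}
    if entry.startswith("group:"):
        return set(policy["groups"].get(entry, []))
    return {entry}


def _parse_dst(entry: str) -> tuple[str, str]:
    """'tag:prod:22' -> ('tag:prod', '22'); '*:*' -> ('*', '*')."""
    host, _, port = entry.rpartition(":")
    return host, port


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:  # range such as 8000-8100
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def matching_rule(policy: dict[str, Any], user: str, dst_tag: str, port: int) -> int | None:
    """Index of the first accept rule that allows user -> dst_tag:port, or None if denied."""
    for idx, rule in enumerate(policy["acls"]):
        if rule.get("action") != "accept":  # only accept rules exist; anything else is ignored
            continue
        sources: set[str] = set()
        for entry in rule["src"]:
            sources |= _expand_src(entry, policy)
        if "*" not in sources and user not in sources:
            continue
        for dst in rule["dst"]:
            host, port_spec = _parse_dst(dst)
            if host in (dst_tag, "*") and _port_matches(port_spec, port):
                return idx
    return None  # default deny: no rule matched


def is_allowed(policy: dict[str, Any], user: str, dst_tag: str, port: int) -> bool:
    return matching_rule(policy, user, dst_tag, port) is not None


def overly_broad_rules(policy: dict[str, Any]) -> list[int]:
    """Indices of rules that let everyone reach everything; a quick lint before deploying a policy."""
    broad = []
    for idx, rule in enumerate(policy["acls"]):
        if "*" in rule["src"] and any(_parse_dst(d) == ("*", "*") for d in rule["dst"]):
            broad.append(idx)
    return broad


if __name__ == "__main__":
    for user, tag, port in [("alice@example.com", "tag:prod", 22), ("alice@example.com", "tag:prod", 3306)]:
        print(user, tag, port, "->", "allow" if is_allowed(POLICY, user, tag, port) else "deny")
```

Two properties worth checking in any such evaluator, and that the tests exercise: an unlisted user gets only what `*` rules grant, and a user in one group cannot reach a port reserved for another group even on the same host, because denial is the absence of a match rather than an explicit rule.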
Download Tailscale, and give it a spin for free.
Frequently Asked Questions
Here are some common questions about VPN security, and their answers.
How do the security concerns of a consumer VPN differ from those of a corporate VPN?
Consumer VPNs, also known as privacy VPNs, are generally targeted to individual users who want to keep their online activity private and anonymous. This type of VPN works by routing a user’s traffic through a proxy in a specific geographic location, which obscures the user’s IP address. Consumer VPNs can also give users access to online content or services that aren’t available in their physical geographic location.
By contrast, corporate VPNs are designed to provide secure connections to a company’s internal network. A remote access VPN allows employees to access the corporate network and the resources on it while logging in from home or otherwise working remotely. A site-to-site VPN connects an organization’s geographically separated networks — for example, the networks of offices spread across the country — for easy and secure sharing of company resources.
What are the top security features a corporate VPN should have?
When evaluating a corporate VPN, you should look for one that is easy to deploy and configure, both to minimize setup time and to reduce the potential for errors, which could jeopardize the secure connection you’re trying to achieve. The VPN should also leverage a robust identity management system, such as single sign-on (SSO), to ensure only authorized users can gain access to the network. And, not least, the VPN should use modern, well-reviewed cryptography, whether a standard such as Transport Layer Security (TLS, the successor to the now-obsolete Secure Sockets Layer, SSL) or IPsec, or a purpose-built protocol such as OpenVPN’s (built on the OpenSSL library) or WireGuard.