If you’re responsible for helping secure mobile users on laptops, tablets or smartphones, a Virtual Private Network (VPN) needs to be in your toolbox. When end users are roaming around the world outside of protected enterprise networks, they are at their greatest risk level. Whether it’s on open Wi-Fi (the worst) or carrier networks (somewhat better), the list of threats is long and, unfortunately, very real.

A VPN connection can bring real security — but only if it’s a good one. VPNs can also be important to work around traffic blocks on guest and public Wi-Fi networks. You don’t want staff to be working at a client site and not be able to get their email, for example, because everything but ports 80 and 443 are being blocked, which is a common problem.

You can build a VPN server as part of your corporate IT offering, either at a data center or in the cloud. Or, you can work with one of the dozens of cloud-based VPN vendors, such as Samsung Secure Wi-Fi, to offer a service to your end users. When using cloud-based services, remember traffic is not protected from the VPN service in the cloud to your application servers. That gap shouldn’t be a problem if you have application-layer encryption to take care of the last mile and aren’t concerned about general internet snooping, but keep in mind the security differences and choose appropriately.

Here are some things to look for in a good cloud-based VPN connection … and some things not to worry about.

Traffic Coverage

Any VPN service must be able to cover 100 percent of the IPv4 traffic, including connection-oriented (TCP) and connectionless (UDP) IP. If you’re only protecting TCP, that leaves a huge, gaping hole for attackers to redirect and confuse end users. Look for IPv4 and IPv6 double coverage as well. Public networks, especially carriers, are frequently handing out both IPv4 and IPv6 addresses — and this trend is growing. If your VPN only covers IPv4, you could be sending unprotected IPv6 traffic without even realizing it.

Automation

You don’t want end users to have to think about the VPN; it needs to happen automatically and transparently. VPN client software should bring up the connection automatically whenever the user is roaming away from defined “safe” networks. You should be defining safe exceptions — when not to have the VPN — rather than trying to come up with all the unsafe networks. VPN clients that won’t work over carrier (non-Wi-Fi) networks or that consider encrypted Wi-Fi to be safe aren’t good choices. Pick a product that lets you establish the parameters for when and how connections will be made, and take that out of the hands of the end user.

Compatibility

Although IPSec is the standard for secured TCP/IP communications, many Wi-Fi networks allow only a limited set of services — and IPSec may not be one of them. The VPN client, therefore, has to be able to operate, in the worst case, over a Wi-Fi network that only allows TCP port 443, even though that’s an inefficient way to run a VPN. The best products are adaptive, trying to connect using standard ports and protocols and falling back to less efficient or non-standard communications when all else fails.

Security

Generally, security is one of those things you don’t need to worry about when it comes to VPN. Enterprise VPN connections don’t need to be proofed against traffic analysis for 20 years in the future, which means that requiring algorithms such as AES-256 will have the effect of slowing down communications without really changing your risk profile over AES-128. You certainly don’t want to be using deprecated crypto and hash algorithms such as MD5, RC4 or DES, but you also (probably) don’t need to go overboard here. That being said, if you have a choice and it doesn’t affect performance, always select the most secure encryption and hash algorithms available to you.

Diversity … and Legality

Some Wi-Fi service providers try to block VPN connections, so pick a cloud-based service that has multiple entry points and which can dynamically find one that works.

However, make sure you educate employees who are traveling abroad about potential legal issues with using VPN connections. In some countries, VPN software may need to be registered with the government or may be banned outright. You don’t want people to get into trouble when traveling just because they turned on their smartphone and brought up an automatic VPN connection. It’s unlikely to be an issue, but it’s better to be safe than sorry, so do your research first.

Finally, be careful of “Country Group E,” which includes (currently) Cuba, Iran, North Korea (DPRK), Sudan and Syria. Export control regulations from the US are complicated and confusing, but, in general, taking VPN software into these five countries can get you into hot water with the US government.

Device security is now a key pillar of businesses large and small in the process of growing their mobile footprint. Learn more about the future of mobile security in this webinar on the topic.