A Cross-Platform Always On VPN Solution for Ensuring Online Security

Abstract: This thesis examines the implementation of an Always On VPN solution for Windows 10 and macOS, focusing on the configuration of a Palo Alto Firewall to enable their GlobalProtect VPN as Always On. This means that the VPN solution is enabled on a device at all times. The primary objective of this thesis is to present a solution, where the GlobalProtect VPN is configured to be Always On for both Windows 10 and macOS devices. Furthermore, the objective is to evaluate the performance impact of the VPN solution on network throughput, packet loss, and jitter. The study compares performance in both AES 128-bit GCM and AES 256-bit GCM encryption modes, as well as performance without the VPN, to determine its potential impact on employee workflow. The employee workflow consists of file uploads of varying sizes across a single stream as well as multiple streams. Here, our study finds that performance is reduced with the VPN solution active and can limit upload speeds by up to 45% depending on the tested scenario. Jitter and packet loss can also increase by more than 50% for jitter and roughly 10% for packet loss. It is worth noting that the practical differences such as time lost through lower network throughput when enabling the VPN solution or added jitter and packet loss is till very low for the majoirty of the scenarios tested in this thesis.  Additionally, the thesis analyzes the functional and performance differences between Windows 10 and macOS when utilizing the VPN solution. Performance wise, the loss is similar between Windows 10 and macOS in certain scenarios but can differ in others. The thesis also highlights a significant limitation of the GlobalProtect VPN, specifically concerning its ability to enforce an Always On VPN experience on macOS devices. Unlike Windows 10, macOS users can still uninstall the VPN agent, posing challenges in ensuring continuous VPN connectivity. The thesis proposes removing administrative rights from macOS users as an optimal solution to prevent agent uninstallation and to maintain an Always On VPN experience with Palo Alto's GlobalProtect VPN.