VPN: A security panacea?

By Avery Moore

Senior Director/Security

Jazz Solutions, Inc.

Does using a VPN mean you are secure?

With the holiday season upon us, you may find yourself away from home and forced to use an insecure network and/or a public Wi-Fi. While you are thinking about holiday get-togethers, you should also be thinking deep thoughts about your information security. One topic sure to elicit conversations and opinions is the virtual private network, or VPN.

NIST defines a VPN as “[a] virtual network built on top of existing physical networks that can provide a secure communications mechanism for data and IP information transmitted between networks or between different nodes on the same network.” Put more simply: It’s a secure tunnel.

There are three basic VPN architectures:

1) connecting a remote office to a main office

2) connecting remote workers to the office (or to office/work resources)

3) securing the internet connection on a consumer endpoint such as a laptop or mobile device.

This article focuses on the last model.

There’s a lot of hype right now about consumer VPN services. You’ve probably seen the ads that proclaim things like stay safe online, browse the web anonymously, keep your personal info secure, encrypt your data, protect your privacy, hide your traffic, etc.

While a VPN certainly provides some or all of the above in certain ways, it’s important to know how they work, the situations where they are most useful, and why you want to use one in the first place.

What a VPN does

A consumer VPN client establishes an encrypted session (or a “tunnel”) between the endpoint (i.e., your laptop) and the VPN server hosted by the VPN provider.

This encryption occurs on the laptop, securing data that is transmitted through the connected network. The connected network cannot see the contents (your secret data) of that traffic, but it can see the existence of that traffic. The encrypted tunnel also ensures that any unencrypted session cookies, DNS queries, and other potentially unencrypted data communications are not visible to the local network. A typical internet session without a VPN could comprise connections to many different IP addresses, but connecting to a VPN can limit those connections to only one, thereby shielding, to some extent, your internet activity (i.e., the sites you visited) from anyone snooping on the local network.

The laptop must still use an IP address and the connected infrastructure (Wi-Fi, switches, routers, proxies, firewalls) to get the encrypted/encapsulated packets to the VPN server. So, you’re not completely hiding.

Why you should use a VPN

Using a “hostile” network

You’ve heard that connecting to public Wi-Fi can be dangerous. You can accidentally connect to a fake hotspot. The Wi-Fi service might not encrypt your session between your laptop and the Wi-Fi router, potentially exposing your data. And it can be a means to pick up some malware. A VPN can provide a modest increase in your security in these situations.

VPN services typically use “strong encryption,” meaning they ultimately use Advanced Encryption Standard (AES) algorithms to encrypt the traffic between the hosts. In the case of an unencrypted hotspot, the VPN encapsulates your traffic going in and out of that hotspot, protecting your sensitive data from prying eyes.

Attackers can use man-in-the-middle attacks or rogue hotspots to try to intercept, decrypt, read, re-encrypt, and then forward your traffic to its destination. But if you are using a VPN’s encrypted tunnel, even an attacker who is successful with this method wouldn’t be able to see the data inside your encrypted packets.

Public Wi-Fi is not without risk, but the above attacks are somewhat rare. Attackers have a much easier time attacking you remotely, sending a phishing email, or using one of your re-used passwords than trying to attack you from close physical proximity.

Connect to the Internet from another location

VPNs allow you to appear as if you are in another location, including another country. This can be useful if you want to access streaming content that is unavailable in your location (geo-restricted). Using a VPN means you don’t have to hop on a jet to binge some previously unreachable content, though it should be noted that some content providers may prohibit this type of activity and block IP addresses coming from VPN providers.

What a VPN won’t do

A VPN doesn’t automatically make you anonymous on the internet. When connected to a VPN, your laptop still needs to use the internet infrastructure to which you are connected to get to the VPN server. You leave a footprint of your activities, and they can be traceable. Additionally, the websites you visit can still do the usual tracking via cookies and other means. This is far from anonymity.

A VPN can’t automatically protect you from malware if you use the VPN connection to visit questionable web sites. Unless there are other features enabled, an encapsulated session will allow you to visit malicious sites to your heart’s content.

A VPN won’t keep you from falling for a phishing email. Many phishing emails use social engineering to convince you to take action. No amount of encrypted tunneling can keep you from being deceived.

A VPN won’t make your internet connection faster. The VPN connection cannot go any faster than your existing internet connection.

And finally, a VPN is not a one-click security panacea that makes you safe. A VPN is a tool that, when accompanied by other tools and properly used, can enhance your security.

Do you trust your VPN provider?

The VPN provider touches all of the traffic you send to it and, therefore, has the ability to view everywhere you go on the internet. The VPN provider can view all previously unencrypted traffic, because they are terminating their encrypted tunnel and sending the traffic to its ultimate destination. The provider may not be able to see all your traffic, such as encrypted web traffic, but they can see where you’re connecting from and what sites you’re visiting. What they do with that data can determine just how much privacy you really have. Examine your VPN provider’s privacy policy and other security-related documentation. If they log your sessions, what are they logging, what are they doing with the logs, and how long are they keeping them? Check to see if your VPN provider has been audited or assessed by an independent third party against standards such as ISO 27001 or for a SOC 2 Type 2 report. This can provide some assurance that they are actually doing what they say they are doing. And VPN providers that have been in business for a while can garner more trust than a relatively new provider, so do your homework when considering using a VPN.
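
The visibility described here and under "What a VPN does" can be put side by side in a simplified model. This is an added example, not part of the original article; the addresses, hostnames, tunnel port and per-packet overhead are constructed assumptions.

```python
from dataclasses import dataclass

VPN_SERVER = "203.0.113.10"  # constructed address (documentation range)
TUNNEL_PORT = 51820          # assumed tunnel port
TUNNEL_OVERHEAD = 60         # assumed encapsulation overhead per flow, bytes

@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    size: int
    name: str = ""       # hostname exposed in cleartext (DNS query, HTTP Host, TLS SNI)
    cleartext: str = ""  # payload readable on the wire; empty when encrypted

# Constructed sample traffic from one laptop session.
SESSION = [
    Flow("198.51.100.53", 53, 80, name="bank.example", cleartext="A? bank.example"),
    Flow("192.0.2.20", 443, 1400, name="bank.example"),  # HTTPS: only the name leaks
    Flow("192.0.2.80", 80, 600, name="news.example", cleartext="Cookie: sid=abc123"),
]

def encapsulate(flows):
    """What leaves the laptop once the VPN client wraps every flow."""
    return [Flow(VPN_SERVER, TUNNEL_PORT, f.size + TUNNEL_OVERHEAD) for f in flows]

def observe(flows):
    """Summarise what a party that can see these flows learns from them."""
    return {
        "destinations": sorted({f.dst_ip for f in flows}),
        "names": sorted({f.name for f in flows if f.name}),
        "readable": [f.cleartext for f in flows if f.cleartext],
        "bytes": sum(f.size for f in flows),  # traffic volume is never hidden
    }

def vantage_points(session):
    return {
        "local network, no VPN": observe(session),
        "local network, VPN on": observe(encapsulate(session)),
        # The provider terminates the tunnel, so it sees the inner flows again.
        "VPN provider": observe(session),
    }

if __name__ == "__main__":
    for who, view in vantage_points(SESSION).items():
        print(f"{who}: {view}")
```

With the tunnel up, the local network is left with one destination and a byte count, while the provider's view matches what the local network saw without the VPN.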

You get what you pay for … probably

Free VPN services often sell users’ personal information to pay for that “free” offering. So, though you might be a little more secure online, your VPN provider may be tracking your moves and selling your data -- the very thing you’re trying to protect against. Be wary of free VPNs. It has often been said that if you aren’t paying for the product, you are the product.

VPN is a good choice but not a panacea

Using a trusted VPN service with a good reputation and privacy policy can be an excellent addition to your security toolbox. But understand what exactly you are trying to accomplish with a VPN and use it as a complement to other good security practices, such as good password management, multi-factor authentication, etc.

#vpns #technology #IT #softwareengineering #userexperience #security #securityprofessionals #software #riskmanagement #malware #techblog #JSL

Good job Avery. Not too detailed, not so high level to be of no value. Typical good work by a professional. Hope you're doing well.

Lawrence Wakefield

Aspiring Analyst/ IT Professional | 5+ years of Customer Service Experience |

2 years

Great and informative article!
