VPNs: What Do They Do, and What Don’t They Do?

Virtual Private Networks, or VPNs, are not exactly a new technology. When I started my career in IT about 15 years ago, VPN tunnels were the standard way we connected remote offices by extending private networks over the public Internet. Recently, as workforces continue to decentralize due to the rise of Cloud Computing as well as the current pandemic, VPN has become an even hotter topic and is being marketed as a critical security solution. As you might imagine, a 30-second ad praising the virtues of VPN doesn’t exactly tell the whole story. Like any other technology solution, VPNs are not all-encompassing. You probably have many good reasons to utilize a VPN, but I wanted to take a few moments to outline what VPNs can specifically do for you as well as areas where VPNs may not address your specific security and privacy needs.

Benefits and Reasons To Use a VPN

While reviewing every detail about VPNs is beyond the scope of this blog, let’s talk about a few common reasons for utilizing it:

1. Creating some privacy when transmitting data between distinct locations – Every time you connect to the Internet, whether you are going to Google, watching Netflix, or sending an email, you are transmitting data over the public Internet. Just like when you drive your car from one place to another, you are almost always using public roads and highways to go from point A to B. A VPN “tints the windows,” so to speak, so that when your data goes on those public highways, a bad guy can’t necessarily see what the traffic is. Maybe they see that traffic exists, but it is typically encrypted to be unreadable.
2. Working around some filters – Sometimes, a VPN can be used to route traffic in a different way and make a service think I’m connecting from somewhere geographically different to my actual location.
3. Control over remote connections – If a VPN is required to create a remote connection between the client and the service like your servers or data located in a central location, then an administrator can also limit connections from unauthorized third parties such as former employees. By cutting off that VPN connection, you don’t have to worry that their computer or mobile device is accessing data to which they are no longer authorized to have access.

The key here is that VPNs route traffic with a layer of encryption that allows for the free exchange of data between two points regardless of geographic locations and the device being used. Sounds good, right? Well, just deploying a VPN solution will leave you with some serious blind spots, so let’s go over a few of the things VPNs don’t do. After that, I’ll briefly discuss how you can use this information to make good decisions about comprehensive security and risk management. https://twitter.com/TripwireInc/status/1283691803829469185

What a VPN WON’T do for you

1. VPN solutions don’t protect against an account being broken into – Between your home life and work life, you are probably using a variety of technology solutions such as Microsoft Office 365 for email, maybe a web-based CRM, an accounting application, or even a tax software where you keep your income tax information for filing. A VPN could encrypt data between two points, but if your authentication information is insufficiently secure, a hacker could get in and start snooping around for data or commit fraud.
2. A VPN won’t do anything to protect your team from phishing attacks – Phishing is on the rise because it’s cheap and effective. It also circumvents many common security tools and is a direct attack on personal vulnerabilities, as opposed to technical vulnerabilities. When you volunteer information after clicking a bad link or allow malware to be installed by being tricked into it, a VPN won’t do you much good.
3. A VPN is unlikely to improve speed or performance – While a good VPN solution will likely not hurt your connectivity, a bad one could make things worse. Some VPN solution providers make claims about performance improvements that are dubious at best.
4. A VPN will do nothing to address insider threats – When we extend a corporate network by using VPNs to give users access to technology assets, we are giving them the keys to the castle, so to speak. Once someone takes data back to their home PC over their VPN connection, for example, you don’t necessarily know what they are going to do with it. If they took that data and put it on another unauthorized device or share it with people that they aren’t supposed to, your VPN will be of no help.
5. A VPN won’t address any vulnerabilities on the devices themselves – Creating a series of VPN tunnels could create a strong private network where you could feel confident that data transmission is private and controlled. However, if the servers, desktops/laptops, and other devices have flaws that haven’t been addressed, or if those devices are in a non-supportable state, you could experience a data breach through those vulnerabilities regardless of the VPN. In fact, you could make the case that VPNs aren’t really addressing the right risks for certain organizations with aging technology infrastructures.

VPNs are one of many valuable tools you can use to protect the security of your systems and the privacy of your data, but they must be just a single part of your overall technology management strategy. One thing I always say is that there is nothing without risk. Everything we do carries with it a risk of failure or loss. The goal of risk management is to minimize this risk. I fear that the marketing behind VPNs and other security products could lull people into a false sense of comfort that moves them away from a comprehensive approach. Decision makers who are tasked with avoiding the pratfalls of technology need to view strong security as minimizing risk on multiple levels: People, Devices, and Networks. VPNs primarily address Networks, so as you evaluate your technology tools in place, especially as the new normal of the workplace requires changes to it, never stray from the idea of comprehensive security that seeks to address risks from multiple angles and areas.

---

About the Author

Image

: Ben Schmerler is a Director of Strategic Operations at DP Solutions, an award-winning managed service provider (MSP) headquartered in Columbia, MD. Ben works with his clients to develop consistent strategies not only for technical security, but also policy/compliance management, system design, integration planning, and other business level technology concerns. You can follow DP Solutions updates on LinkedIn or their website: www.dpsolutions.com. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.