What is a VPN?
Virtual Private Networks, explained
A Virtual Private Network (VPN) is a service that encrypts your Internet connection in order to provide you with two things: data security and user authentication. By masking your Internet Protocol (IP) address, a VPN hides your location and the nature of your Internet traffic. This is especially important when using a public WIFI hotspot, where tech-savvy malfeasants can easily eavesdrop on your Internet activity. Using a VPN is a bit like riding through the city in an armored car rather than on a motorcycle.
Individuals also use VPNs to access Internet resources meant only for those living in a certain geographical area. A VPN can allow you to access subscription TV shows and movies available only to viewers in India, for example, rather than just those offered in the U.S. VPNs also mask your browsing history from your Internet service provider, since any activity you perform on the Internet will be associated with your VPN server’s IP address instead of your own. In theory, with a VPN no one has visibility into your online activity.
How VPNs work
VPNs use encryption to scramble data for its journey through the Internet. An algorithm or cipher determines the nature of the encryption, then encodes the data, rendering it unintelligible while it’s in transit. There are currently three cryptographic algorithms in use: symmetric, asymmetric, and hashing. Each of these protocols has its strengths and weaknesses.
Symmetric encryption makes use of a shared key to both encrypt data prior to sending to or from a VPN server, and to decrypt data upon arrival. Symmetric encryption is widely used and slows Internet traffic less than asymmetric encryption. It’s like locking your briefcase with a key you keep at home and unlocking it at work with an identical key.
Asymmetric encryption, also known as public-key cryptography, uses one key for encryption and another to decrypt. Since this method of encryption involves some rather heavy computation, it typically slows down the Internet user experience. This is like locking your briefcase with a key you keep at home and unlocking it at work with an entirely different key.
Hashing turns a message of any length into a coded message of a defined size. You can turn the word ‘at’ or the entirety of Shakespeare’s collected works into a hash of 256 or 512 bits, for example. Hashing is a one-way proposition; it can’t be ‘un-hashed’ so it’s not used for message encryption per se, but rather to help verify that an encrypted message has not been tampered with en route. Comparing hashes at point of departure and point of arrival assures message integrity. It’s bit like putting a wax seal on an envelope to deter tampering.
VPNs are not the only answer. Newer technologies such as MobiKEY deliver similar results with greater security. Find out more
How VPNs don’t work
There are two classes of problem with VPN technology: technical and security-related. Technical issues manifest most strongly when there is huge demand for VPN traffic, like during the recent coronavirus when so many people were working from outside of the corporate network. The root of the problem is that VPN is a 1990s technology, conceived with 1990s-level Internet traffic in mind, that involves transferring data out of your organization’s security perimeter.
VPN technical problems
Slow speed – VPNs need to encrypt and decrypt data, which slows them down. In the case of employees being required to access cloud resources like Salesforce from within the network, the VPN sits between users and Salesforce, forcing encryption between the user and the VPN gateway, and then further encryption between the gateway and the cloud software—a twofold reduction in speed.
Chokepoints – VPN servers act as chokepoints due to speed of encryption/decryption, but also because they were not designed to handle the traffic of a large percentage of an organization’s workforce. Rather than network security stacks verifying Internet traffic, all traffic is forced through VPN gateways, which were never engineered to handle such a high volume of traffic. VPNs struggle to keep up and sometimes fail entirely.
Chokepoints – VPN servers act as chokepoints due to speed of encryption/decryption, but also because they were not designed to handle the traffic of a large percentage of an organization’s workforce. Rather than network security stacks verifying Internet traffic, all traffic is forced through VPN gateways, which were never engineered to handle such a high volume of traffic. VPNs struggle to keep up and sometimes fail entirely.
Moving data – The biggest technical issue is also by definition a security issue: to function, VPNs require that data be moved out of the secure corporate network and onto remote devices. This means that users’ devices should be thoroughly secured, which typically means that users must use enterprise- or government-furnished equipment rather than their own devices. But if such a device is lost or stolen, the data it contains is still at risk.
VPN security problems
Because VPNs involve moving data, that data is automatically put at risk. While using a VPN is definitely more secure than not using a VPN, the technology has some notable security problems.
VPN server vulnerabilities – VPN servers can be vulnerable to attack. In January 2020, the Department of Homeland Security issued a National Cyber Awareness System Alert1 regarding the vulnerability of over 14,000 VPN servers worldwide. Some have since been patched, while at time of writing others have not.
Brute force decryption – A brute force attack is an attempt to break a code or password by trying every possible combination of numbers, letters and symbols in order to find the key that will unlock the message or application. This takes huge amounts of computing power. Edward Snowden’s leaked documents revealed that the NSA, as an example, was able to obtain VPN keys in this way back in 2013.2
Brute force decryption – A brute force attack is an attempt to break a code or password by trying every possible combination of numbers, letters and symbols in order to find the key that will unlock the message or application. This takes huge amounts of computing power. Edward Snowden’s leaked documents revealed that the NSA, as an example, was able to obtain VPN keys in this way back in 2013.2
Stolen key decryption – Hackers can and do steal encryption keys or passwords that give them root access to VPN servers. This allows them to launch a variety of attacks against the network. In one recent breach, hackers exploited an insecure server remote-management tool used by a VPN company to manage a leased server. 3
If not VPNs, then what?
If VPNs aren’t secure enough for your liking, then what can you use for truly secure remote work? Start by identifying technologies that enable remote work without moving data outside of the network perimeter.
There are two classes of truly secure VPN alternatives that don’t involve moving data:
Managed cloud workspaces, which require organizations to make a wholesale move to a software-as-a-service (SaaS) subscription-based work environment for all employees who connect to the corporate network. Managed workspaces keep data within the network perimeter, which should safeguard it for remote work, assuming that two-factor or PKI-based authentication is properly implemented. However, all employees and contractors must work within a subscription-based workspace within the office and without.
Inside-out remote work sessions established over Transport Layer Security (TLS) cryptographic protocols. This occurs when an asset such as a desktop computer, laptop or virtualized computer within the network perimeter establishes a mutually authenticated TLS session with a device that is outside of the perimeter. This is the case with Route1 MobiKEY.
1CISA Cyber Infrastructure Alert (AA20-010A),January 2020
2Revealed: how US and UK spy agencies defeat internet privacy and security, The Guardian, September 2013
3Hackers steal secret crypto keys for NordVPN. Here’s what we know so far, ArsTechnica, October 2019