VPN: The perfect solution or a loose cannon?

VPNs (Virtual Private Networks) are often presented as essential tools for online security and anonymity. Behind this promise, however, lie some lesser-known realities that are worth exploring. This article looks at the real benefits and the potential risks of using VPNs.

In 2020 Oplon Networks classified VPNs as not usable and worked to provide an alternative for securely accessing an organization's services and data.

VPN technologies are typically used for the following purposes:

  1. VPN to connect to corporate services: connects a user's devices (personal computer, smartphone, tablet or similar) to the internal services, infrastructure and data of a company or organization

  2. VPN to connect multiple datacenters together

  3. Home VPN that masks the IP address during Internet browsing

Oplon Networks proposes the alternative to VPNs for connecting one's devices to enterprise services and infrastructure (as in case 1).

The paper also describes the characteristics of VPNs to connect multiple datacenters to each other (as in case 2) or those commonly used to hide one's IP address (case 3).

Thus we will try to give a comprehensive overview of the technology and dispel some common misconceptions.


A little bit of history

The VPN technology was developed in 1986 for ensuring safe connections on public networks. After the introduction of IPsec, efforts were made to close some initial security gaps by improving encryption and authentication.

However, despite this progress, VPNs still present significant risks.

Indeed, through VPNs corporate data can be exposed to potential attacks or to unauthorized access.


Figure: timeline

1) VPN to connect to corporate services

VPN technology allows an encrypted channel to be built between one device and the datacenter network.

A VPN makes each connected device "part" of the datacenter by assigning it an Internet Protocol (IP) address that can reach the datacenter networks to which it connects.


Figure: Corporate VPN

To the question "is the encrypted channel secure from external attacks or intrusions?", the answer "Yes" is only a half-truth.

The device, whether a personal computer or a mobile device, does have an encrypted connection to the outside, but it also creates an open channel towards the datacenter for any virus already on the device. That virus is then free to infect all services, archives and documents in the datacenter, and it lets an attacker do so deliberately while leaving only a few traces.

To confirm this, consider that all VPN vendors urge customers to keep their devices up to date and to run an antivirus that is itself kept up to date.

VPN and 2FA/MFA (double/multi-factor authentication)

Multi-factor authentication is often added to a VPN in order to strengthen protection. In fact, as the explanation above shows, the only security this adds is the identification of who infected the datacenter. And even that is not certain, should the attacker have deliberately infected it and then deleted the traces.

In the light of this, today VPNs for connecting to corporate services are the biggest vehicle for ransomware attacks and illicit data collection. A VPN provides neither adequate guarantees about device security nor a trace of what passes through the encrypted communication.

Segmentation strategy (network based ZTNA)

Even with network segmentation as a strategy, as many connection-based ZTNA solutions do, the problem is still there.

The problem arises when you establish a direct connection between your device and the datacenter.

If you are asked to install software on your device to make the connection, it is probably a masked VPN. In contrast, if you are asked to use only the browser to access and view services, it means that you are using a modern and very secure system. This is because the browser does not create a direct link between you and the service, but merely shows what is happening in the datacenter.

It is precisely on this principle that Oplon Secure Access was developed.

If the PC is infected by a virus not detected by the antivirus and uses a VPN or a ZTNA based on direct connections, the virus can spread to the accessible service and subsequently to other related systems.


Figure: VPN diagram

For VPN connections, or connection-based ZTNA, to corporate services we can list the following features:

  1. VULNERABLE DEVICES = RISK FOR THE NETWORK:

    • Malware and viruses on the device might take advantage of the connection created by the VPN in order to access the datacenter systems
    • Attacks can compromise data, services and sensitive archives
    • Not all viruses are detected by antivirus software, even when it is up to date
  2. MAIN CONSEQUENCES:

    • Spread of malware and infections in the network
    • Loss of critical and confidential data
    • Operational disruptions due to targeted attacks
  3. THE VPN PARADOX:

    • They protect the external channel but open the way for insider threats undetectable by antivirus.

2) Use of VPNs to connect two datacenters

The use of VPNs to connect two datacenters through a private network is a common solution for data sharing, backups and communication between distributed sites.

However, this configuration introduces some critical security issues.


Figure: Datacenter VPN

The VPN technology, by its nature, implements many-to-one connections instead of a direct one-to-one relation.

Advantages

  • Ease of connection between complex infrastructures

Critical issues

  • The many-to-one nature in this context may allow parallel, unauthorized connections if access keys (e.g. digital certificates) are compromised or accidentally left behind on the device of the IT technician who installed them;
  • Risk of covert connections: IT staff with high turnover could create unauthorized configurations, increasing the risk of covert access;
  • Malware and viruses on the device behind a covert connection can exploit the VPN connection to access datacenter systems;
  • Attacks can compromise sensitive data, services and archives.

Consequences

  • Security often depends on the good faith of operators.

What is the alternative for connecting datacenters without VPNs?

The technology that has been designed to mitigate the problem introduced by the use of VPNs in datacenter connections is IPsec.

With IPsec, unlike a VPN, once a connection is established between two points, no one else can connect to it while it is in use.

IPsec is a one-to-one communication, with no possibility of creating backdoors for covert connections.


Figure: Datacenter VPN, the alternative

IPsec is a single armored tunnel that connects only two points and does not make fraudulent third-party connection possible.

For the sake of completeness, however, we should point out that IPsec still does not prevent viruses from migrating from one datacenter to another.

3) Home-VPNs: Security and anonymity?

Home VPN connections, often promoted as tools to ensure anonymity while browsing in order to appear to be “someone else,” do not actually ensure complete anonymity online.

It is important to understand that, on the Internet, absolute anonymity does not exist.


Figure: Home VPN

Currently, modern Internet browsers already establish connections through encrypted channels using the highest encryption standards available so there is no need to have a VPN to protect your browsing information.

  • Browsers have the most secure level of encryption supported by the service they interface with, and as a result the transmission and reception of data while browsing is inherently secure, even without using a home VPN.

  • Below, the drawing highlights that without a VPN the browser and the service talk with an encrypted channel and no one other than the service can intercept the data being exchanged. Modern browsers already offer this protection; in fact, tools such as HTTPS automatically encrypt connections, providing a high level of security even without a VPN.

Figure: VPN diagram

Note: the drawing is simplified; there may be several hops (passing through different networks) before reaching the destination service. However, the encryption remains unchanged and, at present, cannot be broken.


A home VPN channels data traffic, hiding the user's IP address, and applies access filters on the user's personal computer. In any case, encryption with the service is handled only by the user's browser. As a result, a home VPN guarantees neither total security nor absolute anonymity. The VPN service can monitor and block the user's choices precisely because it has visibility of them. Basically, you choose to be spied on by the VPN provider instead of by an Internet provider!

Figure: VPN diagram

Note: With VPN the data is still encrypted from the browser to the end service, only your IP address is masked! If you think about it, it can only be this way, otherwise the VPN provider could also see your data in the clear and you would not be able to use e.g. client digital certificates from your browser.

Who knows your interests WITHOUT a home-VPN?

When browsing without a home VPN, the "entities" who know your interests are the Internet providers and the DNS providers that resolve the names of the sites we want to visit. Ultimately, who knows your passions and preferences in normal browsing without a home VPN is summarized in the table below:

Who knows what about your interests when browsing without a home VPN?

                                      | IP address | Username/subscription         | Server name we connect to | Exchanged contents | PC contents
Connectivity provider                 | YES        | YES                           | YES                       | NO                 | NO
Internet name catalog (DNS) provider  | YES*       | NO                            | YES                       | NO                 | NO
Each final contacted service          | YES        | No, if you have not logged in | YES                       | YES                | NO
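As an added illustration (example code written for this page, not Oplon's) of the rows above, where the server name is "YES" but the exchanged contents are "NO", and of the point that encryption stays between the browser and the service: an on-path observer, whether the connectivity provider or a home VPN provider, can read the host name from the ClientHello's SNI extension, while the application-data records that follow are opaque to it. The TLS stream is constructed inline, not captured, and the host name is a placeholder.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample (not a real capture): minimal ClientHello with SNI."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list         # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                   # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type 0x16 = handshake

def extract_sni(hs: bytes):
    """Return the host name from a ClientHello handshake message, or None."""
    if len(hs) < 39 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                               # header, version, random
    pos += 1 + hs[pos]                                             # skip session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]             # skip cipher suites
    pos += 1 + hs[pos]                                             # skip compression methods
    if pos + 2 > len(hs):
        return None                                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                                             # server_name extension
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0] # past list length + name_type
            return hs[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None

def observer_view(stream: bytes) -> dict:
    """What an on-path party (ISP or VPN provider) learns from the TLS records."""
    view, pos = {"server_name": None, "encrypted_bytes": 0}, 0
    while pos + 5 <= len(stream):                                  # walk the record layer
        ctype, length = stream[pos], struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        payload = stream[pos + 5:pos + 5 + length]
        if ctype == 0x16:                                          # handshake: name is readable
            view["server_name"] = extract_sni(payload)
        elif ctype == 0x17:                                        # application data: opaque
            view["encrypted_bytes"] += len(payload)
        pos += 5 + length
    return view

# Constructed stream: the ClientHello plus one 5-byte encrypted application-data record.
SAMPLE_STREAM = build_client_hello("mail.example.com") + b"\x17\x03\x03\x00\x05\xaa\xbb\xcc\xdd\xee"
```

The DNS row of the table shows the same name leaking a second time, through the name lookup that precedes the connection.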

Another note: with a home VPN you will normally be asked to install something on your device that keeps the device under surveillance for viruses; some services also assure that they will block access they deem dangerous and give you anonymity while surfing.

All good? Half as good as usual.

Meanwhile, to keep your personal computer adequately protected, the powerful antivirus already present in some platforms, such as Microsoft Defender on Microsoft systems, is usually sufficient. Note that installing another third-party antivirus usually disables Microsoft's antivirus in favor of the other vendor.

Another consideration is that loading something onto your personal computer that blocks and limits the visibility of Internet services can lead to market distortions: those who pay the most will be visible, while the others you won't even know exist, or you may even think they are dangerous.

This used to be called "censorship", and when done by private interests or institutions it can be deviant. This is not a far-off hypothesis; it is an absolutely real one that happens every day.

The idea that the VPN can mask browsing falls away, since the VPN provider knows everything about you, especially if you install anything on your PC: location, installed programs, photos, documents and more. Much VPN software, as soon as it is installed, scans the device to classify its contents, often without properly informing the user, or with the notice buried in rivers of contractual text.

Is it legitimate to trust software that accesses your personal data in your PC systematically and continuously?

Using a home VPN, the VPN provider has complete visibility of the browsing habits you choose online and often has access to your PC as well. This is a significant difference from a direct connection made with just your browser to the service.

When the provider of a home VPN states in contracts or web pages that it does not store browsing data, this is already an admission of risk, don't you think? This implies blind trust, with no guarantee that data will not be processed or exfiltrated.

Who knows what about your interests when browsing with a home VPN?

                                        | IP address | Username/subscription         | Server name we connect to | Exchanged contents | PC contents
VPN provider                            | YES        | YES                           | YES                       | NO                 | YES, if scanning software is installed
DNS provider (usually the VPN provider) | YES        | YES                           | YES                       | NO                 | YES, if scanning software is installed
Each final contacted service            | NO         | No, if you have not logged in | YES                       | YES                | NO

When using a home VPN we are potentially in the hands of a private company, just like with an Internet provider. Information is money, and the selling of information is often done not by companies in a systematic way but by the personnel who are in a position to access the data! Companies try to guard against this by imposing specific policies, but the reality is that it is almost impossible to do so with today's technology.

When can a home-VPN be useful?

For example: when you don't want to pay for a subscription to a service, when you want to appear to the end service as a user from a different nation, when you want to use a service not available from the nation you connect from, or when you want to escape authoritarian systems. But beware: someone can sell your data, authoritarian systems are normally willing to pay very well for it, and when you go through a home VPN you concentrate all your choices and interests, and often the contents of your PC, in a single operator.

Conclusions

Oplon Networks in 2020 decided to invest in a non-invasive technology that uses only the browser to access business services, without installing anything on the device. Oplon Secure Access covers access to business services while eliminating the VPN.

For the other two purposes for which VPNs are used today: to connect two datacenters, a solution is already on the market, IPsec, which is present on all operating systems. For home VPNs used to hide your source IP address, we have only listed the critical issues and the opportunities; it is up to you to choose whether to use paid ones, free ones, or none at all.

On the Internet, forget the fairy tale of not being tracked: you can only choose who you are spied on by.