What is a VPN? Security and Privacy, Up To a Point

VPN client on a cell phone and a laptop
madskip / Pixabay

Virtual Private Networks (VPN) have been around for roughly thirty years. They provide secure communication between two networks, even over the public internet. What is a VPN? It’s how you communicate in public but retain privacy.

What is a VPN?

It has been estimated that VPN use in the United States has increased by almost 66 percent since March 2020, and by 165 percent globally in that same period. This is entirely due to the lock-down and work-from-home policies introduced to help combat the COVID-19 pandemic. They’re very much flavor of the month. Let’s see what makes them tick.

A VPN is a network connection often, but not always, made across the internet. The internet is a public-facing, open infrastructure. But because only authorized users and devices can join the VPN connection, the connection is private. Encryption of the data provides another level of security. Even if the network traffic was captured and analyzed, the packets would be unreadable because of the encryption.

It’s as if a closed and secure tunnel has been placed between the two endpoints, and the data travels safely through this impenetrable tunnel. This effectively provides a private network over the public infrastructure of the internet. Because the authenticated, encrypted tunnel is a software-based connection between two physically unconnected networks, it is a virtual private network.

VPNs are commonly used by remote workers to securely access the corporate network. This type of connection is established between a software VPN client on the remote worker’s computer or laptop, and a VPN-enabled device, usually a firewall, at the corporate premises. This provides a connection that is completely encrypted, end-to-end.

By contrast, consumer VPNs create an encrypted tunnel between a software client supplied by the provider and one of the provider’s servers. The final network hop from the provider’s server and the final destination is not secured.

Consumer VPNs

VPN providers maintain a network of servers around the globe. When you connect to their VPN network you are connected to one of these servers. A server is chosen automatically by the VPN client, according to your location. Sometimes VPN providers allow you to nominate a server to connect to.

The communication between your computer and the VPN server is private, encrypted, and secure. However, your destination isn’t the VPN server. Your destination is whatever web resource you are trying to connect to, such as a web site, cloud storage, or email server. And it is important to understand that the last portion of the connection between the VPN provider’s server and your actual destination is once again transmitted over the public internet.

You will retain some anonymity because whatever you connect to will see the IP address of the VPN server, and not your own IP address. The VPN server acts as a digital middleman between you and your actual destination. This also masks the ultimate destination IP address from your internet service provider, adding to your privacy.

Two important factors to consider are how many VPN servers your provider has in their network, and what the transmission speed through their servers is. Some VPN providers offer a free tier, where they limit you to connecting to a small subset of their servers, and at reduced speed. If you want more choice of servers and higher throughput, you need to move to a paid subscription.

You can find VPNs that are advertised as being completely free, but these should be treated with caution. If a service on the internet is free, it is free because you are the product. There have been cases where free VPN providers have logged all of the connection information and sold it to content marketing agencies, which completely defeats the purpose of using it.

It’s also important to check how many devices you can install the VPN client on. It’s not uncommon for people to own a computer, a laptop, a tablet, and a cell phone, so make sure your subscription permits enough installations of the client to cover all of your devices. Wi-Fi services in coffee shops, hotels, and other places are often completely unprotected, so it is important to use a VPN when you’re using these services.

The more servers a VPN provider maintains the less chance you’ll have of hitting speed degradation due to congestion. Some providers allow you to choose which server you want to connect to. This can be useful if a particular web asset, such as a streaming service, refuses connections from your location. You can digitally “change country” by connecting to a VPN server in a country that is permitted to connect to the website in question. The website will see the IP address of your VPN provider’s server, think you are based in that country, and will accept your connection.

While we’re talking about geography, be aware that the governments of some countries—such as Russia and China—have strict laws regarding VPNs and what you can do with them, if anything. Take care to establish what is legal and acceptable in your locality.

A consumer VPN can be used to:

  • Present a different IP address to the service you are connecting to, to hide your identity.
  • Pretend you are in a different geographical location to overcome country-specific restrictions.
  • Mask your online activity from your Internet Service Provider.

A VPN can help you to:

  • Be anonymous and safe while using public Wi-Fi.
  • Be anonymous and safe while playing peer-to-peer (P2P) gaming or using file-sharing applications.
  • Reduce the amount of tracking that websites can perform on you.
  • Communicate securely if you are a journalist’s source, a whistle-blower, or a political dissident.

Corporate VPNs

Ever since computer networking existed, enterprises have faced the challenge of secure network communication over a public infrastructure that they don’t own and control. In the mid-1990’s Microsoft and U.S. Robotics collaborated on research that yielded the Point-to-Point Protocol (PTPP). In principle, and by any other name, it was the first VPN. It used old-fashioned screechy modems and a form of encryption that would not be sufficient for today’s needs, but all of the elements of a VPN were there.

The modern corporate VPN falls into one of two camps.

  • Remote Access VPNs – These allow remote workers or traveling staff members to access corporate networks and IT assets when they are remote from the company’s premises.
  • Site-to-Site VPNs – These are permanent links between different premises of the same organization. They provide continuous, encrypted network communications across the enterprise.

VPNs are provided using different implementation models.

  • IPSec – These VPNs are delivered across the internet using internet protocol security. This is a set of protocols that provide security and usually includes cryptography to encrypt the data.
  • MPLS – Multi-Protocol Labeling Switching is a packet routing technique that works across multiple protocols, sidestepping the problem you may have in getting connectivity between sites with different types of internet connectivity, which is the first advantage. The “label” is a small chunk of information that is added to the packet that means the routing equipment can see a packet’s destination without having to interrogate the packet. This speeds up routing decisions, which is the second advantage. An MPSL VPN is a VPN built on top of MPLS technology.
  • Cloud-Based – Also known as hosted-VPN or VPN as a Service (VPNaaS). A cloud-based VPN utilizes a cloud-based network infrastructure to deliver VPN services. They offer a globally accessible VPN through the provider’s cloud platform, without the requirement for VPN hardware or software clients at either end of the connection.

What VPNs Don’t Do

VPNs cannot make you safe from cyber threats per se. They can’t stop you from being infected by malware if you visit an infected site, nor if download a file that is actually a trojan with a malicious payload. They won’t know if the site you are visiting is a fraudulent copy-cat site.

VPNs serve a specific purpose and they serve it well. They should be viewed as one more tool in your cybersecurity arsenal.