October is Cybersecurity Awareness Month, and the growing dependence on technology, coupled with the increasing threat of intrusion and cyberattacks, requires greater security in the online world. One source of security that many are turning to is the virtual private network, or VPN.
A VPN is a technology that allows secure communication over the insecure public internet, essentially extending a user’s workplace network into their home network in a secure way, without letting their internet service provider (ISP) or intermediate routers monitor the content.
“When we use the internet to browse a website or send and receive emails, the data is divided into small chunks called packets, and these are routed via multiple networks and routers to and from different servers,” said Ragib Hasan, Ph.D., associate professor in the University of Alabama at Birmingham’s College of Arts and Sciences’ Department of Computer Science. “A VPN essentially creates an encrypted secure tunnel between the user and the destination server. The VPN software on the user’s computer encrypts the packets so that only the intended destination server can decrypt them. Anyone eavesdropping in the middle will not be able to see the contents of the packet and hence eavesdrop on the communication or monitor the webpages visited by the user.”
One common use of a VPN is private, anonymous web browsing. In this mode, a webpage visitor’s request for the page is first sent to the VPN server over an encrypted connection. The VPN server retrieves the webpage, encrypts the page and sends it back to the user over the VPN. Therefore, the ISP does not see the webpage URL or the individual pages visited by the user.
Benefits of a VPN:
• Reduces the risk of spoofing and phishing
• Prevents violation of privacy
• Allows for information access in restrictive countries
• Provides employees access to corporate networks without opening confidential work information to theft
What added security measures does a VPN provide compared to firewalls or other antivirus software?
A VPN has many added security benefits. First, it provides a high level of privacy to users.
“Without a VPN, the ISP can monitor every website visited by the user,” Hasan said. “This information can be used to profile the user as well as be sold to marketers. In countries with repressive governments, this type of monitoring has often been used to identify and oppress dissidents.”
Hasan, director of the UAB SECRETLab, adds that a VPN can hide the user’s whereabouts or IP address from websites. A website will see only the IP address of the VPN server, not the user’s actual IP address, because the communication is routed through the VPN server.
“When a business user is using a public network or a hotel’s network to access their corporate email, they face the risk that their confidential communication or email contents/attachments may be monitored or accessed by malicious parties,” Hasan said. “With a VPN, the user can safely access the corporate network or email over an encrypted tunnel, which means the malicious eavesdroppers cannot record their confidential communication.”
A VPN allows users to evade regional censorship by oppressive governments. In many countries, oppressive regimes block access to information. A VPN can circumvent such blocks and let people access information freely.
Are VPNs necessary only for businesses? How necessary are they for general consumers?
VPNs are necessary not only for businesses; they are also useful for people who frequently use untrusted public networks to access their content, according to Hasan.
A VPN allows regular users to access websites or check emails without the fear that their activities or locations will be monitored and their privacy violated. VPNs also reduce the risk of many attacks such as spoofing and phishing.
“As more users turn to working from home during and after the pandemic, a VPN is essential as it allows the user to access corporate networks without opening up the confidential work information to theft and monitoring by malicious parties,” Hasan said. “Users who work from home must use a secure VPN to access their corporate network.”
What are the limitations of a VPN?
As with any security technology, the security of a VPN-based system is only as strong as its weakest link.
While the VPN allows users to use an untrusted network, the VPN server does have full knowledge of the user’s activities, including the websites they visit and the content they access.
“For different company in-house VPN servers, this is usually not an issue,” Hasan said. “However, many people use commercial VPN services, many of which do log the user’s activities.”
Some of these services are even located outside the United States and therefore fall outside the legal jurisdiction of the United States.
“The anonymity of a VPN only goes so far,” he said. “The VPN server can see the IP address of the user and the content the user is accessing.”
VPNs also reduce performance due to the complex encryption protocols. Because all communications need to be encrypted and decrypted while using a VPN, the connection speed is reduced. Commercial VPN services are not always free. Due to the anti-censorship nature of VPNs, some countries also ban VPN services outright.