
When it comes to virtual private networks, there are some common misconceptions about VPN protocols, how VPNs work, how they should be set up, and more. Today, we’re debunking 10 common myths about VPNs and the security they provide.

 

When IT professionals talk about secure data transfers, the discussion invariably turns to virtual private networks (VPN). While there are various ways to send data securely from one network to another, the VPN is often the default approach. However, a VPN alone does not ensure security. Here are 10 myths that we will bust about VPNs that will help you better understand how to use them more effectively and efficiently.

 

Myth 1: All You Need Is A VPN To Ensure Security

A VPN is a private connection that traverses the public Internet. While it is difficult for the average user to penetrate such a link, attackers can install a variety of tools on Internet-connected routers that can read the data inside a VPN. While such actions could trigger a security alert that the connection was compromised, the alert happens after the damage is done. For that reason, all data sent over the Internet, be it over a VPN or through other methods, should be encrypted if the data is sensitive or confidential.

Myth 2: If I Switch To IPv6, My VPNs Will Be Safer

According to research published in the proceedings of the Privacy Enhancing Technologies Symposium earlier this year in Philadelphia, most VPN tunneling infrastructure is outdated and vulnerable to brute-force attacks, even if you use IPv6. Commercial VPN clients are also vulnerable to DNS hijacking, the report states. The way to be safe from DNS hijacking is to make sure your DNS server is correctly configured and managed. The research also showed that Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) tunnels were unaffected by some of the hijacking vulnerabilities related to VPNs.

Myth 3: All VPN Protocols Are Alike

As noted above, there are some attacks to which PPTP is immune, but that doesn’t necessarily mean it is always the best protocol choice. IPSec encryption encapsulates data twice, making it less efficient but more secure than SSL-based approaches. OpenVPN can be configured to use any port, including TCP port 443. This port is often used for standard SSL (https://) data traffic, while L2TP must use UDP port 500.

Myth 4: If I’m Only Using IPv4, It Doesn’t Matter If IPv6 Is Still Enabled On My Router

This myth assumes that attackers are unable to use IPv6 for attacks if only IPv4 is used, but that assumption is invalid. If you are not using IPv6 on your network, simply disable it. If you have a firewall that has IPv6 turned on by default but no IPv6 devices on your network, you should configure it in the firewall to reject all IPv6 traffic.
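A check for the situation described above, as an added example that is not part of the original article: it scans Linux `ip -6 route show` output for routes that would still carry IPv6 traffic outside an IPv4-only VPN tunnel. The tunnel interface name `tun0` and both sample route tables are constructed assumptions.

```python
import ipaddress

# Route types that drop traffic instead of forwarding it.
DROP_TYPES = {"unreachable", "blackhole", "prohibit"}

def ipv6_leak_routes(route_output, tunnel_ifaces=("tun0",)):
    """Return (destination, interface) pairs from `ip -6 route show` output
    that would send non-local IPv6 traffic out a non-tunnel interface."""
    leaks = []
    for line in route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] in DROP_TYPES or "dev" not in fields:
            continue
        idx = fields.index("dev")
        if idx + 1 >= len(fields):
            continue
        dest, iface = fields[0], fields[idx + 1]
        if iface == "lo" or iface in tunnel_ifaces:
            continue
        net = ipaddress.ip_network("::/0" if dest == "default" else dest,
                                   strict=False)
        # Link-local, loopback and multicast prefixes never leave the segment.
        if net.is_link_local or net.is_loopback or net.is_multicast:
            continue
        leaks.append((dest, iface))
    return leaks

# Constructed sample: IPv6 left enabled, router advertisements accepted on eth0.
LEAKY = """\
::1 dev lo proto kernel metric 256 pref medium
2001:db8:10::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

# Constructed sample: global IPv6 only inside the tunnel, default route dropped.
BLOCKED = """\
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fd00:1234::/64 dev tun0 proto kernel metric 256 pref medium
unreachable default dev lo metric 1024 pref medium
"""

if __name__ == "__main__":
    print("leaky host:  ", ipv6_leak_routes(LEAKY))
    print("blocked host:", ipv6_leak_routes(BLOCKED))
```

An empty result means no route on the host forwards global IPv6 traffic around the tunnel; it says nothing about what the upstream firewall accepts.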

Myth 5: It’s OK To Leave Your VPN Open Even When You Are Not Using It

Generally speaking, firewalls today will close a VPN after a given amount of time if it is not active. This is simply a best practice for system optimization. While the open VPN itself doesn’t create a real security risk in and of itself, it will use system and memory resources that could be better spent on other system activities.

Myth 6: If You Are Using A Certificate From A Trusted CA, Everything Is Secure

This myth assumes that all trusted certificates are created equal. Unfortunately, some certificates are created using spoofed Certificate Authorities (CAs) and are not secure at all. Electronic Frontier Foundation (EFF) staff technologist Peter Eckersley published an in-depth analysis a couple of years back demonstrating that Iranian hackers acquired fraudulent SSL certificates for Google, Yahoo, Mozilla, and others by spoofing Comodo. Bottom line: Secure Sockets Layer (SSL) technology and early versions of Transport Layer Security (TLS) are not secure. Use the latest version of TLS for the best protection.

Myth 7: VPNs Make You Anonymous

There are a lot of advantages to using a VPN, but anonymity is not one of them. A VPN is designed to provide data security, not user anonymity. A skilled digital forensics technician can identify a user who tries to employ a VPN for nefarious purposes because the data is still being transmitted over the public Internet. Also, you cannot ensure anonymity just by using a public VPN provider. Logging is an important part of network security and maintenance, so chances are your data transfers from a public VPN provider are dutifully logged.

Myth 8: VPNs Make You Safe From Internet-Borne Attacks

This might seem counterintuitive to some, but just because you employ a VPN, that does not mean you are immune from malware, viruses and other online threats. A VPN is not a firewall, so if you use a VPN to download infected content, your system will end up infected. That said, it is still a good idea to have a firewall that is properly configured on your side and defensive tools such as antivirus, antimalware, intrusion detection systems, intrusion prevention systems, defenses against advanced persistent threats and other standard defensive tools.

Myth 9: I Really Don’t Need To Use A VPN

“VPNs are hard to use, so I really don’t need one.” This is a common excuse amongst those who also believe that no one would ever want to breach their network or that their network doesn’t have any data anyone else would ever want. The bottom line is that even very small companies and individuals get breached; it’s not just the big names. And if you do online banking or shopping, chances are you might be sending confidential data over insecure connections. Today’s VPNs are easy to configure, especially if you use a service provider that specializes in VPNs, of which there are many. In fact, Windows 10 has a built-in configuration screen for adding a VPN, not unlike the screen one uses to add an email account to Microsoft Outlook. Just fill in a few options, save, and you have a fully configured VPN.

Myth 10: A VPN Is A VPN

Actually, there are a variety of VPNs. Site-to-site VPNs can be set up as static route-based VPNs, intranet-based VPNs, extranet-based VPNs, or other types. One vendor’s VPN is not necessarily the same as another’s, so if you plan to compare VPNs, know in advance some questions to ask. These include bit levels of encryption (use no lower than 128-bit encryption and preferably higher), types of encryption, which security policies and rules you will require, whether you will limit the path of the VPN based on political boundaries, and any other variables. Once you have your priority list of must-have features, it becomes much easier to compare VPN vendors on paper. However, it is important that you also talk to the potential provider and perhaps its technical support department before making a selection. Support is essential for a task that is so ingrained into data security, so selecting the vendor whose own priorities match yours is very important.
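The TLS advice under Myth 6 and the 128-bit floor above can be checked mechanically against a client profile. The following is an added example, not from the original article: it audits an OpenVPN configuration for its `tls-version-min` and cipher directives. The TLS 1.2 threshold, the helper names and the sample configs are assumptions made here.

```python
import re

MIN_TLS = (1, 2)       # assumption: TLS 1.0 and 1.1 are the "early versions"
MIN_KEY_BITS = 128     # floor given in the article
KNOWN_BITS = {"CHACHA20-POLY1305": 256}  # name carries no key size

def parse_options(text):
    """Map each OpenVPN directive to its argument list (last one wins)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts

def key_bits(cipher):
    """Key size read from a name such as AES-256-GCM, or None if unstated."""
    name = cipher.upper()
    if name in KNOWN_BITS:
        return KNOWN_BITS[name]
    match = re.search(r"-(\d{2,3})-", name)
    return int(match.group(1)) if match else None

def audit(text):
    """Return findings on the TLS version floor and cipher key length."""
    opts, findings = parse_options(text), []
    tls_min = opts.get("tls-version-min")
    if not tls_min:
        findings.append("tls-version-min not set")
    elif tuple(int(p) for p in tls_min[0].split(".")) < MIN_TLS:
        findings.append(f"tls-version-min {tls_min[0]} is below 1.2")
    args = opts.get("data-ciphers") or opts.get("cipher") or []
    if not args:
        findings.append("no cipher or data-ciphers directive")
    for name in (args[0].split(":") if args else []):
        bits = key_bits(name)
        if bits is None:
            findings.append(f"{name}: key size not stated in name")
        elif bits < MIN_KEY_BITS:
            findings.append(f"{name}: {bits}-bit key is below {MIN_KEY_BITS}")
    return findings

# Constructed sample configs (vpn.example.com is a placeholder host).
WEAK = "client\nproto tcp\nremote vpn.example.com 443\ntls-version-min 1.0\ncipher BF-CBC\n"
STRONG = ("client\nproto tcp\nremote vpn.example.com 443\ntls-version-min 1.2\n"
          "data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305\n")
if __name__ == "__main__":
    print(audit(WEAK), audit(STRONG))
```

Ciphers whose names do not state a key size are reported for manual review rather than assumed acceptable.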

VPNs are a terrific tool for enhancing security, but remember that one size does not fit all. You need to be sure to configure your VPN and supporting security devices, such as firewalls, to ensure the greatest amount of security without impeding your ability to get work accomplished.

By Stephen Lawton
