Every network connection, every device, every user—well-meaning or not—exposes a network to risk. But you can’t do business in an unconnected silo. Online commerce drives the velocity of business from front-end to back-end. Types of devices using network access have proliferated.
This has made businesses more responsive, more agile—and more vulnerable. According to available data, more than 4,600 common IT vulnerabilities were discovered in 2010. In 2023, that number reached more than 29,000. You can only secure the traffic that goes on within your walls. Enter the Virtual Private Network (VPN): Non-physical walls to insulate that traffic.
Here are some tips for both users and network administrators to secure your network with a VPN.
Table of Contents
How VPN Works
A virtual private network, or VPN, “provides a secure communication mechanism for data and control information between computers or networks.” VPNs encrypt traffic among devices using the Internet Key Exchange (IKE) protocol over a network-layer security service called Internet Protocol Security, or IPSec.
The network layer is a key layer of the Open Systems International (OSI) reference model defined by the International Organization for Standardization (ISO). There are seven layers in the model. The top four levels are host layers—they deal with data in the context of applications and make it available to other applications across the network.
The network layer is at the top of the media layers. It controls structure, addressing, and routing across disparate network nodes. Beneath the network layer are layers that control data transmission at frame (data link layer–transmitting data among physically connected machines) and bit (physical layer) levels. The network layer is the guardian between data and transport.
A VPN masks traffic and connections. It does not scan for malware. It does not block phishing scams, hacking attempts, viruses, or malware. A VPN can establish a perimeter. Within that perimeter, we can control those threats. But a VPN doesn’t do it alone. It requires software protection and, probably most importantly, user education about best practices.
Kill Phishing
This may be the easiest and hardest user behavior to control. Employees must understand that any email that looks like it’s a scam, is a scam. It’s terrible when users let scam artists get a foothold in their system; if that foothold is in the business, it could kill it.
While effective filters can minimize the impact on corporate devices and e-mail accounts, the personal devices that have become so prevalent for employees are easy entry points for a phisher—if employees don’t recognize the obvious signs.
Care & Control
There are simply too many personal device apps that are potential vectors for network access and disruption. While the apps on a personal device are a threat, a much bigger threat are conveniences offered by, for example, Google, which offers to “manage” passwords. If someone who is a threat gets hold of an end-user device, access to the network security is a cinch.
Users must be educated in secure password protocols. Do not store business network credentials on a device you aren’t sure you won’t lose. And since you can’t be sure, you won’t lose one.
On the bright side, biometric security features based on facial or fingerprint recognition have become more commonplace. A user can forget a password, but not a fingerprint. However, the Identity Management Institute notes that biometric systems are vulnerable to false positives and false negatives. And biometric information has to be stored somewhere; a hacker with access to that data has the keys to the castle.
Log Out
A logged-in personal device is an attack vector. Log out and put up with the annoyance of a suitable password. (Note that this post from Boston University suggests using a password manager, which gives anyone who can log in to the phone access to all the connected apps.) While on the topic of personal devices, avoid using one on your business network that has not been cleared and secured by your IT security staff.
Admin Best Practices
If VPNs are a virtual extension of network walls, administrators are charged with defending against network threats from both inside those walls and outside. A well-trained user community would be the best defense—if it weren’t for the fact that they’re human. And remember, a VPN can only protect traffic and connections within the network.
Use Standards-Based Connections
According to the National Security Agency and the Cybersecurity and Infrastructure Security Agency, standards-based connections are generally safer than custom-coded solutions. IKE/IPSec systems are generally more secure than custom-coded Secure Socket Layer/Transport Layer Security (SSL/TLS) VPNs, which work below the guardian Network Layer.
Use the Best Encryption
VPN traffic is encrypted and decrypted, obscuring both data and source. However, all encryption is not equal, even among the open-source Advanced Encryption Standards (AES) created by NIST in the 1990s. There are 128-bit, 196-bit, and 256-bit versions of AES.
You might guess that 256-bit encryption keys would be the most secure, and you’d be right. AES uses 14 rounds of encryption, each key shifting, transposing, or substituting 256-bit data blocks, making it more or less uncrackable. AES is also symmetrical: the same key is used to encrypt and decrypt the packets, making it faster than asymmetric encryption.
Know Your Enemy
This is a catch-all of best practices that comes back to the unfortunate fact that your users are your biggest vulnerability. Some ways you can mitigate that vulnerability include:
Education
Users who don’t know they’re endangering the corporate network will. Education of the user base has the best security ROI. If users who do know they’re endangering the network continue to do so, that’s another issue. It may have HR or physical security implications. In any event …
Secure Access to the Network
If staff don’t need mobile access to the VPN, don’t allow it. Control network access according to IP address. Vet devices to be used on the network. Push back on devices that can install potentially insecure applications, even if it’s a VP’s laptop. Block unnecessary access to social media applications through the network.
Push Security Features
VPNs secure data and connections, and provide a protected perimeter. For other security threats—those that are wittingly or unwittingly brought within the perimeter—other solutions are necessary. Push them to user devices where possible and update them regularly. Monitor sites that report zero-day exploits.
FAQs
Do VPNs Actually Improve Security?
Strong encryption, which is the heart of the VPN, secures data and identity in transit (and in the case of 256-bit AES, is for all intents and purposes, unexploitable). It doesn’t protect against end-point exploits or lack of user sophistication. Other solutions must be used to complement VPNs to secure the network.
Is There Something More Secure Than a VPN?
Many tout Tor as an alternative to a VPN. It’s an open-source product that obscures user identity by routing traffic through a network of volunteer servers. It’s free but can be slow and unreliable. A software-defined perimeter (SDP) is the manifestation of zero-trust principles in the form of an overlay network that masks system resources. These are particularly useful to protect against denial-of-service and other network-based attacks.
Almost every website now runs Hypertext Transfer Protocol Secure (HTTPS), which is subject to the limitations of its SSL/TLS encryption. Virtual desktop infrastructure (VDI) works well for small and scalable operations.
What Security Challenges Do VPNs Solve?
VPNs control access and provide identity management. They can obscure user activity from the Internet at large, offering some protection to password and credential information. With compatible and complementary security management software to protect against intrusion and insulate against exploits, they form the cornerstone of a secure access policy.
Bottom Line
A virtual private network is vital to secure any business network users or customers have access to. Its identity and access management tools complement the insufficiencies in HTTPS. It is a network-layer gateway that insulates applications and data from the underlying transport mechanism.
However, it can’t protect a network against the huge number of application-level exploits without being bolstered by robust anti-malware and anti-intrusion software, as well as a well-educated network workforce.
