After explaining what VPNs are, we continue our demystifying crusade by discussing what they bring to your security. Far from commercial promises, they are still very practical.
The other day, I was chatting with another dad coming out of school and in conversation, he asked me a question that I am actually asked very (too?) often:
You work in security, is a VPN really useful?
A dad after school
Like many others, he had been confronted with these big advertising campaigns from paid VPN providers but in the face of which he had (fortunately) remained dubious.
This article is sort of a continuation of the previous one, What is a VPN? which explained, in general terms, what these VPNs are...
To summarize. It is when two programs on remote machines simulate network cards and exchange data via a secure channel. The two machines then consider themselves to be directly connected to each other. This is called a Virtual Private Network (hence the acronym).
Now that we agree on what a VPN is, and because you can imagine that we don't put this kind of infrastructure in place just because we can do it, we will see today the problems they solve.
It's used to share private resources, hide your public IP address and, if the bad wolf doesn't have much money, hide you.
Share private resources
When we host services, we sometimes need to make them accessible from the Internet while wanting to restrict this access. This is the case with many companies that have internal servers on one side (i.e. messaging and file sharing) and employees roaming or teleworking on the other.
This is also the case for some multiplayer video games that allow you to host a server when you want to play but your friends cannot come to your house.
We could of course make these services publicly available. A redirect rule on your internet access box (or on your firewall) and you're done. But that poses a lot of risks for the security of your network ...
- Some services do not have built-in or reliable access control.
- Users may use credentials that are so simple that a bad guy could use.
- Even if vendors assure you that they do their best to keep their software secure, you are not immune from a vulnerability (or backdoor) being discovered and ultimately exploited...
- Some software are sometimes very old, no longer maintained, but remains irreplaceable for your company...
By leaving a service accessible, we take the risk that a bad guy connects to it, accesses confidential or private things or even exploits a vulnerability that gives him wider access to your entire network.
The solution then comes from VPNs. We install a VPN server program in the company (or at the one that hosts the game) then VPN clients programs at all those who need access. Once these programs are connected (actually clients to the server), you can think of all these machines as if they were physically in the premises (or home). A kind of Virtual LAN.
Example from the arsouyes. Our firewall contains a VPN server to which we can establish a connection when we are not at home and thus access our services as if we were there. This allows us, among other things, to make international calls via our landline.
We can of course go further and rather than connecting clients individually, use routers so that they interconnect their respective networks with each other via VPNs (we then speak of site to site VPN). The users of each network may believe that they are neighbors, the routers taking care of passing the data between them via a secure channel. For them, it's invisible.
Hide your IP address
When establishing a connection to the Internet, you and your correspondent each use the other's public IP address. For you, this address corresponds to the one that your ISP assigned to you (or that of your employer if you are in the office, you get the idea).
For a whole bunch of very legitimate reasons that are up to you, you might want your connections to use a different address than yours. If you really can't see, here are two examples:
- We are in the middle of the World Cup, the match you want to watch is not broadcast in your country and the channels of neighboring countries apply restrictions by geolocation.
- You are an auditor, pentester or bug hunter and the site you are auditing is protected by a firewall which bans IP addresses as soon as it sees them attempting an attack.
By changing your IP address, you could then bypass these restrictions and bans.
The solution may come from VPNs. This time, rather than sharing an internal resource, we are going to share the internet connection of the VPN server.
When you establish a connection to a public site, rather than sending data directly to its network card, your system route through the VPN. At the other end of the journey, the VPN server will send the data out through its internet connections, masking your IP address with its own so that the responses reach it (and forward them to you through the VPN in the opposite direction).
In the idea, it's a bit like plugging a cable into your neighbor's house. Except that the magic of VPNs allows you to do it virtually (therefore without additional cables) and with any provider who would agree to share their connection with you (for a fee of course).
For the sites consulted, your connections and your activities will be associated with the IP addresses of the internet connections of your VPN provider. To come back to our two examples...
- You were blocked by a geographic restriction… If the supplier has access to an authorized country, you can bypass the restrictions applied to you and finally see your favorite teams.
- Your IP was banned and you could no longer search for vulnerabilities... If the provider has multiple accesses, you will switch from one to the other when attack are detected by the firewall.
But even if it works, there are a few small limitations to keep in mind:
- Services and firewalls can sometimes know that the IP they see is that of a VPN and could apply specific treatment, you are not completely invisible.
- The VPN introduces a detour in the network which induces a latence. Each exchange of data with services thus takes more time (for a gamer, this will increase his ping).
- The network speed is influenced by each network link borrowed and limited by the one with the smallest capacity (the basic one or the one that remains because many people also use it).
- VPNs add headers to data which reduces usable throughput. Your data is in a sort of envelope (intended for the website), which the VPN inserts in another envelope (intended for the VPN server), each one adds weight and therefore reduces the amount of data you can send without changing postal rate.
Anonymity (or not)
Hiding your public IP address is indeed one of the steps you should take to aim for online anonymity, but its effectiveness will depend a lot on the means of the villain you want to hide from.
If you provide personal data to an application or service, needless to say that for that service you are no longer anonymous 😉.
If your concerns are about profiling or tracking done by websites, it will be pointless because they are in fact using your browser to do so (i.e. by placing cookies). For them, your IP address is just an annex datum which of course completes your profile but which they can do without.
If your concerns relate to the information collected by the GAFAM (and cie), remember that their collection is also mainly done through their software that you use (e.g. Android and Chrome for Google, Windows, Office, IE and Edge for Microsoft). Your IP address is just a drop in the collection for them, so changing it won't have much of an effect.
Applications, GAFAM and cie do not need to know who you really are via your IP address and will be happy to assign you an anonymized number to which to link your activity to, among other things, determine your areas of interest ( and offer you
fake news personalized content). Changing their IP therefore does not hinder them in their data collection and its use.
And if your concerns are with spy or state police services, ask yourself how trustworthy you can place in your VPN provider...
- If law enforcement gains access to servers, even though the vendors promised you they weren't keeping any records, is that really the case?
- If I worked for the government agencies, it's been a long time since I would have set up my own VPN service under a false identity and, with much publicity, I would have made sure that everyone was using it. No more need for investigation and search, the servers are at home...
The only time a VPN provider would allow you to be anonymous is with a bad guy who could only see an IP address linked to some activity (without being able to infer or correlate anything further).
If you want more resilient anonymity, you're going to have to put in more effort. Not only will your VPN have to be designed, tested and validated for this specific use, but you will also have to use software (and systems) in the same vein. Without forgetting to hold your tongue because what you do and say is as important as the tools to do it.
For those following Erin's adventures, as you might expect, this is the type of VPN she uses to get out of the academy's monitored network. But will it be enough… Wait and see.
And after ?
In terms of computer security, VPNs are very useful since they allow users on the Internet to establish a virtual network connection between them and thus, share private resources without making them publicly accessible.
Incidentally, they also allow you to replace your public IP address with that of the VPN provider. Useful to bypass restrictions on IP addresses (geolocation and ban). But when it comes to anonymity, except against a bad guy who only has access to your address, they are useless.