April 2023 Security Topic - Virtual Private Networks (VPN)

Tags: VPN

SUNY Brockport utilizes a Virtual Private Network (VPN) to provide off campus access to non-public services and applications. We have been utilizing VPN technology for many years, but there is still often confusion about what it’s for. In this article we will attempt to clarify some of the confusing aspects of this technology without diving into the technical details of how it works.

First, we need to make a distinction between personal VPN and corporate VPN services. Often people receive advice to use a personal VPN while traveling to protect the privacy of their Internet activity. A personal VPN attempts to hide Internet traffic from the network the user is on (a hotel Wi-Fi network, for instance) by passing it through a VPN provider, from which it finally goes out to the Internet. A personal VPN allows for some “local” privacy, but of course the user doesn’t get privacy from the VPN provider. Many VPN providers do claim to delete histories and not maintain copies of user traffic. Personal VPN usage in many cases, however, is about trying to hide Internet activity from one actor while revealing it to another. It’s a matter of who the user trusts more. Should we trust the hotel Wi-Fi provider, or the personal VPN provider more? Often, we should err on the side of our chosen provider.

Passing through a personal VPN provider and getting out to the Internet has other benefits. People can use VPNs to get around local network or regional restrictions. People can use personal VPN services to appear as if they are living in England. This allows them to watch regionally specific content on Netflix, like all the seasons of the show Doctor Who, which may not be available through that same service in the United States. Personal VPNs provide a useful service to individuals by assisting with their privacy and allowing them to bypass network and regional restrictions. Corporate VPNs have a slightly different purpose.

Many organizations use network appliances called firewalls to protect the networked computing equipment installed in their buildings. The same way we use locks on doors to protect physical equipment, a firewall protects digital equipment from unwanted or dangerous network connections and activity. Firewalls are important and powerful protections for many organizations in the world.

For some services, like a public website, we tell the firewalls to chill out a bit. We want members of the public to visit our website, so they must be able to get past a firewall. On the other hand, we don’t want everyone to access our internal services and equipment. We want to grant access to specific people for those services. We also want to monitor that access to make sure it isn’t related to stolen credentials or some other malicious activity.

This is where the corporate VPN comes in. Instead of the user appearing as if they are in England watching Doctor Who, they instead appear as if they are physically at their office location. In other words, a corporate VPN is a bypass to the firewall. This allows employees working from home to appear as if they are at work, and not have all the restrictions from the firewall.

If the firewall is so important for network security, why would we want to allow the VPN service to essentially bypass it? Without a VPN we would need to make complex firewall exceptions to allow all the individual remote connections to occur. It also wouldn’t be easy to know who all the connecting people were, since we might not authenticate them. That would be very difficult to do safely and very time-consuming. A well-run corporate VPN service can provide access to specific people much more efficiently and much more safely. Yes, it’s a bypass to a firewall, but a much safer alternative than making lots of exceptions to how the firewall works.

Of course, a corporate VPN also encrypts Internet activity. In this case the privacy benefits are a bit clearer. We are hiding traffic from the “local” network and disclosing it to the employer through the corporate VPN service. This helps to keep work-related matters private without potentially exposing them to snooping on untrusted networks. Of course, this won’t keep personal traffic private, since the VPN service is run by the employer, and the employer has access to that data.

If we have done our job, VPN technology should be a little bit less confusing at this point. Now we should go a bit further to compare when to use a personal VPN or a corporate VPN.

When the personal VPN provider is trusted, it can help provide personal privacy and allow for bypassing the rules and restrictions of companies or governments. Personal VPNs can be excellent for personal use. Corporate VPNs, on the other hand, are more about protecting work-related privacy and allowing secure access to work resources. Using a personal VPN to protect work information or obtain access to work resources isn’t ideal, and neither is using a corporate VPN for personal privacy. Each one has its own purpose.

And finally, there is the challenge that personal VPNs pose to the corporate security model. A well-known use case for VPNs is to bypass network and regional restrictions. Just like a corporate VPN can allow people to bypass the firewall coming in, a personal VPN can allow people to bypass the firewall going out. This can allow malicious activity to occur on a corporate network that the firewall would otherwise have blocked for safety.

Thank you very much for your time in this lengthy exploration of virtual private networks. For further exploration please find references below. You can also send questions related to this article to infosec@brockport.edu.

References

What Is a VPN? - Virtual Private Network - Cisco

What Is a Business VPN? Understand Its Uses and Limitations - Palo Alto Networks

Need to report an IT security event or incident?

To report, please submit a ticket here: Report an IT Security Incident, or call the IT Service Desk at (585) 395-5151 Option 1.

Details

Article ID: 145425
Created: Mon 4/24/23 11:54 AM
Modified: Wed 12/13/23 4:11 PM