BLOG

Virtual Private Networks (VPNs) have become increasingly more popular over the past several years. Many organizations are now offering services that provide users with a variety of new capabilities.

In the original use case, a virtual private network establishes a secure connection between two locations on the internet. All of the data sent between those two points passes through an encrypted “tunnel,” providing a high degree of security.

VPNs used to provide secure remote access to resources located on another network. This original use for VPNs enabled employees to connect to remote business networks while operating out of a different office location or traveling. And this continues to be a valuable service today as more and more business activity becomes mobile.

But the newer VPN use case that is taking the world by storm provides a completely different service. Learn how to teach students what to look for when it comes to evaluating VPNs.

How Do VPNs Work Now?

The newer methodology utilizes a VPN connection to mask an IP address or route traffic through a different location on the internet. This method is supposed to create more privacy for the user or allow users to pretend they are in a different location.

This new use case is rapidly growing as people have found a new use for VPNs that go beyond business scenarios. It has expanded the use of VPN technology beyond business allowing everyday users to take advantage of the security and obfuscation a VPN can provide. But is it as effective and private as so many organizations are touting?

Imagine this scenario: a user in Germany wants to gain access to a video streaming site in the United States, but that site only allows access from U.S. based subscribers. So, the user establishes a connection from Germany to the U.S. over a VPN connection, and then makes a secondary connection to the streaming service. This workaround makes the source location appear to be in the U.S. when the true source location is actually in Germany.

This is a common scenario with a lot of U.S. travelers wanting to watch their streaming platforms while traveling in other nations. From a technical standpoint, this scenario works well, and as long as the necessary bandwidth is available, users can have a positive experience. Though, the policies of the providers may cause a user to lose access if these workarounds are discovered.

Now, imagine this scenario: an ISP announces they are logging all activity of every user and analyzing that data to provide targeted advertising. Users do not like this plan, but they are limited by availability, so they turn to a VPN service to help mask their activity.

If one is concerned about their ISP tracking their internet activity, they can pay for a VPN service and connect to that service every time they use the internet or use it often enough to lessen the amount of data the ISP can collect.

Of course, the ISP can see they are using a VPN, but it cannot see what is happening inside of the tunnel or connections the user is establishing on the other side of the tunnel.

To be fair, all ISPs log user activity for a variety of reasons and the concern that the collected data could potentially be used for nefarious purposes is somewhat valid, especially if the user has a measure of fame. The problem is that the purported privacy provided is not as private as one may expect.

How Private are VPNs?

Anyone studying cybersecurity should recognize that a glaring problem with this configuration, and the piece none of the VPN providers talk about, is that there is nothing stopping the VPN provider from logging all of a user’s data.

They essentially become the gateway a user’s traffic crosses and they have the ability to monitor, filter, block, or take any other action an ISP may otherwise take. They also know the identity of the users because a fee is paid every month via a credit card transaction.

Using a VPN does not actually create stronger privacy. All that is really happening in this transaction is the potential monitoring is being moved from one organization to another.

If we go back a few years, the creation of The Onion Router (TOR) Network used a similar methodology of bouncing connections through multiple locations in order to mask the true origin of a connection.

This works a little differently because the connections are passed through several random computer locations that participate in the network eliminating the possibility that a single node will be able to monitor all traffic from a particular user.

The likelihood of traffic being routed through the same locations is pretty slim, but the biggest problem with TOR is that it is incredibly slow. It served a purpose for a time but has fallen out of popularity for a variety of reasons, speed being a major factor.

Many VPN service providers state that they do not log data. But, with all the providers available on the internet, there is no way to independently verify if logging is taking place. If privacy is really a concern, the user needs to take additional action to make sure privacy is actually being achieved.

What Should I Teach My Cybersecurity Students When It Comes to VPNs and Privacy?

This is where cybersecurity students need to think outside the box. Cybersecurity professionals need to be able to provide their clients with specific actions that can keep their data private in these situations.

Full anonymity on the internet often requires multiple steps, especially when third party services are being used. This is where a more creative solution becomes necessary.

A three-step process can make these VPN connections more effective.

1. First, create a secondary email address that is only used for logging into the VPN service.
2. Second, do not use your real name as the username with the VPN service.
3. Third, pay for the service using a prepaid credit card--if they allow it.

These steps effectively remove an individual’s identity from the data. An additional step could be to use multiple VPN services at different times, or even route from one to the other in a similar fashion to TOR. These are the types of critical thinking exercises cyber security professors should provide to their students.

These may seem like extreme steps, but the key thing to understand is that security is often an inconvenient necessity. If we really care about security, we need to take the time to think through all the variables involved in the process.

We cannot simply install a piece of hardware and assume everything is secure. We must be willing to take the extra steps of thinking about how a hacker may try to gain access, the type of data providers can access, and the methods we can put in place to ensure real security and real privacy while operating online.

Popular practices, such as using a VPN for these purposes, should always be evaluated to determine if there are any unspoken truths behind the service being offered.

Network Security, Firewalls, and VPNs, Third Edition

Network Security, Firewalls, and VPNs, Third Edition provides a unique, in-depth look at the major business challenges and threats that are introduced when an organization’s network is connected to the public Internet.

Request Your Digital Review Copy

• Filling the Cybersecurity Talent Shortage: An Educator’s Perspective
• The Importance of Teaching Public and Private Cloud Infrastructures
• Arming Students for the Digital Age: Educators’ Role in Meeting Cybersecurity Demand

Dr. Gene Lloyd is an adjunct professor at Liberty University. He teaches computer science and cyber security programs for undergraduate and graduate students with a focus on applied cryptography, digital forensics, ethics, legal issues and policies, web security, ethical hacking, security operations, risk management, network security, access control systems, and advanced topics in computer security.