Podcast Apr 02, 2020

Root Causes 80: The Pros and Cons of VPNs

With the sudden, meteoric increase in remote workers, many IT professionals are looking at VPN as a method of keeping them secure. Join our hosts as they discuss the advantages and disadvantages of VPNs, and what to look out for.

  • Original Broadcast Date: April 2, 2020

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So, today, we want to talk about VPNs. VPNs are very close to interwoven with the world of PKI, though it’s not a PKI technology itself. It is about secure access. It does depend on PKI and if you're implementing PKI systems, there is a very good chance that you're dealing with VPNs. So, we wanted to talk I think about the strengths and weaknesses and pros and cons of that approach.

  • Jason Soroko

    Absolutely, Tim. They've been around a long time. Virtual private networks have been an important toolset for people in IT for many, many years to be able to pass network boundaries that are unfriendly.

  • Tim Callan

    Yeah.

  • Jason Soroko

    So, quite often the scenario is you have an employee that's remote, that's not necessarily within the corporate network and you want that person to be able to join that network securely with the idea being that, on the unfriendly networks that you're attaching across, you don't want anybody to be able to look at or alter the packets that are going between the client and the safe network that’s the destination. So that's, you know, in an absolute nutshell, what it's for.

  • Tim Callan

    Right.

  • Jason Soroko

    And it was great because my goodness, you could actually work from home. You could work from a coffee shop. You could work from all kinds of places or perhaps you could also allow third parties like contractors to come in and do work as well. So, you know, when it first came out and even to this day, it's an important technology. Uh, so it absolutely has its pluses. And I think Tim, we really have to talk about - - I don't know if it's necessarily the minuses of it, more of things you - - the blind spots people have with respect to implementing virtual private networks, VPNs.

  • Tim Callan

    Right. Yeah. I think that's a better way of putting it, which is you can easily assume, right, that you've got a VPN and you're just rock solid and everything's great and what may turn out is that there are certain decisions you need to make and if you make the wrong decisions, then maybe you're not as secure as you should be.

  • Jason Soroko

    One of the ways I like to think about the two main issues that you really have to be aware of when you're choosing a VPN: if you are choosing a virtual private network that is provisioned to you by your employer, for example, that probably means that your termination point, which is that virtual private network, which is a tunnel, essentially an encrypted tunnel between you and some other computer somewhere, that other computer somewhere is the termination point, and if it's terminating within the enterprise network, hey, that's pretty good. You know, that means you trust the computer that you are terminating to.

  • Tim Callan

    Well, right. Because once upon a time, when VPNs were created, it was in the old world of the strong network perimeter. Right? You and I have talked about the degradation of that perimeter now and I think that's an important point to return to, but back in the early 2000s, you know, I had VPN access back then and, you know, there was a high degree of confidence that where that tunnel was ending was considered, you know, was in the green zone, was in the safe zone, and it was sort of a way of just extending your firewall to cover more ground than it would have covered otherwise.

  • Jason Soroko

    Absolutely. But you know, Tim, you know, in popular media right now it's amazing, you don't have to necessarily be an information worker, you might just be an average person who happens to have a smartphone or, uh, a laptop you like to bring to a coffee shop or, you know, or you're a road warrior, you’re in airports, etc., hotels. You're obviously connecting to all kinds of hostile network environments. And one of the recommendations that people are being told left and right is, hey, just connect, you know, connect with a VPN and you'll be alright. Right.

  • Tim Callan

    Yeah.

  • Jason Soroko

    The issue with that is not all VPN providers are created equal. And another way of saying that is - - that's why I brought up the topic of the termination point first.

  • Tim Callan

    Yeah.

  • Jason Soroko

    So, you said it perfectly, which is if you're terminating into a known green zone that you trust, hey, life is good. The problem is that if you are getting some sketchy VPN service that you're paying 10 bucks a month or five bucks a month for, who knows where you're terminating.

  • Tim Callan

    So, I might be terminating and then my traffic might be going over the open internet to get to where it's ultimately going anyway and I haven't solved my problem?

  • Jason Soroko

    Well, what you've solved is you've probably solved the problem of the coffee shop.

  • Tim Callan

    Right.

  • Jason Soroko

    Or you've solved the - - you've solved the problem of your network traffic is now encrypted and protected on the coffee shop’s network, on the hotel's network, on the airport lounge’s network.

  • Tim Callan

    For sure. That part's covered.

  • Jason Soroko

    Correct, but the problem is where have you terminated? Because past that point, you're not covered anymore.

  • Tim Callan

    Right. So, you know, I know a lot of VPN usage is that kind of thing you're talking about. I'm just going to grab wi-fi wherever I get it and I don't know what if - - what if someone's doing something bad and I just want to make a tunnel to get through that part of it. Uh, and a lot of other VPN usages in hostile parts of the world, right? Parts of the world where free speech isn’t encouraged and so people get a VPN so that they can go online and read what they want to read and say what they want to say without worrying about the police. And so, those scenarios, maybe the VPN is still doing what you need for that part of it. You just shouldn't assume that it's giving you total absolute blank security.

  • Jason Soroko

    That is it in a nutshell, Tim, which is, you know, I think the problem is a lot of people think, well, I'm now connected by VPN, I'm good.

  • Tim Callan

    Yeah.

  • Jason Soroko

    I no longer have to worry about my network. And that's true only if you trust the terminating point, and how do you know that you can trust it? Well, like I said before, if it's an enterprise network that you've been provisioned into, fantastic. That's probably something you can trust. However, I guess what I am saying, Tim, is be careful who you purchase your third-party VPN services through because some of them are a bit sketchy.

  • Tim Callan

    Right. And I'm not going to ask you to name names, but is there a way that I can research and feel, have a high degree of confidence that I'm using a VPN partner where I wouldn't have that worry?

  • Jason Soroko

    Oh, man. That's such a good question. I can tell you right now that a lot of VPN service review sites are written by VPN services.

  • Tim Callan

    So, that might not get you there. It's sort of analogous to your VPN problem. You think, you think it's all good, but maybe in reality it’s not. Um, okay. So, I think this is good intel. You know, the one thing that I'll offer is it feels like oftentimes - - and you and I run into this a lot in the security world, a lot of times what you're doing is you're choosing between alternatives. And so, if you're just out there with your laptop hanging in the world, logging onto whatever Wi-Fi you can find and doing whatever you're doing, then there's a very good chance that you're more secure if you're using a VPN, even if you don't understand the nuances of what you're talking about, Jay. Right? "Some protection is better than no protection" is often the case in the security world and it feels like that's probably the case here.

  • Jason Soroko

    And there's also some subtleties in that as well. Like why are you using that VPN? If it's merely to just make sure that your network traffic isn't being messed with at the coffee shop, that's, that's a noble cause. Right? I do think though that some people are doing, you know, some people may choose to use a VPN, you know, to kind of fool people in terms of where their geographic location is for the purposes of perhaps consuming a streaming service. Right. Those are well-known reasons why some people get VPNs.

    Hey, and if you live in certain jurisdictions that have national firewalls, and again, I'm not going to name names, but you know which countries they are, a VPN can be a technology perhaps that can terminate you outside of that firewall so that you can consume social media services and whatever else.

  • Tim Callan

    Yeah, right or this is, you know, it's viewed as an important enabling technology let's say for people in certain autocratic regimes who want to be able to practice free speech, by way of example.

  • Jason Soroko

    Yeah, sure. So, there's a lot of reasons why you use it and that's important to know because the problem is, you know, if you’re choosing a VPN provider and you're trying to hide something, that's probably a bad idea. Perhaps we could get into another podcast one day about onion servers and like people who want to hide stuff. That's not really the purpose of this podcast. It's more choosing the correct technology and understanding its limitations is what we're talking about here.

  • Tim Callan

    Right. Yeah. It sounds like this is, if I can do the real high-level, dumbed-down version of it, this is one of those "know your tool" things: know what your tool does and make sure you're using it for the purposes you think you're using it for.

  • Jason Soroko

    Yeah, because you think you're anonymous. Right. In other words, if you're hiring - - as soon as you're hiring a VPN service that claims that they don't do any logging and if they were subpoenaed there's no log about your IP address and nothing can get to you - - I would have a good chuckle at that because I don't know of any that - - if some police authority were to get ahold of the VPN service and you've done something bad that they couldn't track it back to you. You should realize, just assume this is not an anonymizing service. So, VPN is really not for that. For example, if you're using your VPN through work, it absolutely, you're not anonymous in terms of what you're doing.

  • Tim Callan

    Oh yeah, of course.

  • Jason Soroko

    Your workplace, you know, where you've searched, the DNS querying, all that stuff is loggable and some employers may be logging that. So, in other words, it is really just purely - - VPN is purely - - if you want to think about what its absolute strength is, it gets you past the hostile Wi-Fi access point you're at, at the moment, into some other, somebody else's computer, and where you terminate.

  • Tim Callan

    It’s a safe tunnel from one place to another place. Right? And most of the valid use cases for VPN have absolutely no need for the kind of confidentiality stuff that we were talking about a few minutes ago. You know, I have lots of work information that I send around that I wouldn't want any random stranger to read but it's not about being secretive, it's just about keeping our confidential information confidential. And that I think is probably true for most uses of a VPN. Right? There's nothing wrong with you not wanting people to know your credit card number or not wanting people to steal your logins and for almost all of what people need from VPN, that's ultimately what they're accomplishing.

  • Jason Soroko

    Correct, Tim. So, I want to pivot now to maybe one of our final points, which is, again, not all VPNs are created equal, especially in the sense of the authentication method. So, believe it or not, there still are a lot of VPNs out there where it's just a username and password to get in. Like that's crazy, but it is what it is.

  • Tim Callan

    Sure.

  • Jason Soroko

    Some of them have added MFA, which is, hey, we're big proponents of that, but if you're an enterprise and especially right now with the COVID-19 remote worker situation, Tim, one of the things that we cannot emphasize enough is that certificate-based authentication with a notable VPN technology, you know, Cisco or whoever it happens to be - - if you're using a certificate issued by a private CA, your certificate authority within your enterprise, for your employees, to do really good access control, that's a great, great thing. Because think about this, right, you no longer have the chance of there being a stolen username and password, you no longer have the issue of having to provision out MFA and have the user do that second step, you can put that certificate into a secure location, such as a Windows 10 laptop TPM, trusted platform module chip, which means that certificate cannot be stolen, and there are other form factors as well that are quite secure. But think about it, Tim, in terms of - - it's very rare when maximum security and maximum usability come together, and that is certificate-based access control for VPN. That's the right way to do it.

  • Tim Callan

    And that's true of so many things, right? That's how come, you know, we keep coming back to this over and over and over again, because there are so many use cases where those two factors apply and we come to the same conclusion.

  • Jason Soroko

    So, Tim, I want to promise to everybody, this is not a sales pitch, but Sectigo Web is providing a VPN service right now. For purchase. So that's one that you can trust. The thing is though, for other people who want to be really technical, you have a really interesting - - perhaps you come from an IT background and you want to experiment, you know there's something out there called Algo VPN, or A-l-g-o VPN, and I'll let anybody who is interested go ahead and search that, but that's a way of scripting a VPN service for yourself through a Cloud provider of your choice. So, essentially you would be terminating, your termination point from your smartphone or your laptop would be your Cloud service.

  • Tim Callan

    Okay.

  • Jason Soroko

    Yeah. And I'll tell you it's not free, right? You're obviously, the scripting service itself, the script itself, the Ansible script is free. You can download it from the people who provide it. We can talk about Dan Guido and all those guys later. Those are a great bunch of people who provided this, but I've used it. I've experimented with it and it's written by very smart people who know how to set this up well. It’s a way of getting a VPN provisioned very quickly and easily. It's, obviously the cloud services that you're going to consume are not going to be free, but it may be good for certain use cases, and I'll tell you for people who are technically curious, try it out.

  • Tim Callan

    All right, so that's good. I think maybe that's a good overview of the topic. Um, so VPNs, know what your tool does and what it doesn't. It absolutely is a secure tunnel from Point A to Point B. Just know that that Point A and Point B are what they are. As long as you understand that and you're using the tool correctly, it's a very valuable part of your overall security portfolio. And you know, if you were interested in it, check out Algo VPN. So, I think that's a great summary of the topic, Jay. Are there any final thoughts?

  • Jason Soroko

    No, Tim, but good luck out there. And don't forget, VPN is not your only option. If you’re really trying to provision your users right now for remote working there are things like desktop as a service and surprise, surprise, private PKI certificate-based access control to those things is the right way to get there, too. Stay safe.

  • Tim Callan

    Stay safe, everybody. Thank you. This has been Root Causes.