How secure is a VPN tunnel? Not as secure as you might think
Working from the home office, remote maintenance of servers and clients, collaboration. Public WLANs and prying eyes. Information security and privacy protection. These are some of the main reasons why organisations choose to operate Virtual Private Networks (VPN). But do VPNs really offer the promised protection?
VPN technology was first used in 1996 when a Microsoft employee developed the PPTP protocol. The protocol created a more secure private connection between a user device and the Internet.
How secure is a VPN?
Many VPN providers claim to be market leaders in protecting sensitive personal data when employees connect to public networks. In some cases, the VPN client works as promised. By providing an encrypted connection on IT-managed devices, these solutions protect confidential company data as well as the personal data of VPN users. Someone eavesdropping at a public Wi-Fi hotspot would not be able to observe the user's internet activity, whereas users on public internet access without such protection can be observed.
But what happens when the user is working in an adjacent office room rather than on a long-distance train? A VPN always assumes that the traffic it carries is trustworthy. In many cases, unfortunately, this is a fallacy.
This is due to the following points:
A VPN tunnel is exactly what the name says: a tunnel. VPN security attempts to hide all user activity from third parties and hackers when employees or service providers are working remotely. The sole purpose of these solutions is to shield data streams and information in transit from prying eyes and from eavesdropping on confidential data, just like a tunnel that cannot be seen into from the outside. The flip side is that it is no longer possible to control and monitor what happens inside this hidden tunnel, so all the new attack vectors it carries remain completely outside the organisation's view.
Developments such as bring your own device (BYOD) reinforce the point that office IT is no longer provided solely by the IT department and used preferably on-site in the office. Nowadays, employees want, and regularly use, their own mobile devices at work. They rely on cloud, SaaS and web-based applications, and in most cases it is still easy to resort to unauthorised applications such as private cloud services. In effect, this means that internal company networks can be accessed from anywhere and via any gateway.
The larger the attack surface on offer, the less able IT departments are to react appropriately and take suitable technical and organisational measures.
Security gaps with VPN and alternatives
Even the best VPN cannot cover all attack surfaces when it comes to protecting personal information. Why? Unlike zero-trust solutions, which grant users no implicit trust, traditional network models trust their users blindly. Once access has been granted via VPN technology, users have full access to the network.
Figuratively speaking, this means that the network of the user who establishes the VPN connection is normally linked automatically with the target network inside the organisation. Conversely, all potential threats lurking in the remote network now become relevant to the company network that is worth protecting.
Moreover, VPNs do not protect the corporate network when users log on locally from their "own" network. VPN tunnels usually not only rely on a far too simple single-step authentication of the user, but are also limited to pure remote access from outside. This poses a threat to corporate resources. If the VPN is even a free service financed by ad tracking and advertising, the risk increases immeasurably.
VPN in and of itself has the right goals: more information security, more online privacy and data protection, protection of critical assets. However, there are more effective alternatives.
3 reasons to replace VPN with a PAM solution with integrated Remote Support:
1. High risk due to uncontrollable security vulnerabilities
VPNs expose entire networks to distributed denial-of-service (DDoS), sniffing and spoofing attacks. This is because a VPN connects two security zones that are actually separate from each other. As soon as an attacker or malware gains a foothold in a network via an infected connected device, the entire internal corporate network can be affected.
With VISULOX, external as well as internal users have access to their own workspace without VPN, if desired via Single Sign-On (SSO) with prior Multi-Factor Authentication (MFA). Access takes place at application level, which means that security zones that are deliberately separated from each other are never linked.
2. Difficult scaling and low user comfort with VPN connections
VPN tunnels are usually provided for a small number of remote employees. It is often said that privileged users in particular should preferably work within the company network itself. Today, however, there are companies that predominantly provide remote workplaces. This may be due to external influences, such as the home-office obligation during the coronavirus pandemic, or to the change in working life itself. VPN infrastructures quickly become bottlenecks here and create a critical dependency for companies. This is especially true for traditional client-server applications that require a lot of bandwidth and are not easy to scale.
VISULOX provides every user, whether from the finance department, production or IT administration, with a suitable and familiar workspace via web browser. In addition, VISULOX as a PAM solution offers basic security functions such as multi-factor authentication, single sign-on, session recording and controlled data transfer. Thanks to a dynamic, concurrent-user licensing model, VISULOX scales automatically to the entire workforce without noticeably increasing the effort within the IT department. VISULOX can be put into operation immediately, without an agent on clients or servers and without interrupting operations.
3. Access to VPN from unmanaged private devices
This is a very high risk, as an internal IT department has no influence on the security status of personal computers or private mobile devices. These devices could be infected with ransomware or malware that attackers use to create a gateway into corporate networks or to spy on confidential data. Above all, the mostly unrestricted data transfer, e.g. via mapped network drives, offers a considerable attack vector: it not only increases the risk of malware infiltrating the network, but also facilitates the outflow of valuable information.
VISULOX works like the familiar security check at airports and scans every file to be transferred. Without exception, every data transfer, inbound or outbound, goes through this scan. VISULOX allows you to define fixed rules and thus control all data transfer. The connection is made from the application to VISULOX and only then to the server, and vice versa, so that the security zones are maintained at all times.
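To make the idea of fixed transfer rules and an exceptionless scan tangible, here is an added Python example; it is not VISULOX's own code or rule syntax, and the roles, extensions, size caps and sample files are constructed for the illustration. Each transfer, in either direction, passes through one `inspect` function that applies the role's rule (direction, filename, extension allow-list, size cap) and then sniffs the content's leading bytes so that an executable renamed to `.pdf` is still refused.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    user: str
    direction: str      # "in" = toward the server, "out" = toward the user's device
    filename: str
    size_bytes: int
    head: bytes         # first bytes of the content, used for type sniffing


@dataclass(frozen=True)
class Rule:
    allowed_ext: frozenset[str]   # extensions permitted for this role
    max_bytes: int                # size cap per file
    directions: frozenset[str]    # directions the role may use at all


# Constructed per-role rules: finance may exchange office documents both ways,
# an external contractor may only download logs.
RULES = {
    "finance": Rule(frozenset({".pdf", ".xlsx", ".csv"}), 25_000_000, frozenset({"in", "out"})),
    "contractor": Rule(frozenset({".log", ".txt"}), 5_000_000, frozenset({"out"})),
}

# Content signatures that never pass, whatever the extension claims.
BLOCKED_MAGIC = {
    b"MZ": "windows executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}


def inspect(t: Transfer, role: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one transfer under the given role's rule.
    Every transfer, inbound or outbound, goes through this single check."""
    rule = RULES.get(role)
    if rule is None:
        return False, "no transfer rule for role"
    if t.direction not in rule.directions:
        return False, f"direction {t.direction} not permitted"
    if "/" in t.filename or "\\" in t.filename:
        return False, "path separators not allowed in filename"
    ext = os.path.splitext(t.filename.lower())[1]
    if ext not in rule.allowed_ext:
        return False, f"extension {ext or '(none)'} not on allow-list"
    if t.size_bytes > rule.max_bytes:
        return False, "exceeds size cap"
    for magic, label in BLOCKED_MAGIC.items():
        if t.head.startswith(magic):
            return False, f"content looks like {label} despite extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample transfers exercising each rule branch.
    samples = [
        ("finance", Transfer("alice", "in", "Q3-report.pdf", 1_000_000, b"%PDF-1.7")),
        ("finance", Transfer("alice", "in", "invoice.pdf", 300_000, b"MZ\x90\x00")),
        ("contractor", Transfer("carl", "in", "notes.txt", 10, b"hello")),
        ("contractor", Transfer("carl", "out", "app.log", 6_000_000, b"2024-")),
        ("finance", Transfer("alice", "out", "../secrets.csv", 10, b"a,b")),
    ]
    for role, t in samples:
        print(f"{role:10s} {t.direction:3s} {t.filename:18s} -> {inspect(t, role)}")
```

The ordering of the checks matters for the reason string the user sees, but not for the outcome: every branch denies, and only a transfer that clears all of them is forwarded to the server or the user's device.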