VPN and visibility: the paradox of secure networking
By John Hallett
Published on: 02.11.2020
Virtual private networks (VPNs) have been around for a long time, probably because they play a niche role for both end users and companies. They allow end users to share files over BitTorrent, watch content that would otherwise be blocked in their geographical area or simply keep their online activities private from prying eyes. For companies, they connect and authorize employees securely and give employees who are out of the office access to the company resources they need.
A simple and straightforward technology, VPNs encrypt data at the source and decrypt it at the destination. Between these two points, the data is scrambled and tunneled, and no eavesdropping activity on that link will help reveal the content of the packets being transported. VPNs are particularly important where data is transported across non-secure links such as ISP and open WiFi networks.
VPNs are essential tools to deliver identity protection. Deploying a VPN server with a VPN client on the user’s endpoint device not only ensures data security between these two points but also protects the identity of the user from the rest of the network. The VPN server and its IP and location become the internet-facing representative of the actual user, enabling access to any service in the world without revealing the user’s true identity. This not only masks the user’s identity but also keeps the endpoint devices from being targeted by internet-based cyberattacks.
In recent years, new and varied use cases have developed around VPNs. With the emergence of new concepts in network architecture, such as the zero trust network, VPNs came to be seen as another tool that can be deployed within the company to control access to company-internal resources. As a security concept, the zero trust network removes the demarcation between internal and external users by applying the same access control measures to everyone. The perimeter that replaces this demarcation is defined by the secure access service edge (SASE), a new corporate network architecture that extends the corporate network perimeter to new ‘branch’ networks covering mobile workers, remote workers and IoT endpoints.
VPNs have two major roles to play in SASE: firstly, to transport traffic from various remote endpoints securely onto the SASE network, and secondly, to enable access control for all users on the corporate network. In the latter case, internal and external users log onto specified VPNs which allow companies to delegate different levels of authority and segment users into different user groups with tiered access to network resources, including private subnets.
Although VPNs play a key role in secure connectivity for individuals and companies, not all VPNs are welcome. For companies, third-party VPN traffic means activity on the network that is invisible to the network administrators. Why does third-party VPN traffic enter corporate networks? Very simple: users on corporate networks can always purchase private VPN services from VPN vendors and use these VPNs to access content that they would not want their employers to know about. Some of this traffic may be unwanted office activity, such as cloud gaming or video streaming, which uses massive amounts of bandwidth, interfering with the performance of corporate applications and consuming precious network resources. However, it may also be unauthorized or even illegal activity, such as streaming geo-blocked content. The user may also simply use VPN settings to hide their identity from browsers and search engines.
For whatever reason it is used, third-party VPN traffic poses increased security risks to company networks, as encrypted traffic can easily pass through the corporate IT firewalls. Fortunately, companies are able to actively identify and filter this kind of traffic by means of technologies such as deep packet inspection (DPI). Our DPI engine R&S®PACE 2 identifies and classifies encrypted traffic in real time, using metadata extraction along with heuristics, statistical analysis and more advanced techniques leveraging machine learning to identify protocols, applications and application attributes such as video attachments. These methods enable R&S®PACE 2 to classify applications and protocols reliably despite encryption and obfuscation, detecting underlying applications in QUIC, IETF QUIC or TLS-encrypted traffic. R&S®PACE 2 is able to identify most VPN providers and thus unauthorized VPNs in real time and block them if necessary. Additionally, the analytics provided by R&S®PACE 2 enable network administrators to assess the impact of VPN traffic on network performance and anticipate possible abuse of network resources.
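To make the idea of "classifying encrypted traffic from metadata" concrete, here is an added example (not R&S®PACE 2 code, and not a description of its engine) that fingerprints the tunnel-setup packets of three common VPN protocols from payload structure alone, so that an OpenVPN session on UDP 443 is still recognized. The `Packet` type, the detector names and the sample packets are constructed for this illustration; the byte layouts checked (WireGuard's type byte and fixed handshake lengths, OpenVPN's opcode/key-id byte and TCP length prefix, the IKEv2 header and NAT-T marker) come from the published protocol specifications.

```python
import struct
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured datagram/segment: transport protocol, destination port, payload (constructed type)."""
    proto: str      # "udp" or "tcp"
    dst_port: int
    payload: bytes


# WireGuard handshake messages carry a type byte, three reserved zero bytes and
# a fixed total length: initiation 148, response 92, cookie reply 64.
WG_HANDSHAKE_LENGTHS = {1: 148, 2: 92, 3: 64}

# OpenVPN packs (opcode << 3 | key_id) into the first byte. These opcodes open a
# new session and are the clearest fingerprint of a tunnel being set up.
OPENVPN_RESET_OPCODES = {7: "hard-reset-client-v2", 8: "hard-reset-server-v2",
                         10: "hard-reset-client-v3"}

IKEV2_VERSION = 0x20   # major 2, minor 0
IKE_SA_INIT = 34       # exchange type of the first IKEv2 message


def is_wireguard(pkt: Packet) -> bool:
    if pkt.proto != "udp" or len(pkt.payload) < 4:
        return False
    mtype = pkt.payload[0]
    if pkt.payload[1:4] != b"\x00\x00\x00" or mtype not in WG_HANDSHAKE_LENGTHS:
        return False  # type 4 (transport data) is deliberately ignored: too ambiguous
    return len(pkt.payload) == WG_HANDSHAKE_LENGTHS[mtype]


def is_openvpn(pkt: Packet) -> bool:
    body = pkt.payload
    if pkt.proto == "tcp":
        # TCP mode prefixes every record with a 2-byte big-endian length
        if len(body) < 2 or struct.unpack("!H", body[:2])[0] != len(body) - 2:
            return False
        body = body[2:]
    # opcode(1) + session id(8) + packet-id array length(1) + packet id(4) is the
    # smallest possible hard-reset message
    if len(body) < 14:
        return False
    opcode, key_id = body[0] >> 3, body[0] & 0x07
    return opcode in OPENVPN_RESET_OPCODES and key_id == 0  # heuristic: fresh sessions use key id 0


def is_ikev2_sa_init(pkt: Packet) -> bool:
    if pkt.proto != "udp":
        return False
    body = pkt.payload
    if pkt.dst_port == 4500 and body[:4] == b"\x00" * 4:
        body = body[4:]  # NAT-T: strip the non-ESP marker
    if len(body) < 28:
        return False
    spi_i, spi_r, _next, version, exchange, _flags, _msg_id, length = struct.unpack("!8s8sBBBBII", body[:28])
    # In IKE_SA_INIT the initiator SPI is set, the responder SPI is still zero
    return (version == IKEV2_VERSION and exchange == IKE_SA_INIT
            and spi_i != b"\x00" * 8 and spi_r == b"\x00" * 8 and length == len(body))


DETECTORS = [("wireguard", is_wireguard), ("openvpn", is_openvpn), ("ikev2", is_ikev2_sa_init)]


def classify(pkt: Packet) -> str:
    """Return the first protocol label whose structural check matches, else 'unclassified'."""
    for label, detector in DETECTORS:
        if detector(pkt):
            return label
    return "unclassified"


def summarize(packets) -> Counter:
    """Count packets per label; this is the view an administrator would chart over time."""
    return Counter(classify(p) for p in packets)


# Constructed sample packets (not captured traffic). The second OpenVPN sample
# is sent to UDP 443, which a port-based rule would have waved through.
SAMPLE_PACKETS = [
    Packet("udp", 51820, b"\x01\x00\x00\x00" + b"\x00" * 144),
    Packet("udp", 443, bytes([0x38]) + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"),
    Packet("tcp", 1194, struct.pack("!H", 14) + bytes([0x38]) + b"\x22" * 8 + b"\x00" + b"\x00\x00\x00\x01"),
    Packet("udp", 4500, b"\x00" * 4 + b"\xaa" * 8 + b"\x00" * 8 + bytes([33, 0x20, 34, 0x08]) + struct.pack("!II", 0, 28)),
    Packet("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),  # plain DNS query
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.proto}/{p.dst_port:<5} -> {classify(p)}")
    print(summarize(SAMPLE_PACKETS))
```

The checks are intentionally tied to handshake messages rather than to the encrypted data packets that follow, because the handshake is where the fixed structure lives; once a flow is labelled at setup, the label is carried for the rest of the flow. A production engine adds statistical features (packet-size sequences, timing) for protocols whose handshakes are themselves obfuscated, which this example does not attempt.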
Companies can leverage technologies such as DPI not only within their local area networks (LANs) and wide area networks (WANs) but also at the network edge. DPI acts as a threat detection tool, identifying malware and other possible threats finding their way into corporate network gateways such as SASE or SD-WAN. Equipped with an extensive library of the latest traffic signatures, DPI is able to detect cyber threats hidden in encrypted traffic. This is particularly important in today’s internet landscape. A study by A10 showed that 41 % of cyberattacks use encryption to evade detection. The ability to catch the culprits in real time is more important than ever, as traffic at the network edge escalates by the day with many employees working remotely. A compromised device or a stolen identity, both of which can happen easily on public networks, can be used to launch malware, ransomware and other attacks on the corporate network from remote locations.
In addition, the company’s own VPN server, which stays exposed on public networks, is susceptible to DDoS attacks that can impact speed and latency or bring down the service altogether. DPI is able to identify DDoS attack patterns and block traffic from the attack source, especially in attacks that stay below volumetric thresholds. This is particularly important for VPNs deployed in zero trust architectures, where an attacked VPN server compromises not only connectivity at the edge but company-wide connectivity. Under a centralized threat management system, DPI is able to analyze and provide traffic intelligence not only on DDoS but also on other attack patterns on the network, securing not just a single VPN server but all VPNs used by the company.
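The phrase "attacks that stay below volumetric thresholds" is the interesting part of the paragraph above, so here is an added example (not R&S®PACE 2 code) showing why a per-source packet-rate limit misses a half-open handshake flood against a VPN server while a behavioural check that looks at handshake stages catches it. The event model, thresholds and client addresses are constructed for this illustration: each event records that an IKEv2 client either sent an IKE_SA_INIT or completed IKE_AUTH, which is exactly the kind of protocol-stage information a DPI engine can expose and a byte counter cannot.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HandshakeEvent:
    ts: float    # seconds since start of the analysis window
    src: str     # client address
    stage: str   # "init" (IKE_SA_INIT seen) or "auth" (IKE_AUTH completed)


# Hypothetical thresholds; a real deployment tunes them to the server's baseline
VOLUMETRIC_PPS = 50.0        # classic per-source rate limit (packets per second)
MIN_INITS = 10               # enough attempts before judging a source's behaviour
MAX_UNFINISHED_RATIO = 0.5   # share of IKE_SA_INITs allowed never to reach IKE_AUTH


def per_source_stats(events, window: float) -> dict:
    """Count init/auth events per source inside [0, window)."""
    stats = defaultdict(lambda: {"init": 0, "auth": 0})
    for e in events:
        if 0.0 <= e.ts < window and e.stage in ("init", "auth"):
            stats[e.src][e.stage] += 1
    return dict(stats)


def volumetric_hits(stats: dict, window: float, pps: float = VOLUMETRIC_PPS) -> set:
    """Sources a plain rate limit would block: total packets / window above pps."""
    return {src for src, s in stats.items() if (s["init"] + s["auth"]) / window > pps}


def behavioural_hits(stats: dict) -> dict:
    """Sources that keep opening IKE sessions but rarely finish them (half-open flood)."""
    flagged = {}
    for src, s in stats.items():
        if s["init"] < MIN_INITS:
            continue
        unfinished = (s["init"] - s["auth"]) / s["init"]
        if unfinished > MAX_UNFINISHED_RATIO:
            flagged[src] = {"inits": s["init"], "auths": s["auth"],
                            "unfinished_ratio": round(unfinished, 2)}
    return flagged


def block_list(events, window: float) -> list:
    """Union of both detectors, as a sorted list of sources to rate-limit or block."""
    stats = per_source_stats(events, window)
    return sorted(volumetric_hits(stats, window) | set(behavioural_hits(stats)))


def build_sample_events() -> list:
    """Constructed 60-second window (documentation addresses, not real clients)."""
    events = []
    # Slow half-open flood: one IKE_SA_INIT every 3 s, never an IKE_AUTH -> ~0.33 pps
    for i in range(20):
        events.append(HandshakeEvent(ts=i * 3.0, src="203.0.113.7", stage="init"))
    # Healthy client: three sessions, each completed
    for i in range(3):
        events.append(HandshakeEvent(ts=i * 20.0, src="198.51.100.4", stage="init"))
        events.append(HandshakeEvent(ts=i * 20.0 + 0.2, src="198.51.100.4", stage="auth"))
    # Flaky client on a bad link: retries, but most attempts still complete
    for i in range(12):
        events.append(HandshakeEvent(ts=i * 5.0, src="198.51.100.9", stage="init"))
        if i % 4 != 3:
            events.append(HandshakeEvent(ts=i * 5.0 + 0.3, src="198.51.100.9", stage="auth"))
    return events


SAMPLE_EVENTS = build_sample_events()
WINDOW = 60.0

if __name__ == "__main__":
    stats = per_source_stats(SAMPLE_EVENTS, WINDOW)
    print("volumetric:", volumetric_hits(stats, WINDOW) or "nothing flagged")
    print("behavioural:", behavioural_hits(stats))
    print("block list:", block_list(SAMPLE_EVENTS, WINDOW))
```

The flaky client is included on purpose: a detector that only counted failed handshakes would flag it alongside the attacker, whereas the completion ratio keeps it below the line. Feeding the same event stream from every VPN server into one `per_source_stats` call is the "centralized" view the paragraph describes, since a source probing several gateways at a low rate each only stands out once its attempts are summed.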
In the wake of the pandemic, VPNs have become the simplest way to connect employees and assets in dispersed locations securely. While securing a fast-growing number of VPNs inadvertently increases the workload of network administrators and the security risks to companies, real-time traffic intelligence from DPI greatly enhances traffic visibility and helps identify anomalies in patterns of encrypted traffic and take action in real time. When it comes to VPNs, DPI kills two birds with one stone: It mitigates attacks and threats to corporate VPNs and protects company networks from cyber threats hiding in third-party and rogue VPNs.