What is a Virtual Private Network (VPN)? VPN Security Explained


A VPN provides a secure channel for users to send and retrieve sensitive data using public infrastructure – the Internet. This avoids the cost of leasing dedicated secure lines between branch offices and allows employees the flexibility to work anywhere with an Internet connection. They are also valuable for communicating with suppliers and customers in your extranet.

VPNs are not an all-in-one solution but an important layer in your overall security strategy. Read on to find more answers to “What is a VPN?” and other important details.


How Virtual Private Networks (VPNs) Work

VPNs create a network within a network by encrypting data and passing it through a “tunnel.” To the user, it appears to be a point-to-point connection to the corporate server (though perhaps with some latency; more on that later). There’s quite a bit going on under the hood.

Encryption: Individual packets of data are encrypted by military-spec technology. This Advanced Encryption Standard (AES) technology renders the packets unreadable to systems without the key.

Routing: A tunneling protocol creates a datagram to enclose the data packet and route it through other servers on the virtual network. Each server-to-server connection is called a “hop.” A multi-hop architecture is preferable for some applications because of its added security (packets are re-encrypted for each hop), but it can introduce latency.

Authentication: Users must prove to the VPN they are who they claim to be to have access to the network. Two-factor authentication relies on something the person has (a particular device, a fob or card, a virtual key, for example) and something a person knows (a password). Authentication is the most vulnerable process in a VPN due to poor password hygiene and other unsafe user practices.

Categories of VPN

Broadly, there are three categories of VPN.

Personal VPN

Consumer-grade VPNs don’t connect to an enterprise server. These connect to a provider’s servers, offering more secure Internet browsing from a home computer or mobile device. Aside from this layer of security, a personal VPN can be configured to circumvent geographic blocking of streaming content by “spoofing” your connection and making you appear to be somewhere you’re not.

Site-to-site VPN

Used mainly by large corporations, site-to-site VPNs connect fixed physical locations, such as branch offices, allowing the safe sharing of data and applications on each other’s servers. They can also connect supply chain partners within your extranet.

Remote-access VPN

These are the VPN types for work-from-home agents and road warriors. A remote access VPN connects the user to corporate servers and resources. It allows access to data and applications from anywhere with an Internet connection. It might also be used in conjunction with a site-to-site VPN.

Understanding VPN Security

It’s best to understand how VPN security works by breaking it down into its three primary functions: authentication, encryption, and tunneling.

Authentication

The role of identity management in a VPN context is straightforward: Ensure that the user is who he or she says. The staple tools for authenticating a user are the user name and password.

Passwords: A core element of authentication, passwords are the bane of security managers. According to the 2023 Verizon Data Breach Investigations Report, almost half of business data breaches were due to compromised credentials, many due to weak passwords.

Users must create memorable passwords that are very difficult to guess and unique to sometimes dozens of accounts. They often don’t. A Harris poll reported that 59 percent of American users have birthdays or names in their passwords (information easily mined from social media accounts), two-thirds use the same password across multiple accounts, and 43 percent have shared a password with someone else.

Password management software helps with user password hygiene by generating truly random passwords for each account and storing them in a virtual vault accessible only by using a master password. Google’s Chrome browser incorporates a password manager. An encryption key for two-factor authentication often accompanies them.

Two-Factor Authentication (2FA): Most commonly, two-factor authentication relies on something the user knows (a password, for example) and something a user has (a passcard, fob, virtual key on a USB stick, a code from an SMS message, even a fingerprint). This enhances security: physical items can be lost or stolen, but a password is still required for access. Likewise, compromised passwords can’t access accounts without the second authentication factor.
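As an added example (not code from the article or from any vendor it names), here is how the time-based one-time code behind most authenticator apps is generated and checked, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret is the RFC test-vector key, a constructed input; the 30-second step, six digits and the one-step skew window are the usual defaults and are assumptions of this example, as are the function names.

```go
// Added example (not from the eSecurity Planet article): a minimal
// RFC 4226 HOTP / RFC 6238 TOTP implementation, the "something you have"
// factor as generated by an authenticator app. The 20-byte secret in main
// is the RFC test-vector key, used here only so the output is checkable.
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes an HMAC-SHA1 one-time code for a given counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	// Dynamic truncation (RFC 4226 section 5.3): take 4 bytes at an offset
	// chosen by the low nibble of the last byte, and mask the sign bit.
	offset := sum[len(sum)-1] & 0x0f
	code := uint32(sum[offset]&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp derives the counter from wall-clock time in 30-second steps.
func totp(secret []byte, t time.Time, digits int) string {
	return hotp(secret, uint64(t.Unix()/30), digits)
}

// verifyTOTP accepts the code for the current step and the one on either
// side (clock skew), comparing in constant time so the check itself does
// not leak how many digits matched.
func verifyTOTP(secret []byte, code string, now time.Time, digits int) bool {
	ok := false
	for _, skew := range []int64{-30, 0, 30} {
		expected := totp(secret, now.Add(time.Duration(skew)*time.Second), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 SHA-1 test key (constructed input)
	now := time.Now()
	code := totp(secret, now, 6)
	fmt.Println("current code:", code, "valid:", verifyTOTP(secret, code, now, 6))
}
```

The server side only ever stores the shared secret and the current time, which is why a stolen password alone is not enough: the attacker also needs the secret, and a captured code expires with its 30-second step.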

Zero Trust Architecture and Privileged Access Management: VPNs allow users into the perimeter of a business system. However, some system elements shouldn’t be accessed by everyone with credentials. A zero-trust architecture assumes minimal privileges for users within the perimeter. Micro-perimeters protect more sensitive elements within a 2FA system.

Privileged access management (PAM) takes this a step further. PAM solutions control and monitor users with exceptional levels of privilege. Since the user and activity are recorded, they can be configured as a “break glass in case of emergency” tool when no one is available with the necessary privileges to deal with an issue.

Encryption

Encryption substitutes characters for one another according to an algorithm, turning readable text into ciphertext that can only be read with the corresponding key. A very simple example: “algorithm,” with every character raised by one alphabetically, becomes “bmhpsjuin,” which would be difficult to decipher if the key – moving each character back down one alphabetically – weren’t so obvious.

The military-spec Advanced Encryption Standard (AES) technology VPNs rely on is a little more sophisticated. In the highest-strength 256-bit AES encryption, 14 rounds of operations are performed on the data:

  • Data is broken up into four-by-four byte blocks.
  • Expanded “round” keys are generated from the original key.
  • Round keys are added to the four-by-four character blocks.
  • Each byte is substituted with another byte.
  • Each byte is shifted to the left or right within its row.
  • Columns are mixed according to a predetermined matrix.
  • Another round key is added, then the process is repeated.

The result is virtually impenetrable encryption. AES is also available in 128-bit and 64-bit versions, but the 256-bit version is the industry standard.
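The shift cipher and the AES description above, as an added example in Go (not the article’s own code): shiftLetters reproduces the one-letter shift, and encryptPacket/decryptPacket seal a constructed sample packet with 256-bit AES in GCM mode from Go’s standard library, which also authenticates the ciphertext so a modified packet is rejected rather than decrypted to garbage. The key, payload and function names are made up for the demonstration.

```go
// Added example (not the article's code): the article's one-letter
// alphabet shift next to AES-256 in GCM mode from Go's standard library,
// applied to a constructed "packet" payload. Key and packet bytes are
// made up for the demonstration.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// shiftLetters is the article's toy cipher: every lowercase letter moved k
// places along the alphabet. Its "key" is so small that anyone can undo it.
func shiftLetters(s string, k int) string {
	out := []rune(s)
	for i, r := range out {
		if r >= 'a' && r <= 'z' {
			out[i] = 'a' + (r-'a'+rune(k)+26)%26
		}
	}
	return string(out)
}

// encryptPacket seals one payload with AES-256-GCM. The key must be 32
// bytes (256 bits); AES works on 16-byte blocks internally, and GCM adds a
// 16-byte authentication tag so tampering is detected, not just garbled.
// Output layout is nonce || ciphertext || tag.
func encryptPacket(key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, nil), nil
}

// decryptPacket reverses encryptPacket and fails closed on any modification.
func decryptPacket(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("packet too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// tamperedDecryptFails flips one bit of a sealed packet and reports whether
// GCM rejects it, which is the property a tunnel relies on.
func tamperedDecryptFails(key, payload []byte) (bool, error) {
	sealed, err := encryptPacket(key, payload)
	if err != nil {
		return false, err
	}
	sealed[len(sealed)-1] ^= 0x01
	_, err = decryptPacket(key, sealed)
	return err != nil, nil
}

func main() {
	fmt.Println(shiftLetters("algorithm", 1)) // bmhpsjuin

	key := make([]byte, 32) // 256-bit key; a real tunnel gets this from its key exchange
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	payload := []byte("GET /payroll.xlsx HTTP/1.1") // constructed sample packet
	sealed, _ := encryptPacket(key, payload)
	plain, _ := decryptPacket(key, sealed)
	fmt.Printf("block size %d bytes, sealed %d bytes, round trip ok: %v\n",
		aes.BlockSize, len(sealed), string(plain) == string(payload))
}
```

Two points the listing makes visible that the prose does not: the ciphertext is longer than the payload by a 12-byte nonce and a 16-byte tag, and decryption of a packet with a single flipped bit returns an error instead of plaintext, so an on-path attacker cannot silently modify tunneled data.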

Perfect Forward Secrecy (PFS): PFS prevents the decryption of sessions recorded in the past by using a one-time encryption key for each session. If someone manages to capture an encryption key, it won’t compromise data other than that single session.
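An added example (not the article’s code) of what forward secrecy changes, in Go: staticSessionKey derives the session key from two long-term identity keys, so every session gets the same key and a later leak of one identity key exposes all recorded sessions; ephemeralSessionKey uses a fresh X25519 key pair on each side for every session, so each session key is independent and is discarded when the session ends. The SHA-256 key derivation, the label strings and the function names are simplifications chosen for this example; a real handshake would also authenticate the ephemeral public keys with the identity keys, which is omitted here.

```go
// Added example (not from the article): static key agreement next to
// ephemeral, per-session key agreement, to show why only the latter gives
// forward secrecy. Uses Go's standard-library crypto/ecdh (X25519).
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newIdentity creates a long-term X25519 identity key pair for one endpoint.
func newIdentity() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// staticSessionKey is the design forward secrecy replaces: the session key
// comes from the two long-term identity keys alone, so it is identical in
// every session, and whoever later obtains one identity private key can
// recompute it and read every recorded session.
func staticSessionKey(self *ecdh.PrivateKey, peer *ecdh.PublicKey) ([32]byte, error) {
	shared, err := self.ECDH(peer)
	if err != nil {
		return [32]byte{}, err
	}
	// Simplified key derivation for the example: hash of a label and the shared secret.
	return sha256.Sum256(append([]byte("vpn-static-v1:"), shared...)), nil
}

// ephemeralSessionKey runs one forward-secret handshake: each side mints a
// fresh key pair, they exchange public halves, and both derive the same
// 32-byte key. Both sides' results are returned so a caller can confirm
// they match. The ephemeral private keys are dropped when this function
// returns, which is what makes the secrecy "forward".
func ephemeralSessionKey() (keyA, keyB [32]byte, err error) {
	curve := ecdh.X25519()
	ephA, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return keyA, keyB, err
	}
	ephB, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return keyA, keyB, err
	}
	sharedA, err := ephA.ECDH(ephB.PublicKey())
	if err != nil {
		return keyA, keyB, err
	}
	sharedB, err := ephB.ECDH(ephA.PublicKey())
	if err != nil {
		return keyA, keyB, err
	}
	keyA = sha256.Sum256(append([]byte("vpn-ephemeral-v1:"), sharedA...))
	keyB = sha256.Sum256(append([]byte("vpn-ephemeral-v1:"), sharedB...))
	return keyA, keyB, nil
}

func main() {
	a, _ := newIdentity()
	b, _ := newIdentity()
	s1, _ := staticSessionKey(a, b.PublicKey())
	s2, _ := staticSessionKey(a, b.PublicKey())
	fmt.Println("static scheme: sessions 1 and 2 share a key:", s1 == s2)
	k1, _, _ := ephemeralSessionKey()
	k2, _, _ := ephemeralSessionKey()
	fmt.Println("ephemeral scheme: sessions 1 and 2 share a key:", k1 == k2)
}
```

In the static scheme the printed answer is true, so an identity key recovered years later decrypts every capture made in the meantime; in the ephemeral scheme it is false, and nothing persisted after the session can reproduce its key.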

Tunneling

Now that your data is safely encrypted and ready to go, a tunneling protocol gets it from the endpoint to the endpoint, whether directly through a site-to-site connection or multiple hops to and from a remote access connection.

VPNs use several protocols depending on network type and hardware/software compatibility. Five protocols are predominant.

OpenVPN: An open-source security protocol widely considered the industry standard for VPNs.

Internet Key Exchange (IKE): The key-exchange protocol for Internet Protocol Security (IPsec). It has native support for Extensible Authentication Protocol (EAP), which allows more seamless hand-offs between mobile networks.

WireGuard: Valued for its speed, it tunnels over User Datagram Protocol (UDP) rather than Transmission Control Protocol (TCP). This avoids the issues that can occur when TCP connections are stacked inside one another.

Datagram Transport Layer Security (DTLS): Used in products from Cisco Systems Inc., it also works around the TCP-over-TCP issues sometimes experienced with Transport Layer Security (TLS)-based protocols like OpenVPN.

OpenSSH (Secure Shell): Provides a limited number of secure channels in a client-server architecture. It is integrated into Windows, macOS, and most Linux operating systems.

Additional Features

VPNs should incorporate several additional security features. A kill switch shuts down the client or the application if the VPN connection is lost. A VPN should support anti-virus and intrusion detection technologies, digital certificates, and logging and auditing.

5 Benefits of Using a VPN

Security

Security is the whole point of a VPN, and a VPN provides it on several levels. Encryption secures data in transit. Access management secures your enterprise network. Tunneling obscures your identity and location. From this protection, many benefits follow.

Preventing Throttling

Many Internet service providers will try to cap data usage; after a particular limit, they will slow data transfer to your device. Likewise, ISPs may throttle your bandwidth for access to particular types of sites that place high demands on their network. Since your provider can’t see your traffic and your identity is obscured, a VPN makes throttling difficult.

Support & Maintenance

A VPN provider can offload some of the support and maintenance costs of managing a network. Scaling a network can be as simple as buying new licenses. These features are especially advantageous when using a VPN to build a wide-area network (WAN).

Protection From Wi-Fi Threats

Public wireless Internet access is a particular vulnerability, especially for road warriors who need access from cafes, airports, hotels, etc. This can expose your business to multiple threats.

  • Man-in-the-middle attacks intercept data in transit between the user and the Wi-Fi hotspot, collecting unsecured traffic, including user names, passwords, and sensitive documents.
  • Spoofing of login pages for legitimate public networks so users unsuspectingly log in to a fake network, which collects supposedly secure data.
  • Malware distributed through the public network can install sophisticated attacks on a user’s device, spreading through the corporate network and compromising the entire enterprise.

VPNs offer protection against such attacks. All public wireless access to enterprise networks must be tunneled through a VPN if an outright ban is not practical.

Protection of Extranet Connections

You don’t have control over the security practices of your supply chain partners who access your extranet. A VPN helps ensure the credentials of outside users and impose your security regimen on them.

5 Drawbacks of VPNs

Slower Connection Speed

Your traffic makes brief stops at servers along the way, so some latency is inevitable. Fortunately, with most reputable VPN services, this delay is so short as to be barely noticeable for all but the most time-dependent applications (gaming, for example). However, a poorly configured VPN can make a connection unusable. If it’s a concern, minimize the number of hops in your connection.

VPNs Can Be Illegal

In a handful of countries, VPN use is highly restricted; in others, it’s outright illegal. Naturally, these tend to be regimes where you don’t want to run afoul of the law. These are nations committed to control over information consumption and unfettered surveillance of their populations.

Nations with an outright ban on VPN use are Belarus, Iraq, North Korea, Oman, and Turkmenistan. In China, Egypt, India, Iran, Russia, Turkiye, the United Arab Emirates, and Uganda, only government-approved (and monitored) VPNs are permitted.

Some Services Won’t Work

Some online services refuse to do business with a VPN client for various reasons. Streaming services want to maintain their geographic blocking. Online stores have different prices in different regions. Banks often refuse to service a VPN client to adhere to restrictions on online banking from outside the country. There are hacks to get around these blocks, but they will violate your terms of service.

Privacy Is Not Guaranteed

Cookies, trackers, and other fragments of information in your browser can reveal your identity, or at least your profile, to sites you visit, regardless of a VPN. Also, on the legal front, a subpoena or court order can compel a VPN provider to turn over whatever logs they may possess. Fortunately, many reputable providers keep no logs of your use.

VPNs Can Be Expensive

A VPN service can cost up to $30 monthly for a single user. Most packages are much more reasonable, but you will need a longer-term contract for the best pricing. There are economies of scale for team and enterprise licensing, but the cost can pile up as you add licenses.

Free VPN services can be treacherous. Reputable VPNs charge license fees for infrastructure, maintenance, and operating costs. Free VPNs package your customer information and sell it to the highest bidder. Do not use them.

4 Types of VPN Connection

Firewall-based VPN

These networks layer the security features of a firewall – including packet filtering, user-based access control, proxy service, and SSL inspection – over VPN functionality.

Hardware-based VPN

A hardware-based VPN provides higher throughput, better performance, and improved reliability and physical security. Hardware is expensive and less portable, but its other features are advantageous for site-to-site VPNs.

Software-based VPN

Software-based VPNs are best for mobile and heterogeneous environments. They have the portability and flexibility to manage a variety of hardware, locations, firewall requirements, routers, etc.

Secure Sockets Layer (SSL) VPN

An SSL VPN allows connection through a Web browser rather than dedicated client software.

Who Needs a VPN? Who Doesn’t?

Experts are divided over the utility and necessity of VPN use. Many home users don’t need one since most Internet traffic travels over the more secure HTTPS protocol rather than vulnerable HTTP. Its expense and effect on download speed might not be worth the incremental additional security. And a truly anonymous browser like Firefox can make a VPN redundant for many uses.

However, a VPN offers extra protection in conditions where credentials could be exposed – for example, public Wi-Fi networks.

Remote business traffic should be tunneled through a VPN. Harvested credentials can expose an entire business network to corruption and exploitation. Unencrypted spreadsheets and databases can reveal business strategies to competitors. A VPN can also shield a company from poor security practices of supply chain partners accessing an extranet.

Frequently Asked Questions

Can I Still Be Tracked While Using a VPN?

Yes. Your data in transit is safely encrypted, and your IP address is obscured. Still, authorities can demand your traffic records from your provider (so choose a provider with a no-logging system, for example, NordVPN). Additionally, cookies and trackers are still deposited (unless you are using a truly anonymous browser), and your browser harbors fragments of information that can be built into a partial fingerprint.

How Much Does a VPN Cost?

Anywhere from nothing to a lot. One premium service provider tops out at almost $30 monthly for a home user, but that’s extreme. Most are under $10 a month and even less with a longer-term contract — Surfshark offers plans from $1.99 a month, for example. The quality of a VPN service is most often reflected in its price, which also goes for free VPN services.

Do I Need a VPN At Home?

There are good reasons to use a VPN at home. It does obscure your identity, allows you to work around geo-blocking by some streaming and retail providers, and helps avoid data and bandwidth caps. However, some may find the cost and latency outweigh the advantages.

Can I Install a VPN For Free?

Yes. But don’t. Reputable VPN providers charge fees to pay for their operational costs. Free VPN providers cover their costs by bundling and selling your traffic information. Since protecting your identity is one of the goals of a VPN, a free VPN service is worth exactly what it costs.

On the other hand, a business with competent network management staff can build and roll out its own VPN at a minimal cost, especially if a cloud infrastructure allows it to forgo new hardware. There is open-source software available to create your own. In exchange for more precise control over your network, you bring maintenance and support costs on board instead of leaving them with a provider.

What Is The Best VPN?

There is no best VPN, only one that’s best for you. There are many considerations, such as reliability, geographic reach, speed, cost, and security. You can begin your research with our article 6 Best Enterprise VPN Solutions for 2024 if you are a business user. In addition, several network and security vendors have VPN offerings, including:

Bottom Line: Get More Security Online with the Help of a VPN

A VPN is a baseline level of security for enterprises with distributed workers, multiple branch offices, or connected supply chain partners. It is insufficient but is a core part of a layered security strategy. It also offers advantages for consumer users, although these might come at a price and performance premium.

Whether you are considering installing a VPN or evaluating the fit of your current VPN, there are plenty of resources in the TechAdvice universe for your reference, including news and reviews, both individual and head-to-head.

Dave Webb

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.




Top Cybersecurity Companies

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis