USA: Security considerations for VPNs (2024)

The amount of data flowing through the internet is difficult to conceptualise. An estimated 306 billion emails are sent per day; in 2022, an estimated 70% of global GDP will have undergone digitisation; and by 2025 an estimated 200 zettabytes of data will be in cloud storage around the globe [1]. As data becomes the new oil powering companies, industries, and economies across the globe, securing that data is essential. Alaap Shah and Christopher Taylor, of Epstein Becker & Green, P.C., discuss various security tools that organisations should consider, with a particular focus on Virtual Private Networks ('VPNs') and the points to weigh in their use.

Cybersecurity threats have made this a top-of-mind concern for companies of all shapes and sizes, and even more so in today's decentralised work environment. From publicly-traded conglomerates, to venture-backed start-ups, to family-owned small businesses, the COVID-19 pandemic forced thousands of companies and millions of workers to shift to remote work paradigms. This decentralisation of the workplace forced company executives to implement solutions that would not only ensure short-term viability in the face of a global pandemic, but ultimately shape the future of the organisation. While the Chief People Officer was confronting difficult questions over the very nature of work, the Chief Information Officer was focused on how to protect organisational assets from cyber criminals seeking to exploit this new work-from-home environment and the accompanying increase of cyber attacks.

This article will explore briefly some of the tools cybersecurity professionals can employ to confront these challenges, with a specific focus on deploying VPNs. This article discusses what a VPN is, how it functions, potential vulnerabilities impacting VPNs, key considerations for securing VPNs, and responsible use of VPNs.

Cybersecurity tools

There are a number of tools that cybersecurity professionals can leverage to protect their organisation's assets and infrastructure, including deploying private web browsers, securing communications through Hypertext Transfer Protocol Secure ('HTTPS'), or establishing VPNs.

Private web browsers

Private web browsers are frequently offered as an optional feature within traditional web browsers (an 'incognito' or 'private' window), and there are also standalone browsers built around the same idea. Regardless of how a private browser is employed, the functionality is similar. When browsing the web using a traditional browser, the browser catalogs and stores information about the user, including each URL visited, form data, and any number of cookies, some of which are set by third-party content embedded in the page and are used to track the user across sites. When a user opens a private browsing window (or uses a standalone private browser), that session is isolated from the main browser profile: it starts with no cookies or logged-in sessions, it does not save browsing history, and any cookies generated during the session are discarded when the session is closed. The primary use for private browsing is to prevent other users of a shared machine from seeing a user's web activity, and a corollary benefit on shared machines is that usernames, passwords, or other personal information entered during the session are not retained once it ends. Private browsing is a local control only: it does nothing to hide the user's traffic from the network operator, the ISP, an employer's proxy, or the websites visited, all of which still see the user's IP address.

HTTPS

As the name suggests, HTTPS is the secured form of HTTP, the predominant protocol used to transfer data between a web browser and a website. Data transferred over HTTPS is encrypted and the server is authenticated, which matters most where privacy is paramount, for example when accessing financial services or a webmail server. Most modern browsers now flag websites that do not employ HTTPS as 'Not secure', and some warn before submitting forms to them. HTTPS encrypts web communications through Transport Layer Security ('TLS'), which relies on a combination of asymmetric and symmetric cryptography. Asymmetric cryptography involves a key pair: a private key, controlled by the website operator, and a public key, which is published in the site's certificate and is available to any user who wants to interact with that website. During the TLS handshake the browser checks that the certificate was issued by a trusted certificate authority and that it matches the hostname, uses public-key operations to agree a fresh session key with the server, and then encrypts the actual page data with a fast symmetric cipher under that session key. Only the holder of the private key can complete the handshake, so an intermediary cannot impersonate the site or read the session. Unencrypted data transferred over plain HTTP can be read and altered by anyone positioned on the path, such as a rogue Wi-Fi access point or monitoring software. A threat actor observing an HTTPS session can still see which website is visited (from the DNS lookup and the server name sent in the handshake) and roughly how much data flows, but not the pages requested, the form contents, or the responses. Those guarantees depend on certificate validation actually being performed: client software that disables verification still encrypts the bytes, but to whoever answers the connection.
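To make the last point concrete, here is an added example (not from the article) using Python's standard ssl module. It builds a client TLS context that delivers the HTTPS guarantees described above, beside the 'disable verification' shortcut that silently gives them up, and a small audit function that reports which guarantees a context lacks. No network connection is made; the checks are on the context's own settings.

```python
import ssl
from typing import List


def make_client_context() -> ssl.SSLContext:
    """Client-side TLS context with the settings that make HTTPS mean something:
    the server certificate must chain to a trusted CA (CERT_REQUIRED), its name
    must match the host we asked for (check_hostname), and legacy protocol
    versions are refused."""
    ctx = ssl.create_default_context()   # system trust store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The 'disable verification' shortcut found in a lot of client code. Bytes on
    the wire are still encrypted, but to whoever answers the connection: an
    attacker on the path can present any certificate and read or alter the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # "legacy compatible" client
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways a context fails to give HTTPS's authentication guarantee."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not validated (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 handshakes are still accepted (minimum_version too low)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()), ("insecure", make_insecure_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The audit is the check a code reviewer applies to any HTTP client in the codebase: an application that sets CERT_NONE to "fix" a certificate error has removed the authentication half of HTTPS while keeping the padlock-like appearance of encryption.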

VPNs

A VPN also encrypts communications, but with key differences. Chiefly, a VPN connection hides a user's Internet Protocol ('IP') address from the sites visited by routing the traffic through a server operated by the VPN provider (or, for a corporate VPN, by the organisation itself). The VPN server, rather than the user's machine, appears to be the source of the traffic. The advantages are (a) hiding the content and destinations of a user's traffic from the user's Internet Service Provider ('ISP') and from anyone else monitoring the local network, who now see only encrypted packets to the VPN server, and (b) hiding the user's location from the destination sites. For example, as I write this sentence, the VPN client installed on my local machine is turned off, so my ISP can see that I am writing from my home in Washington, D.C. and which sites I contact. As I write this next sentence, I have turned the VPN on and directed it to route my web traffic through a server operated by the VPN provider but physically located in Paris, France. At this moment, for all my ISP (or anyone else monitoring my connection) knows, I could be writing this from a cafe on Avenue des Champs-Elysees. The trade-off is that the VPN operator now occupies the position the ISP used to hold and can see the same traffic, so the choice of provider is a trust decision. While a VPN provides a number of additional privacy benefits (for example, accessing regional content that may otherwise be restricted), the most useful case for employing a VPN is that it creates an encrypted tunnel between a server and a remote device, shielding any communication that flows through the tunnel from third parties. As a result, a VPN allows an employee to work remotely and still securely connect to and communicate within the corporate network.

The importance of employing a holistic strategy

Each of these tools has advantages and disadvantages but importantly, they are by no means exclusive. There is no need to choose one tool to the exclusion of another and the savvy cybersecurity professional will inventory the organisation's entire security environment and employ each of these tools where they make sense. However, when assessing how to secure the flow of information among employees who are operating more frequently in a remote-work environment, cybersecurity professionals should consider the VPN to be their primary line of defence. Thus it is important to understand not only what advantages a VPN provides, but the vulnerabilities that still exist.

VPN vulnerabilities

According to an Upwork Future Workforce Report, over the next five years the number of remote workers is expected to nearly double pre-pandemic levels [2]. By 2025, over 36 million Americans will work remotely, an increase of nearly 17 million people from pre-pandemic rates [3]. This rapid shift in the work environment has fuelled an increase in the adoption of VPNs. Before the pandemic, less than 7% of the US workforce was working remotely; by the end of 2021 that number had surged to over 35%. By 2027, the global market for VPNs is projected to reach $107.5 billion [4]. As is to be expected, cybercriminals are already exploiting the trend. According to a 2021 report from Nuspire, Q1 2021 saw a 1,916% increase in attacks against Fortinet's SSL-VPN and a 1,527% increase in attacks against Pulse Connect Secure VPN [5]. Given this reality, cybersecurity professionals need to understand what vulnerabilities still exist when utilising a VPN to manage a remote workforce.

Vulnerable to RCE

Remote Code Execution ('RCE') is a class of software security flaw that allows a threat actor to run code of their choosing on a device over the network, wherever that device is located. In August 2021, the U.S. National Institute of Standards and Technology ('NIST') published entries in its National Vulnerability Database ('NVD') for vulnerabilities in certain business VPN routers (Cisco's Small Business RV series, per the CVE identifiers in note 6) that could allow a remote attacker to execute arbitrary code, run root-level commands, or cause a denial of service through the device's web management interface. The NVD's CVSS scores placed the vulnerabilities in the high to critical range [6]. The broader lesson is that a VPN gateway is, by design, reachable from the internet, and a flaw in it hands an attacker a foothold on the perimeter: vendor advisories for VPN appliances should be tracked closely, patches applied promptly, and the management interface never exposed on the WAN side.
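As an added example, not taken from the article or from any vendor advisory, the following Python sketch shows the kind of detection a defender can run over a VPN appliance's web access log. It looks for path-traversal requests of the sort cited in note 6 by percent-decoding each request target repeatedly (so that single- and double-encoded forms collapse to the same '../') and then matching '..' segments. The log lines, IP addresses and URL paths are constructed for the example and are not the request patterns of any particular CVE.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed access log for a hypothetical VPN appliance (combined log format).
# Addresses and paths are invented for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Mar/2024:10:02:11 +0000] "GET /vpn/login?lang=en HTTP/1.1" 200 1532
203.0.113.9 - - [14/Mar/2024:10:02:13 +0000] "GET /vpn/login?lang=/../../../../etc/passwd HTTP/1.1" 200 2210
203.0.113.9 - - [14/Mar/2024:10:02:14 +0000] "GET /vpn/login?lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0
203.0.113.9 - - [14/Mar/2024:10:02:15 +0000] "GET /vpn/login?lang=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
198.51.100.7 - - [14/Mar/2024:10:03:01 +0000] "POST /vpn/logincheck HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A '..' segment, whether it follows a slash, a backslash, or the start of a parameter value.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&])\.\.(?:[/\\]|$)')

Hit = Tuple[str, str, str, str]   # (client ip, timestamp, status, decoded target)


def normalise_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that %2e%2e%2f and the double-encoded
    %252e%252e%252f collapse to the '../' the appliance's file handling would see;
    backslashes are folded to slashes for the same reason."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def find_traversal_attempts(log_text: str) -> List[Hit]:
    """Return every request whose decoded target contains a '..' segment."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed line: skip rather than crash the pipeline
        decoded = normalise_target(m.group("target"))
        if TRAVERSAL_RE.search(decoded):
            hits.append((m.group("ip"), m.group("ts"), m.group("status"), decoded))
    return hits


def successful_traversals(hits: List[Hit]) -> List[Hit]:
    """Attempts the appliance answered with 2xx deserve an incident ticket, not just a log line."""
    return [h for h in hits if h[2].startswith("2")]


if __name__ == "__main__":
    attempts = find_traversal_attempts(SAMPLE_LOG)
    for ip, ts, status, target in attempts:
        print(f"{ts} {ip} {status} {target}")
    print(f"{len(attempts)} traversal attempts, {len(successful_traversals(attempts))} answered with 2xx")
```

The point of the bounded multi-round decode is that a single `unquote` misses the double-encoded request, which is exactly the variant attackers try once the obvious one is filtered; the status code split separates noise from the requests that actually need forensic follow-up on the appliance.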

VPNs do not protect against social engineering attacks

As with most cybersecurity controls, humans are one of the weakest links with respect to VPN security. Where VPNs continue to rely on authentication paradigms such as unique user names and single-factor passwords, those credentials may be compromised through social engineering. In particular, users may be duped into providing VPN credentials through phishing emails, spoofed login pages masquerading as the organisation's VPN portal, or malicious websites and email attachments that install credential-stealing malware. The most effective technical mitigation is multi-factor authentication on the VPN, ideally in a phishing-resistant form (hardware security keys or certificate-based device authentication) rather than one-time codes or push prompts, which can be relayed by a phishing site or approved by a fatigued user in real time. Beyond that, there is little that can be done to reduce this risk other than continuing to train personnel on cybersecurity best practices and maintaining a culture of compliance and vigilance.

Implementation and use considerations

While cybersecurity professionals must continue to stay abreast of a VPN's security vulnerabilities, there are a number of implementation issues to consider when deploying a VPN.

Site-to-site vs. remote access

A site-to-site VPN is a permanent, gateway-to-gateway connection that creates an encrypted link between an organisation's existing offices. Site-to-site VPNs are most often deployed by organisations that maintain multiple offices in different geographic locations that need to access the organisation's network on a persistent basis; individual users run no client software, because the office routers or firewalls terminate the tunnel. Effectively, a site-to-site solution allows an organisation to connect its network securely to all of its remote offices and then share resources as a single network. By contrast, a remote-access VPN is a temporary connection between a user's endpoint device and the organisation's local area network ('LAN'), established by client software on the device, and is typically deployed to reach data centre applications. When an organisation utilises an in-house data centre, has sensitive applications, or is confronted with minimal bandwidth, a traditional hub-and-spoke model built on site-to-site VPNs may be the more secure solution. However, if applications and data predominantly reside with a cloud provider, giving users access to that cloud environment through a remote-access VPN terminating at a gateway in the cloud may be the better fit.

Split tunneling

When deploying a VPN, cybersecurity professionals must be mindful of the volume of data flowing through the tunnel and whether that volume will cause congestion and slow transfer speeds. Split tunneling allows an organisation to divide the flow of data, sending traffic destined for corporate resources through the encrypted VPN and sending other traffic (for example, to public websites or cloud services) directly out over the local network without passing through the tunnel. As a result, a user is able to reach the organisation's network while also keeping a direct connection to the internet and to local devices such as printers. The obvious drawback of split tunneling is that traffic diverted outside the VPN is exposed to whatever network the user is on and is not subject to the organisation's inspection or filtering; a common oversight is leaving DNS resolution outside the tunnel, which reveals internal hostnames and undermines any filtering the VPN gateway applies. Cybersecurity professionals must take care to define precisely which destinations may bypass the tunnel and which must remain inside it, and to verify that the rules actually pushed to clients match that intent.

The kill switch

A VPN kill switch automatically blocks a device's internet traffic if the VPN connection drops, preventing any further data transfer until the tunnel is restored. Without one, the operating system simply falls back to its ordinary default route, and traffic that was meant for the tunnel leaves in the clear, exposing the user's real IP address and the data. Kill switches matter when an internet connection is unreliable, when a user switches VPN servers, or when a device undergoes a temporary software update. Many VPN clients enable their kill switch by default and there is very little reason to change that setting. The primary question for cybersecurity professionals is whether to employ a system-level or an application-level kill switch. A system-level kill switch detects that the tunnel is down and blocks the device from reaching the internet at all until the connection is restored; it is the most effective at preventing IP leaks. An application-level kill switch lets an administrator choose specific applications that will be blocked from accessing the internet should the VPN connection be severed, while everything else continues over the plain network. While an application-level switch therefore allows some data transfer to occur outside the VPN, it is the more flexible of the two.
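Taken together, the split-tunneling and kill-switch sections describe a routing and fail-closed policy that can be stated precisely. The following Python model is an added illustration, not code from any VPN client: it encodes which destination prefixes are tunneled, what happens to each flow when the tunnel is up and when it is down under the system-level and application-level kill-switch modes, and a check for the split-tunnel oversight described above (corporate destinations an administrator assumed were covered but are not). The networks, application names and addresses are made up.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Flow:
    app: str    # name of the process originating the connection
    dst: str    # destination IPv4 address
    dport: int


@dataclass
class TunnelPolicy:
    # Prefixes routed into the VPN. A full tunnel is the single prefix 0.0.0.0/0;
    # anything narrower is a split tunnel and everything else goes out directly.
    tunneled: List[IPv4Network]
    # "system": nothing leaves the device while the tunnel is down.
    # "app":    only protected_apps are blocked while the tunnel is down.
    # "off":    no kill switch.
    kill_switch: str = "system"
    protected_apps: FrozenSet[str] = frozenset()

    def routes_through_tunnel(self, dst: str) -> bool:
        addr = ip_address(dst)
        return any(addr in net for net in self.tunneled)

    def decide(self, flow: Flow, tunnel_up: bool) -> str:
        """What happens to one flow: 'TUNNEL', 'DIRECT' (plain network) or 'DROP'."""
        if tunnel_up:
            return "TUNNEL" if self.routes_through_tunnel(flow.dst) else "DIRECT"
        # Tunnel is down; this is the moment the kill switch exists for.
        if self.kill_switch == "system":
            return "DROP"
        if self.kill_switch == "app" and flow.app in self.protected_apps:
            return "DROP"
        # No kill switch covers this flow, so the OS falls back to its default route
        # and even traffic that was meant for the tunnel leaves in the clear.
        return "DIRECT"


def find_split_tunnel_leaks(policy: TunnelPolicy, must_be_private: Iterable[str]) -> List[str]:
    """Destinations an administrator expects to stay inside the tunnel that the policy
    would in fact send out over the local network."""
    return [dst for dst in must_be_private if not policy.routes_through_tunnel(dst)]


# Constructed example policies. 10.0.0.0/8 is the corporate range, 10.0.0.53 the internal
# DNS resolver, 172.16.0.0/12 a second data-centre range the administrator forgot to add,
# and 203.0.113.10 a public SaaS application.
SPLIT_TUNNEL = TunnelPolicy(
    tunneled=[ip_network("10.0.0.0/8")],
    kill_switch="app",
    protected_apps=frozenset({"erp-client"}),
)
FULL_TUNNEL = TunnelPolicy(tunneled=[ip_network("0.0.0.0/0")], kill_switch="system")

if __name__ == "__main__":
    flows = (Flow("browser", "203.0.113.10", 443), Flow("erp-client", "10.1.2.3", 443),
             Flow("browser", "10.1.2.3", 443))
    for up in (True, False):
        for flow in flows:
            print(f"tunnel_up={up!s:5} split={SPLIT_TUNNEL.decide(flow, up):6} "
                  f"full={FULL_TUNNEL.decide(flow, up):6} {flow}")
    print("leaks:", find_split_tunnel_leaks(SPLIT_TUNNEL, ["10.0.0.53", "172.16.5.9"]))
```

Two rows of the output carry the lesson: with the tunnel down, the browser's connection to an internal 10.x address goes DIRECT under the application-level switch because only the ERP client is protected, and the leak check shows the forgotten 172.16.0.0/12 range being sent in the clear even while the tunnel is up.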

Different tunnel protocols

On its own, the tunnel created by a VPN is not secure unless an encryption protocol protects the traffic inside it. Which protocol is employed varies by VPN product and provider, and each protocol affects security, speed, capabilities, and exposure to known vulnerabilities.

PPTP

Point-to-Point Tunneling Protocol ('PPTP') is an older protocol, developed for creating a VPN over a dial-up network. PPTP is available on nearly every VPN-capable platform or device and, as a result, was for a long time a standard choice for corporate VPNs. And while PPTP is a ubiquitous protocol that is simple and inexpensive to implement, it is by far the least secure option. Since PPTP shipped with Windows 95 OSR2 and Windows NT 4.0 in the mid-1990s, security researchers have uncovered a series of weaknesses, culminating in practical attacks on the MS-CHAPv2 authentication it depends on that recover the session keys outright. Today it should be treated as providing no meaningful confidentiality, used only as a last resort where nothing else is available, and retired wherever it is found.

L2TP

Layer 2 Tunneling Protocol ('L2TP') [7] is built into most VPN-capable devices, making it just as straightforward to implement as PPTP. L2TP itself provides no encryption; in practice it is run inside an IPsec tunnel. The primary concern with L2TP/IPsec is that some VPN providers implement it poorly, authenticating the IPsec tunnel with a pre-shared key that can be downloaded from the provider's website. An attacker who has that key could impersonate the VPN server to a client and then read the traffic or inject data into the tunnel. That said, L2TP/IPsec is regarded as secure as long as the pre-shared key is kept secret (or, better, certificates are used instead). Moreover, the protocol's built-in compatibility with many devices makes it an attractive implementation option.

OpenVPN

OpenVPN is an open-source technology and considered by many to be the current industry standard. The protocol actually comprises two channels, each with its own encryption: a control channel and a data channel. The control channel is a TLS session between the client and the VPN server; it authenticates the two ends (normally with certificates) and negotiates the keys for the tunnel. The data channel carries the actual traffic through the tunnel, encrypted with a symmetric cipher under those keys. To gain maximum security, both the data and the control channel configuration should be as strong as possible. However, stronger cryptography can cost throughput, so some VPN providers scale back the data channel, for instance by pinning an old block cipher. So when assessing an OpenVPN deployment, cybersecurity professionals should know that when a VPN provider advertises a certain level of encryption, that level may not apply to both the data and the control channels, and should check the client configuration file rather than the marketing.
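To show what checking the configuration file means in practice, here is an added Python example (not from the article or from the OpenVPN project) that parses an OpenVPN client profile and audits the control-channel and data-channel settings separately. The two profiles are constructed for the example; the directive names (remote-cert-tls, verify-x509-name, tls-version-min, tls-crypt, data-ciphers, auth) are real OpenVPN directives, while the hostname and key file name are placeholders.

```python
from typing import Dict, List

# Two constructed client profiles (hostname and key file name are placeholders).
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
auth SHA1
<ca>
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
</ca>
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
tls-crypt tc.key
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
</ca>
"""

WEAK_DATA_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
AEAD_SUFFIXES = ("-GCM", "POLY1305")


def parse_profile(text: str) -> Dict[str, List[str]]:
    """Map each directive to its arguments; inline <ca>...</ca> style blocks and comments are skipped."""
    directives: Dict[str, List[str]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            name, _, args = line.partition(" ")
            directives[name] = args.split()
    return directives


def audit_openvpn_profile(text: str) -> List[str]:
    d = parse_profile(text)
    findings: List[str] = []

    # Control channel: is the server really authenticated, and is the TLS floor modern?
    if (d.get("remote-cert-tls") or [None])[0] != "server":
        findings.append("control channel: no 'remote-cert-tls server', so any certificate from the CA could pose as the server")
    if float((d.get("tls-version-min") or ["1.0"])[0]) < 1.2:
        findings.append("control channel: TLS floor below 1.2")
    if "tls-crypt" not in d and "tls-auth" not in d:
        findings.append("control channel: no tls-crypt/tls-auth key, handshake packets are unauthenticated")

    # Data channel: where an advertised encryption level is most often quietly economised.
    cipher_list = d.get("data-ciphers") or d.get("ncp-ciphers") or d.get("cipher") or []
    ciphers = [c.upper() for c in ":".join(cipher_list).split(":") if c]
    if not ciphers:
        findings.append("data channel: no cipher pinned (the historical default before OpenVPN 2.5 was BF-CBC)")
    for c in ciphers:
        if c in WEAK_DATA_CIPHERS:
            findings.append(f"data channel: weak cipher {c}")
    hmac = (d.get("auth") or ["SHA1"])[0].upper()   # SHA1 is OpenVPN's default when 'auth' is absent
    if ciphers and not all(c.endswith(AEAD_SUFFIXES) for c in ciphers) and hmac in {"SHA1", "MD5", "NONE"}:
        findings.append(f"data channel: {hmac} HMAC with a non-AEAD cipher; prefer an AEAD data cipher")
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_openvpn_profile(profile) or ["no findings"])
```

Splitting the findings by channel mirrors the article's point: the weak profile has a perfectly ordinary TLS control channel yet a 64-bit-block Blowfish data channel, which is the part carrying the user's traffic.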

SSTP

Secure Socket Tunneling Protocol ('SSTP') offers similar advantages to OpenVPN: it carries the tunnel inside TLS over TCP port 443, so it passes through most firewalls. Unlike OpenVPN, however, SSTP is not open-source. Rather it is a proprietary standard controlled by Microsoft Corporation. This can be an advantage when integrating the VPN with Windows, because the protocol is built into the operating system and so is easier to manage there than a third-party OpenVPN client. However, the code is not available for the public to scrutinise. Moreover, while SSTP clients exist for Linux and macOS, it is primarily a Windows platform.

IKEv2

Internet Key Exchange version 2 ('IKEv2'), used together with IPsec, is known for its ability to re-establish a VPN connection automatically when a user's network changes or drops, thanks to its mobility and multihoming extension (MOBIKE). As such, the protocol is an ideal choice for organisations whose Bring Your Own Device policies allow for an increased number of mobile devices that frequently change networks (for example, between a 5G cell connection and a home Wi-Fi connection, or when entering and leaving a train tunnel). IKEv2/IPsec clients are built into Windows, macOS and iOS, but third-party client and server support is less uniform than for OpenVPN or L2TP, so the platforms an organisation needs should be confirmed before standardising on it.

WireGuard

Like OpenVPN, WireGuard is an open-source protocol. It was originally released only for Linux, where it was merged into the mainline kernel in 2020, but it has since been ported to a number of platforms. The protocol is relatively young, but it is already considered one of the fastest, most secure, and easiest-to-implement VPN solutions. This simplicity is underscored by the fact that the WireGuard kernel implementation consists of approximately 4,000 lines of code, whereas OpenVPN together with the OpenSSL library it depends on runs to roughly 600,000, a far larger attack surface to audit. Rather than negotiating from a menu of ciphers, WireGuard uses a fixed set of modern primitives (Curve25519 for key agreement, ChaCha20-Poly1305 for authenticated encryption, BLAKE2s for hashing), which removes a whole class of downgrade and misconfiguration problems and runs fast enough to relieve the pressure to split traffic out of the tunnel.
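To show the cryptography WireGuard is built on, here is an added example (not WireGuard's own code) of the Curve25519 key agreement from RFC 7748 in pure Python: each side generates a 32-byte private key, publishes the corresponding public key in the same base64 form WireGuard configuration files use, and both sides derive the same shared secret, which WireGuard's handshake mixes into the session keys. The implementation follows the RFC's Montgomery ladder and is meant for reading and for checking against the RFC's own test vector, not for production use, since Python big integers are not constant-time. The endpoint and AllowedIPs values in the peer stanza are placeholders.

```python
import base64
import secrets
from typing import Tuple

P = 2**255 - 19        # field prime of Curve25519
A24 = 121665           # (486662 - 2) / 4, the curve constant used by the ladder
BASEPOINT = (9).to_bytes(32, "little")

# Test vector from RFC 7748 section 6.1 (Alice's and Bob's private keys and their shared secret).
RFC_ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
RFC_BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
RFC_SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def _clamp(k: bytes) -> int:
    """Scalar clamping from RFC 7748: clear the low 3 bits and the top bit, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _cswap(swap: int, a: int, b: int) -> Tuple[int, int]:
    """Mask-based conditional swap (branch-free in C; illustrative only in Python)."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder of RFC 7748 section 5: the u-coordinate of scalar * point."""
    k = _clamp(scalar)
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)   # ignore the unused top bit
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_private_key() -> bytes:
    """32 random bytes, as `wg genkey` produces (clamping happens inside x25519)."""
    return secrets.token_bytes(32)


def public_key(private: bytes) -> bytes:
    """`wg pubkey`: the private scalar applied to the base point 9."""
    return x25519(private, BASEPOINT)


def shared_secret(my_private: bytes, their_public: bytes) -> bytes:
    return x25519(my_private, their_public)


def wg_encode(key: bytes) -> str:
    """Keys appear in WireGuard configuration files as standard base64."""
    return base64.b64encode(key).decode()


def wg_decode(text: str) -> bytes:
    return base64.b64decode(text)


def peer_stanza(peer_public: bytes, endpoint: str, allowed_ips: str) -> str:
    """A [Peer] section; AllowedIPs = 0.0.0.0/0 makes this peer a full-tunnel gateway."""
    return f"[Peer]\nPublicKey = {wg_encode(peer_public)}\nEndpoint = {endpoint}\nAllowedIPs = {allowed_ips}\n"


def self_test() -> bool:
    """Both directions of the RFC 7748 exchange must yield the RFC's shared secret."""
    a_to_b = shared_secret(RFC_ALICE_PRIV, public_key(RFC_BOB_PRIV))
    b_to_a = shared_secret(RFC_BOB_PRIV, public_key(RFC_ALICE_PRIV))
    return a_to_b == b_to_a == RFC_SHARED


if __name__ == "__main__":
    print("RFC 7748 vector:", "ok" if self_test() else "FAILED")
    client_priv, server_priv = generate_private_key(), generate_private_key()
    print(peer_stanza(public_key(server_priv), "vpn.example.net:51820", "0.0.0.0/0"))
```

Two things are worth noticing against the protocol comparison above: there is no cipher negotiation anywhere in this exchange, and a peer's public key is its only identity, so distributing and revoking keys is the whole of WireGuard's key management.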

Conclusion

In sum, the exponential growth in remote work brought on by the COVID-19 pandemic has forced cybersecurity professionals to confront how to secure their organisation's data and infrastructure in a decentralised work environment. VPNs continue to offer one of the most secure solutions to support remote workforce connectivity to sensitive systems and data. Yet VPNs are not risk free. Cybersecurity professionals must continue to do the hard work of assessing existing VPN vulnerabilities, implementing VPNs in a manner that best suits the workforce needs and existing IT infrastructure, and configuring VPN solutions in such a way that adequately balances security, regulatory, and enforcement risks against organisational resources.

Alaap Shah, Member of the Firm
Christopher Taylor, Associate
Epstein Becker & Green, P.C., Washington, DC

1. See How Much Data Is Created Every Day in 2022? TechJury, 6 February 2022 at https://techjury.net/blog/how-much-data-is-created-every-day/#gref
2. See Upwork: Economist Report: Future Workforce (2020), retrieved at https://www.upwork.com/press/releases/economist-report-future-workforce?utm_source=PartnerCentric&utm_medium=affiliate&utm_campaign=2033810_smallbiztrends&irclickid=Ub0VFaRgnxyITenxFLXWtyMDUkGRbd38zX4XVM0&irgwc=1?campaign=2033810&source=Upwork_Impact
3. Id.
4. See Research and Markets: Global Virtual Private Network (VPN) Market Report 2020: VPN Adoption Surges as COVID-19 Pandemic Leads to a Rise in Remote Work and WFM Culture (November 2020), retrieved at https://www.businesswire.com/news/home/20201127005318/en/Global-Virtual-Private-Network-VPN-Market-Report-2020-VPN-Adoption-Surges-as-COVID-19-Pandemic-Leads-to-a-Rise-in-Remote-Work-and-WFM-Culture---ResearchAndMarkets.com
5. See Nuspire: Q1 Threat Report, retrieved at https://www.nuspire.com/resources/q1-2021-threat-report/
6. See NIST National Vulnerability Database: CVE-2021-1609 and CVE-2021-1610. We also note that prior vulnerabilities were reported in SSL VPN appliances which could allow an attacker to move from a web root directory to other parts of a restricted file system and consequently read restricted files on the server. See CVE-2018-13379 and CVE-2019-11510.
7. Note that L2TP is almost universally deployed together with the IPsec security suite, thus many professionals more accurately describe the protocol as L2TP/IPsec.
