How to choose the best VPN for security and privacy

Virtual private networks still have a place in the enterprise for protecting data and networks. Here's what you need to know when selecting a VPN.


Enterprise choices for virtual private networks (VPNs) used to be so simple. You had to choose between two protocols and a small number of suppliers. Those days are gone. Thanks to the pandemic, we have more remote workers than ever, and they need more sophisticated protection. And as the war in Ukraine continues, more people are turning to VPNs to get around blocks imposed by Russia and other authoritarian governments, as Cloudflare’s data on VPN usage shows.

VPNs may not be the complete answer for securing remote workers. It didn’t help when news reports revealed that the latest hack on Okta and last year’s Colonial Pipeline attack both leveraged stolen VPN credentials, or when hackers found their way into NordVPN, TorGuard and VikingVPN.

Certainly, VPNs have their issues: they do little to secure endpoint networks, they leave blind spots when securing cloud computing, and they often lack multi-factor authentication (MFA) controls. That earlier post also mentioned several other strategies for securing your remote workflow, including expanding zero-trust networking and using a combination of products such as secure access service edge tools, identity and access management and virtual desktops.

Where VPNs matter for enterprises

A VPN is still useful and perhaps essential to a modern, mostly remote workplace. It can come into play in these four scenarios:

  • Protect data on public (and home) networks from being intercepted in a man-in-the-middle attack. Encrypting your network traffic makes it more difficult for the middlemen to snoop and hoover it up.
  • Protect your smartphone from being tracked, which is a separate issue from the above: Most users don’t have any VPN software installed on their phones. Mobile VPN products, combined with a more secure DNS (such as Cloudflare’s Warp), should be on all business users’ mobile devices.
  • Help frequent travelers, especially when visiting countries with autocratic regimes or that censor particular internet destinations. Alternatively, if you need to support users in far-flung locations, it might make sense to employ a VPN with a nearby endpoint.
  • Prevent your private data from leaking to your ISP, although your VPN provider could still obtain this information if they aren’t as diligent as they should be.

This last item requires more explanation and is one of the reasons NordVPN and others have seen more scrutiny. Sadly, the consumer VPN providers have done a lousy job by overpromising and underdelivering on their security and privacy claims. Many make a lot of noise about “military-grade security” and “100% no leaked data.” These are utter nonsense because there is no common military security standard and every VPN tracks something somewhere and somehow. Another reason: Some VPNs are nothing more than tracking apps masquerading as legitimate software. Researchers have uncovered Russian tracking software that has been quickly embedded in various VPNs, and some of them target Ukrainian users.

Yael Grauer worked with a team of security researchers from the University of Michigan. Grauer found that of the 16 well-known VPN services the team tested, 12 made exaggerated claims about how much protection they could provide. Grauer’s analysis also delineates what data is leaked by each VPN, how long they retain customer logs, and other details that can be used when you analyze the behavior of business VPNs. Some of these use cases could be partially satisfied if you were diligent about using encrypted email products, connecting to secure DNS servers, using complex passwords and MFA with all of your logins and avoiding public Wi-Fi hotspots. That isn’t always possible, which is why we still need VPNs to protect our conversations.

Bright signs on the VPN scene

Thanks to the broader interest in VPNs during the pandemic, they are getting better and deserve another look. Part of the challenge with VPNs is ignoring the marketing drivel, taking a deeper dive into the technology, and finding the right place for a VPN in your security stack. Indeed, they are helpful, particularly when combined with software-defined security infrastructure that can encrypt traffic across the internet. Let’s look at several recent trends and other developments and make some recommendations for corporate VPN deployment in the modern era.

First, there is a wider protocol field to choose from, making them more flexible and appealing. More than a decade ago, there were just two: IPSec and SSL. Since then, there have been newer protocols designed for optimizing connection speed and overall better performance. For example, the IETF has released v2 of Internet Key Exchange (IKE), which improves upon IPSec tunneling with quicker reconnections and is built into most current endpoint operating systems. IKEv2 is also supported by many enterprise VPNs, such as Cisco’s SSL AnyConnect and Juniper’s VPN products.

OpenVPN has several projects using the name—the protocol, the VPN server code, and various clients. Its protocol has improved upon SSL and has become widely adopted, with several proprietary versions that the consumer VPN vendors such as Windscribe, Hotspot Shield, NordVPN and ExpressVPN use. Both IKEv2 and OpenVPN protocols can employ AES with 256-bit encryption keys, the contemporary standard.
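As an added illustration of what “AES with 256-bit keys” looks like in practice, here are two OpenVPN client profiles shown side by side: a legacy-style one that still negotiates weak settings and a hardened one. This is example configuration written for this article, not OpenVPN’s own sample profile or any vendor’s; the hostname vpn.example.com, the port and the file names are placeholders, while the directives themselves are standard OpenVPN 2.5+ options. The two profiles would live in separate .ovpn files.

```conf
# --- Legacy-style client profile (constructed example; weak, do not use) ---
client
dev tun
proto udp
remote vpn.example.com 1194
# 64-bit block cipher and SHA1 HMAC; both are obsolete choices
cipher BF-CBC
auth SHA1
# compressing traffic before encryption can leak information about the plaintext
comp-lzo
# no remote-cert-tls / verify-x509-name: any certificate issued by the CA,
# including another client's, would be accepted as "the server"
ca ca.crt
cert client.crt
key client.key

# --- Hardened client profile (constructed example) ---
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
persist-key
persist-tun
# only accept a peer whose certificate carries the server key usage,
# and only if its subject name matches the expected server
remote-cert-tls server
verify-x509-name vpn.example.com name
# TLS 1.2 or newer on the control channel, with modern certificate requirements
tls-version-min 1.2
tls-cert-profile preferred
# AEAD data-channel ciphers only (OpenVPN 2.5+ negotiates from this list);
# AES-256-GCM is the 256-bit option the article refers to
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-GCM
auth SHA256
# encrypt and authenticate control-channel packets with a pre-shared key;
# unauthenticated probes are dropped before the TLS handshake even starts
tls-crypt ta.key
# second factor: the server side must be configured to verify the one-time code
auth-user-pass
static-challenge "Enter one-time code" 1
auth-nocache
ca ca.crt
cert client.crt
key client.key
verb 3
```

The hardened profile only helps if the server is configured to match: the server should advertise the same data-ciphers list, use the same ta.key with tls-crypt, and enforce the second factor through its authentication plugin. After connecting, the negotiated cipher appears in the client log at verb 3, which is a quick way to confirm that AES-256-GCM was actually selected rather than a fallback.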

Then there is WireGuard, which also spans several projects: a protocol that some consumer VPNs support, plus its own VPN server and client code. Its proponents claim it to be even faster and easier to use than OpenVPN; you can find parts of it in the Linux v5.6 kernel.

OpenVPN and WireGuard can also run on any UDP (and in the case of OpenVPN, TCP) port, making them more resilient in situations where state actors try to block all VPN usage. WireGuard is also designed to maintain connections when switching VPN servers.
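The following WireGuard client configuration is an added example, not from the article or from the WireGuard project, that ties together two points made above: it runs on a UDP port of the administrator’s choosing, and it is written as a full tunnel with an in-tunnel resolver so that neither traffic nor DNS lookups leak to the ISP (the fourth scenario in the list of where VPNs matter). The keys, addresses and the endpoint host vpn.example.com are placeholders.

```conf
# wg0.conf, client side (constructed example; keys, addresses and the
# endpoint host are placeholders, not values from the article)

[Interface]
# generate with: wg genkey | tee client.key | wg pubkey > client.pub
PrivateKey = <CLIENT_PRIVATE_KEY_BASE64>
Address = 10.8.0.2/32, fd00:8::2/128
# resolver reachable only inside the tunnel, so name lookups are not handed
# to the ISP's resolver (wg-quick installs it for as long as the tunnel is up)
DNS = 10.8.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_BASE64>
# optional extra symmetric secret (wg genpsk), shared out of band
PresharedKey = <PRESHARED_KEY_BASE64>
# any UDP port the server listens on; 51820 is only the conventional default
Endpoint = vpn.example.com:51820
# full tunnel: every IPv4 and IPv6 destination is routed via the peer.
# A split-tunnel line such as "AllowedIPs = 10.8.0.0/24" would send all other
# traffic, and omitting "::/0" would send all IPv6 traffic, straight to the ISP
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

Bring the tunnel up with wg-quick up wg0 and check wg show wg0: a recent handshake and growing transfer counters confirm the peer is reachable. The leak check is the routing table rather than the VPN’s marketing page: with the full-tunnel AllowedIPs above, ip route get to any public address should report the wg0 interface, and a resolver test should show 10.8.0.1 answering rather than the ISP’s server.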

A by-product of the OpenVPN movement is that the consumer VPNs pay much more attention to open source. This is good because more eyes on the code can mean that bugs and data leaks can be fixed, making for better security. “Openness” has several dimensions worth exploring because the term is subject to some imprecision by the consumer VPN providers in their marketing descriptions.

Questions to ask VPN vendors

  • How does the vendor perform its security audits (internally or through a neutral third party), and how are these published? The audits, in particular, can reveal VPNs that abuse data privacy or that leak customer data and whether both the client and server codebases are completely open or not.
  • How does the vendor publish transparency reports on various law enforcement interactions? This information can give corporate security managers a general idea of what information has been disclosed in the past, although that is no guarantee of what they will do in the future.
  • What portion of its code is open source, and what is proprietary? This applies both to the client and server versions and the various communication protocols. While the consumer VPN vendors have moved toward using open source, most commercial VPN vendors have not. One notable exception is Perimeter 81, which has a combination of a VPN, firewall, web gateway and other security tools using some open source.
  • How does the VPN integrate with identity and secure infrastructure products? For example, Sonicwall’s Mobile Connect supports Ping, Okta and OneLogin identity providers; F5’s Big-IP Access Policy Manager supports FIDO U2F tokens; and Palo Alto Networks’ Okyo Garde integrates with their Prisma Access secure edge products. This makes them more compelling for business use, provided you configure the various products adequately to take advantage of these more secure methods.

Finally, an interesting development is the rise of blockchain-based distributed VPN infrastructure. A distributed network is a natural fit for a VPN and can be used to obfuscate traffic further and make it harder to track (something that Tor, onion routers and Napster have previously demonstrated). An early leader is the Android-based dVPN from Sentinel.co. The notion behind them is that a blockchain-like infrastructure can prove that a VPN delivers SLA-like bandwidth and a particular encryption level and does not leak any private data. Sentinel offers open-source, cross-platform distributed VPN clients that it claims are resilient, secure and highly scalable and can be built into custom applications.

Copyright © 2022 IDG Communications, Inc.
