A neat solution for remote workers and road warriors can be a separate managed VPN appliance. For instance, Cisco's Meraki system includes a little box that you can carry with you that provides a set of network ports, and even a WiFi connection. Workers can connect back to the office with this box and have a computer, printer and VOIP phone all managed by the box. It all fits inside the Meraki security appliance framework, so it is quite a neat idea all round.
It’s also best not to have any technical discussions about xerox machines or audio cassette high-speed dubbing.
Thanks for all the replies. Very helpful.
This is a pretty badass definition of what a VPN is and how it works.
I work in IT security and I often have to explain how it works. One of the easiest ways to understand a VPN is to think of it like a protected little tunnel from one end to the other where no one can see what you're doing.
If you’re interested here are a couple of resources that may help:
How Tunnel Encryption Works - https://computer.howstuffworks.com/vpn7.htm
A great breakdown of Encryption - https://privacyaustralia.net/complete-guide-encryption/
Also VPN tunnels don’t have to be encrypted if they are implemented across a trusted private network. They are a useful technique for separating traffic and are often used in private company networks.
Many of the VPN services advertised on the Internet are SOCKS proxies. You need an account with a service provider. The range of services they provide is useful for avoiding Internet hazards and annoyances.
A secure VPN, which will encrypt ALL traffic between two points on an insecure network, is a different thing. Someone has to control both ends and configure equipment at both ends. The simple case is to connect two offices together over the internet. You would do that by configuring the routers at each end to agree a permanent VPN tunnel. The public internet is a convenient insecure public network. Before the Internet became ubiquitous, the offices would be connected through a dedicated private circuit, bought at some expense from a Telco. This is still the way in which many offices are connected together where the public Internet is unreliable.
A secure VPN for road warriors connecting to their private company network is a more complicated case than just connecting two offices, because it involves a laptop and the separation of local traffic and VPN traffic. Care must be exercised to ensure the laptop does not become a backdoor into the private network. It is difficult to control what goes on many remote laptops. They can be stolen, so there is usually some elaborate software and ID hardware solution in place that requires a lot of support when it goes wrong.
VPN is a much re-used term. It was used to refer to private voice networks and various other kinds of data network before the public Internet came along and confused matters.
As long as any client has the ability to do promiscuous listening, an unencrypted stream on a corporate network provides little security.
Some form of end-to-end encryption is the only way to ensure communication is likely private.
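The posts above distinguish a client whose local traffic and VPN traffic are kept separate from one that sends everything through the tunnel. The following Python is an added example, not code from any poster: it models two constructed client routing tables (addresses from the RFC 5737 documentation ranges, with 203.0.113.10 standing in for the VPN gateway) and does the longest-prefix lookup a kernel would do, so an administrator can see which destinations leave a laptop outside the tunnel. The route tables, probe addresses and interface names are all assumptions made for the example.

```python
import ipaddress

# Constructed client routing tables (not taken from any real host). Addresses
# use RFC 5737 documentation ranges; 203.0.113.10 stands in for the VPN gateway.
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0",       "wlan0"),  # original default route via the local Wi-Fi
    ("192.168.1.0/24",  "wlan0"),  # the local LAN
    ("203.0.113.10/32", "wlan0"),  # host route so the VPN gateway stays reachable
    ("0.0.0.0/1",       "tun0"),   # two /1 routes beat the /0 default for everything else
    ("128.0.0.0/1",     "tun0"),
]

SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0",       "wlan0"),
    ("192.168.1.0/24",  "wlan0"),
    ("203.0.113.10/32", "wlan0"),
    ("10.0.0.0/8",      "tun0"),   # only the office prefix is sent into the tunnel
]

# Constructed probe destinations used to exercise the tables.
PROBES = {
    "office file server":       "10.20.30.40",
    "public web site":          "198.51.100.77",
    "neighbour on local Wi-Fi": "192.168.1.23",
    "vpn gateway":              "203.0.113.10",
}


def lookup(routes, dst):
    """Longest-prefix match over (cidr, interface) pairs, as the kernel does it."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def audit(routes, probes=PROBES, tun_iface="tun0"):
    """Return (exit interface per probe, sorted names of probes that bypass the tunnel)."""
    exits = {name: lookup(routes, dst) for name, dst in probes.items()}
    bypass = sorted(name for name, iface in exits.items() if iface != tun_iface)
    return exits, bypass


def is_split_tunnel(routes, public_dst="198.51.100.77", tun_iface="tun0"):
    """A table is split-tunnel if ordinary Internet traffic leaves outside the tunnel."""
    return lookup(routes, public_dst) != tun_iface


if __name__ == "__main__":
    for label, table in (("full tunnel", FULL_TUNNEL_ROUTES),
                         ("split tunnel", SPLIT_TUNNEL_ROUTES)):
        exits, bypass = audit(table)
        print(f"{label}: split={is_split_tunnel(table)}")
        for name, iface in exits.items():
            print(f"  {name:26s} -> {iface}")
        print(f"  bypasses tunnel: {bypass}")
```

Note that even the "full tunnel" table still sends local-LAN traffic out of the Wi-Fi interface and keeps a host route to the gateway; a VPN client that wants to block neighbours on the same Wi-Fi has to do that with host firewall rules in addition to the routing table.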
Some pretty good explanations.
Basically, each end of the VPN is a program that ties into the guts of the network transmission, and intercepts the packets headed in and out of the computer.
These programs talk to each other - your VPN logon allows the VPN program to find and handshake with the other end, a similar program. Typically, all the traffic between the two is encrypted; the bonus is that nobody can read what’s going by, given today’s fairly good encryption.
“Split tunneling” refers to a configuration option for your VPN program - does it intercept and redirect all traffic, or just the traffic it detects that is intended for the other end (say, only the data to and from your office network)? If some of your home computer traffic can go to the plain internet, and at the same time some packets go to the office network, then the home computer has become another entry way into the office network if it is running the wrong sort of software (i.e. infected with malware). Hence the dislike of split tunnels - send all traffic through the VPN, or none. (Then, if you browse the internet while on office VPN, all your traffic goes to the office network and out the office's firewall, where the company's fancy firewall can ensure you are less likely to be accessing problem content.)
Another risk to roaming computers is that the first hop is usually Wi-Fi, meaning you are yelling out your conversation packets to anyone in range to listen. If you haven't been clever, you may also have your disk shared from when you needed it at home. Besides the ability to use a public VPN's entry port address onto the internet instead of your own, for reasons some of which we can't discuss here - if you are, say, in Starbucks or the airport lounge and use a VPN, all anyone will see is your VPN traffic - that you are sending encrypted packets to an address that belongs to the VPN provider. They can't see what it is, and as long as “split tunnel” is not allowed, any attempts to connect to your PC's disk shares from nearby PCs on local Wi-Fi will be rejected because the VPN program on your PC is only allowing communication from the VPN provider. (This is one of the benefits NordVPN among others are touting for their product.) (There are also a few tricks where a PC can become “monkey in the middle” for Wi-Fi and pretend it is the Wi-Fi spot, relay and thus intercept all your traffic, fake certain websites, etc. VPNs help avoid this.)
(“But, but, but… I go to HTTPS sites which are encrypted.” Yes, but the destination is not. Anyone reading your traffic will be able to tell you are sending and receiving a lot of traffic from, say, facebook.com or pornhub.com, even if they can't see what the payload is - they can read the destination. With a VPN, all traffic is just encrypted globs of data; the only visible detail is the VPN destination.)
The much advertised VPN services provide a prophylactic technique using encryption and proxy servers to avoid some of the hazards of using the public internet. They have pros and cons.
Point to point VPNs provided by the IT departments to connect their roving employees or small offices to the organisation's internal network using encrypted tunnels across the public Internet are quite a different technique with their own set of features and issues.
Some corporations with extensive private networks also use VPNs internally for extra security. Any private network of any size supporting many thousands of employees will be pretty near impossible to make secure. People are people and some will accidentally connect a laptop full of malware to their office network. Network managers have a very hard job dealing with infections that can bring down large private networks. A major incident on a large corporate network can seriously degrade all the computing services and cause an emergency rather like a building catching fire. Restive office workers gather idly around water coolers and printers unable to work. Managers gather brandishing pitchforks and torches looking for the guy who runs the network. There are clearly one or two of these harried individuals hereabouts who have been on the pointed end of the blame culture that pervades many organisations.
Only certain kinds of corporate network are centrally administered and tightly secured by uniform rules to stop this from happening. Consequently VPNs are also used within many corporate networks because they are regarded as untrusted. Not as bad as the Wild West that prevails on the public Internet, but still not secure enough to ensure business confidentiality. So most network equipment suppliers tout VPN based security solutions for high paying business customers.
Point to point VPN technology is, however, not exclusively the preserve of big business. There is a lot that can be done with Open Source hardware such as the Raspberry Pi or something similar combined with free software, if you have the inclination and the patience. It is, however, a bit involved for non-technical people. I hope that little ‘plug and play’ VPN gadgets to connect to a laptop to give access to a well appointed home network (such as those solutions sold at a premium by Cisco, et al) will eventually become available to those with more modest budgets.
The reason why we have VPN technologies is because the IP protocol on which the public Internet is based was never designed to have any form of security built in, because it was originally for academics to share their work. Consequently security features have to be retro-fitted using additional hardware and software that comes with a price tag and subscription.
A VPN proxy service is a good first step for a general Internet user to avoid the nosy parkers.