Protecting your IT assets from threats is an essential part of business and personal digital activities. VPNs and firewalls are two commonly used security tools to help reduce risk while maintaining usability. When used in concert, IT communications are filtered and encrypted.
However, do you need both? Would one or the other work just fine? We’re going to answer those questions below.
Keep reading to learn:
- What these tools are
- When you want to use them
- Suggestions for deployment
The State of Internet Security
Our daily personal activities and work tasks often mandate the use of the Internet. Whether from a smartphone or a personal computer, many of us are online for most of the day.
However, the online world is not a safe place to play or do business without being adequately prepared. Gone are the days of being anonymous by default and an unlikely target for hackers and attackers. Today, every action online can put you at risk of interception, spoofing, impersonation, hijacking, attacker-in-the-middle, account takeover, malicious code infection, and much more.
Fortunately, there are options for large organizations, small office/home office (SOHO) environments, and individuals that can reduce online risks considerably. Those options are to consider deploying a VPN and/or a firewall.
What Is a VPN?
A virtual private network (VPN) is a secure remote network or Internet connection that encrypts your communications between your local device and a remote trusted device or service.
A VPN is a digital or electronic re-creation of a physical world concept — specifically, the idea of a dedicated isolated physical network cable that only you can use and access.
VPNs create a virtual version of a physical cable by wrapping, or encapsulating, standard insecure network communications in a tunneling protocol that encrypts (and, in any sound design, also authenticates) the transported content. Communications protected by a VPN still traverse the same shared network pathways as regular traffic, but because the payload is encrypted an observer on the path sees only that the two endpoints are exchanging protected traffic, which for practical purposes approximates a dedicated isolated physical cable.
What Are the Benefits of a VPN?
Benefits of a VPN include:
- Improved communication security through encryption
- Secure remote access and/or remote control
- Anonymity services, in some instances
- Masked client or origin IP address
- Protection from attackers on the same local network (a shared Wi-Fi segment, a hotel LAN), who see only encrypted tunnel traffic rather than the original destinations and content
There are other potential benefits as well. Some organizations report network throughput improvement after deploying VPNs, typically because ancillary protocols and resource-wasting chatter are eliminated when communications are consolidated into the tunnel; note, however, that encapsulation and encryption themselves add overhead, so a gain is not guaranteed. Some organizations also realize cost savings, mainly by avoiding the recovery and repair costs of compromises caused by plain-text communications.
The Different Types of VPNs
There are three main types of VPNs:
Transport mode host-to-host
A transport mode host-to-host VPN creates a secure connection between two individual systems. In such a VPN, only the payload is encrypted. However, the headers of the protocol packets, which guide the communication across the intermediary network, remain in their original plain-text form.
Thus, the contents of a transmission are protected, but the identity of those communicating is exposed. This type of VPN is commonly used inside private network environments where there is a general level of trust in the network, but when additional protection is needed for specific host-to-host communications, such as database replication or periodic backups.
Tunnel mode site-to-site
A tunnel-mode site-to-site VPN creates a secure connection between two different networks or physical locations. In such a VPN, both the payload and the original packet headers are encrypted. An additional tunnel header is added to the encrypted content to direct the communication from one endpoint of the VPN to the other. Communications between two systems are only encrypted while in the tunnel itself.
Thus, if a client in Network A sends data to a server in Network B, the initial communication would cross Network A in plain text; then become encrypted as it entered the VPN on the border of Network A; remain encrypted across the Internet until it reached the border of Network B; and then the communication would be decrypted and sent across Network B to the server in plain text. This type of VPN is commonly used to connect remote networks.
Tunnel mode host-to-site
A tunnel-mode host-to-site VPN creates a secure connection between a single computer and a remote network. In such a VPN, both the payload and the original packet headers are encrypted. An additional tunnel header is added to the encrypted content to direct the communication from one endpoint of the VPN to the other.
Communications between two systems are only encrypted while in the tunnel itself, which starts on the single computer and ends on the boundary of the remote network. This type of VPN is commonly called a remote access VPN and is used for telecommuting or general remote activities.
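To make the difference between the three modes concrete, here is an added Python example (not code from the original article) that models a packet as a header plus payload, encapsulates it in transport mode and in tunnel mode, and shows what a passive observer on each network segment can read. The cipher is a placeholder SHA-256 keystream XOR standing in for the authenticated cipher a real IPsec ESP or WireGuard tunnel uses; the addresses, key and query text are constructed for the example.

```python
import hashlib
import json

# Placeholder cipher: a SHA-256 keystream XORed over the data.  It stands in
# for the authenticated cipher (e.g. AES-GCM in IPsec ESP, ChaCha20-Poly1305
# in WireGuard) a real VPN uses and is NOT secure: no integrity tag, no nonce.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

decrypt = encrypt  # keystream XOR is its own inverse

# A packet is modelled as a dict of header fields plus a bytes payload.
def serialize(pkt: dict) -> bytes:
    """Flatten header fields (as JSON) and payload into wire bytes."""
    header = {k: v for k, v in pkt.items() if k != "payload"}
    return json.dumps(header, sort_keys=True).encode() + b"\n" + pkt["payload"]

def parse(wire: bytes) -> dict:
    header, _, payload = wire.partition(b"\n")
    pkt = json.loads(header)
    pkt["payload"] = payload
    return pkt

def transport_mode(pkt: dict, key: bytes) -> dict:
    """Transport mode: only the payload is protected; the original
    source/destination header stays in the clear to route the packet."""
    return {"src": pkt["src"], "dst": pkt["dst"], "proto": "ESP",
            "payload": encrypt(key, pkt["payload"])}

def tunnel_mode(pkt: dict, key: bytes, gw_src: str, gw_dst: str) -> dict:
    """Tunnel mode: the whole original packet (headers and payload) is
    encrypted and a new outer header addressed gateway-to-gateway is added."""
    return {"src": gw_src, "dst": gw_dst, "proto": "ESP",
            "payload": encrypt(key, serialize(pkt))}

def tunnel_decapsulate(outer: dict, key: bytes) -> dict:
    """What the far gateway does: strip the outer header, decrypt, restore."""
    return parse(decrypt(key, outer["payload"]))

def observer_view(pkt: dict) -> dict:
    """Everything a passive on-path observer can read from one packet."""
    return {"src": pkt["src"], "dst": pkt["dst"], "proto": pkt["proto"],
            "payload": pkt["payload"]}

def site_to_site_path(pkt: dict, key: bytes, gw_a: str, gw_b: str) -> dict:
    """Trace a packet through a tunnel-mode site-to-site VPN and return the
    observer's view on each segment: clear on LAN A, encrypted and
    gateway-addressed on the Internet, clear again on LAN B."""
    outer = tunnel_mode(pkt, key, gw_a, gw_b)
    return {"LAN A": observer_view(pkt),
            "Internet": observer_view(outer),
            "LAN B": observer_view(tunnel_decapsulate(outer, key))}

if __name__ == "__main__":
    # Constructed sample: a database query from a client in Network A
    # (10.0.1.0/24) to a server in Network B (10.0.2.0/24).
    key = b"constructed-shared-key"
    pkt = {"src": "10.0.1.5", "dst": "10.0.2.9", "proto": "TCP",
           "payload": b"SELECT * FROM payroll"}
    print("transport:", observer_view(transport_mode(pkt, key)))
    for segment, view in site_to_site_path(pkt, key, "203.0.113.1", "198.51.100.1").items():
        print(segment, view)
```

Running it shows the point of each mode: in transport mode the observer still learns that 10.0.1.5 is talking to 10.0.2.9, only the query is hidden; in tunnel mode the Internet segment shows nothing but the two gateway addresses, while both LAN segments carry the query in the clear exactly as the text above describes.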
When Should You Use a VPN?
Whenever communications may be exposed to interception, eavesdropping, spoofing, hijacking, or adversary-in-the-middle attacks — any time traffic crosses the Internet or an insecure and unfamiliar network connection — a VPN would provide security through communication encryption.
Organizations should implement VPNs to secure communications between locations, such as branch offices, and whenever a worker needs to operate from a remote location. Individuals should use a VPN whenever their traffic crosses a network they do not control, such as public Wi-Fi or another party's wired network; at work, follow the organization's policy, which may require its own VPN and prohibit personal ones.
It is most important to use a VPN when accessing a public wireless network, because such connections typically aren't secured: anyone on the same network can observe or tamper with your traffic, and even where individual applications use TLS, the local operator still sees which hosts you contact. A VPN moves that exposure to the far end of the tunnel instead.
When Is a VPN Not the Right Solution?
A client-to-Internet VPN is not something an organization should normally allow from company-managed client systems. Such personal remote-access VPNs are often used to hide user activity from company filtering and monitoring.
If client-based VPN connections to external Internet providers are allowed, the content of those communications is encrypted from the company's own controls, letting users bypass filters, access blocked content, and avoid monitoring. Organizations should therefore provide their own network-level VPNs and block personal client-level VPNs, technically by blocking the relevant outbound ports and protocols at the firewall and by endpoint policy that disallows third-party VPN clients.
However, personal VPNs are precisely what an individual needs when using a public network connection, whether wired or wireless, such as those offered by hotels, restaurants, coffee shops, and conference centers. In these situations, bypassing local attacks or over-burdensome operator-monitoring is desired.
There are few circumstances in which a VPN will not improve security, though it can introduce some inconvenience (added latency, loss of access to local-network printers and shares, captive portals that must be passed before the tunnel comes up). For the most part, use a VPN in most situations, whether for organizational or personal use, except where such use is prohibited by a company's security policy to prevent bypassing monitoring and security controls.
What Is a Firewall?
A firewall is a security product that filters communications. Filtering may be done by blocking or opening ports, blocking or allowing by IP address, or controlling communications using content filtering.
The goal of a firewall is to support authorized and legitimate communications while preventing unauthorized or malicious communications. Firewalls can also provide additional services or features, including proxying, NATing (i.e., translating internal IP addresses into public external IP addresses), malware filtering, spam filtering, and more.
What Are The Benefits Of A Firewall?
The benefits of a firewall include:
- Filtering communications
- Blocking unauthorized or malicious transmissions
- Isolating a private network from a public or untrusted network
- Reducing the attack surface exposed to untrusted networks
- Blocking spoofed traffic (for example, packets arriving on the external interface that claim an internal source address)
- Technical enforcement of network security policy
Depending upon the features provided in a specific firewall, the list of benefits could be significantly expanded.
The Different Types of Firewalls
Many kinds of firewalls exist. Most modern or current firewalls are a mixture of types rather than being of a single type. The most common kinds of firewalls are:
- A packet-filtering firewall is a relatively basic type of firewall that grants or denies communication solely on an IP address and/or port number. Any time a firewall supports communications for all visitors, such as when offering an open port to access a website, a packet filtering rule is in use.
- A circuit-level firewall makes an allow/deny decision based on several potential parameters, including IP address, port, user account, and time. It decides whether a connection (circuit) may be established at all; once allowed, no further filtering is applied to the traffic on that connection.
- An application-level firewall focuses on a single application or protocol. Such a firewall can perform content inspection to allow or deny communications based on the content. If disallowed content is discovered, the packets are dropped, and the connection might be terminated.
- A stateful-inspection firewall tracks the state of each connection passing through it, such as the TCP three-way handshake, and uses that context to filter. A packet that belongs to an established, permitted session is allowed through; an unsolicited reply, an out-of-sequence segment, or a malformed packet that fits no known session is blocked. This removes the need for the loose "allow anything from source port 80" style rules that a stateless packet filter requires for return traffic.
- A next-generation firewall (NGFW) is an evolution of the stateful-inspection firewall, which includes many other security services in a single solution. Sometimes referred to as UTM (unified threat management) devices or even MFD (multi-function devices), an NGFW has a firewall as its core but may also offer IDS, IPS, anti-malware, anti-spam, deep packet inspection, DNS filtering, bandwidth throttling, content filtering, keyword tracking, and more.
In addition to these types of firewalls, there are also hardware and software firewalls. A hardware firewall is a dedicated computer configured to provide firewall services exclusively.
A software firewall is an application installed onto an existing OS that adds firewall services to that system's existing programs and services. Finally, there are also virtual firewalls that are used in virtualization or cloud infrastructures.
When Should You Use a Firewall?
A firewall should be used whenever there is a change in trust level between one network segment and another. A firewall should also be used between a network connection and a local system (whether standalone, client, or server). There is always a risk of invalid communications reaching your system across a network link; thus, blocking and filtering traffic reduces the risk of being compromised by such communications.
Is a UTM Available That Can Provide Both VPN and Firewall Functions?
A unified threat management (UTM) solution combines multiple network, management, and security services into a single product. UTMs are often marketed as firewalls with extra features and can provide both firewall and VPN services. Such a UTM may be a good choice for smaller environments with minimal IT staff and budget.
However, larger organizations should consider implementing separate firewall and VPN solutions to obtain best-of-breed products in each category rather than settling for whatever service or feature happens to be present on a UTM. When considering deploying separate firewall and VPN products, evaluate the best implementation architecture for your needs.
Weighing Your Options: Hardware or Software?
Hardware: High Performance, Often High Cost
A hardware solution for a firewall or VPN provides dedicated hardware resources to that specific function and service. Such appliance devices are designed to offer high-performance operation for their particular tasks. However, hardware appliances can be expensive.
Hardware devices can often be improved through firmware updates. At some point, the next generation of a product will provide features that the old hardware cannot support. In addition, dedicated hardware cannot be repurposed for other uses if the product becomes obsolete or gets replaced in the future.
Software: Low Cost, Stability and Reliability Concerns
A software solution for a firewall or VPN will depend upon the available system resources on the host system. Other applications and services will be competing for resources. If there is significant contention for resources, the security services may not provide reliable or consistent operation.
A software solution can often be a less expensive alternative to a hardware solution, but reliability and stability may be sacrificed for those savings. As a product is improved over time, updates can bring new features and capabilities to bear. However, significant updates might require the purchase of a more recent version or a license extension.
General Deployment Recommendations and Security-Policy Crafting
When deploying a firewall and/or VPN, planning out the deployment and the security policy is crucial before starting the actual implementation.
When deploying a firewall, a good starting point is to inventory the communications required for business tasks or personal activities. This would include a list of protocols, ports, and applications.
Then, review the documentation of the firewall. This should help in drafting a step-by-step procedure for using the specific firewall's management interface to implement the filtering and security settings that support those communications while denying everything else by default.
When deploying a VPN, a good starting point is to craft a list of the circumstances where VPN services are required, recommended, or may interfere. This should help determine which of the three types of VPN are needed to provide secure communications. While crafting the security policy for the VPN, be sure to define requirements for using a VPN and configuration and settings specifics, including an acceptable use policy (AUP).
Once a firewall or VPN has been implemented, thoroughly test that all intended configurations are operational. Confirm through testing that all authorized communications are possible and forms of unauthorized communications or connections are blocked. On a regular schedule, review the security policy and configuration settings of your firewall and VPN. Make adjustments as technology changes, as your business tasks evolve, and as new attacks are discovered.
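The following added Python example (not from the original article) ties the firewall types described earlier to the deployment procedure just outlined: it turns a constructed inventory of required communications into a default-deny rule set, replays the same packet trace through a stateless packet filter and a stateful-inspection engine, and reports which authorized flows were wrongly blocked and which unauthorized ones were wrongly allowed. The rule format, addresses and ports are assumptions for the example, not any product's syntax.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed model of a packet as a firewall sees it.  direction is "in"
# (arriving from the untrusted side) or "out" (leaving the protected side).
@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True for a TCP segment that opens a connection

# One allow rule in a hypothetical, vendor-neutral rule format.
@dataclass(frozen=True)
class Rule:
    direction: str
    dst: str = "any"
    dport: Optional[int] = None
    sport: Optional[int] = None
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport)
                and self.sport in (None, p.sport))

class PacketFilter:
    """Stateless packet filter (default deny): each packet is judged on its
    own header fields only, so it needs explicit rules for return traffic."""
    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    def decide(self, p: Packet) -> bool:
        return any(r.matches(p) for r in self.rules)

class StatefulFirewall(PacketFilter):
    """Stateful inspection: a rule-permitted connection-opening packet creates
    a session entry; later packets in either direction are allowed only if
    they belong to a known session.  Unsolicited non-SYN segments and SYNs
    not permitted by a rule are dropped."""
    def __init__(self, rules: Iterable[Rule]):
        super().__init__(rules)
        self.sessions = set()

    def decide(self, p: Packet) -> bool:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return True
        if p.syn and super().decide(p):
            self.sessions.add(fwd)
            return True
        return False

def rules_from_inventory(inventory: List[dict], stateless: bool = False) -> List[Rule]:
    """Turn an inventory of required communications into allow rules.
    A stateless filter additionally needs rules admitting reply packets
    (matched on source port), which is the hole the trace below exploits."""
    rules = [Rule(item["direction"], item.get("dst", "any"), item["dport"],
                  None, item.get("proto", "tcp")) for item in inventory]
    if stateless:
        rules += [Rule("in" if item["direction"] == "out" else "out",
                       "any", None, item["dport"], item.get("proto", "tcp"))
                  for item in inventory]
    return rules

def verify_policy(fw: PacketFilter, authorized: List[Packet],
                  unauthorized: List[Packet]) -> dict:
    """Replay the traces through one firewall instance (order matters for a
    stateful engine) and report every packet that was decided wrongly."""
    return {
        "authorized_blocked": [p for p in authorized if not fw.decide(p)],
        "unauthorized_allowed": [p for p in unauthorized if fw.decide(p)],
    }

# Constructed inventory: workstations browse the web; one public web server.
INVENTORY = [
    {"direction": "out", "dport": 443},
    {"direction": "out", "dport": 80},
    {"direction": "in", "dst": "10.0.0.10", "dport": 443},
]

# Constructed traces using documentation address ranges.
AUTHORIZED = [
    Packet("out", "10.0.0.5", 51000, "93.184.216.34", 80, syn=True),
    Packet("in", "93.184.216.34", 80, "10.0.0.5", 51000),        # reply
    Packet("out", "10.0.0.5", 51000, "93.184.216.34", 80),       # more data
    Packet("in", "198.51.100.7", 40000, "10.0.0.10", 443, syn=True),
    Packet("out", "10.0.0.10", 443, "198.51.100.7", 40000),
]
UNAUTHORIZED = [
    Packet("in", "203.0.113.7", 80, "10.0.0.5", 445, syn=True),   # SMB probe sourced from port 80
    Packet("in", "203.0.113.7", 40001, "10.0.0.10", 22, syn=True),
    Packet("in", "203.0.113.7", 443, "10.0.0.5", 3389),            # unsolicited, no SYN
]

def run_comparison() -> Tuple[dict, dict]:
    """Return (stateless report, stateful report) for the constructed traces."""
    stateless = PacketFilter(rules_from_inventory(INVENTORY, stateless=True))
    stateful = StatefulFirewall(rules_from_inventory(INVENTORY))
    return (verify_policy(stateless, AUTHORIZED, UNAUTHORIZED),
            verify_policy(stateful, AUTHORIZED, UNAUTHORIZED))

if __name__ == "__main__":
    for name, report in zip(("stateless", "stateful"), run_comparison()):
        print(name, report)
```

Both engines pass every authorized flow, which is the first half of the test the text calls for. The second half separates them: the stateless filter's return-traffic rules let an attacker reach SMB on a workstation simply by sourcing the probe from port 80, and let an unsolicited packet from port 443 through as well, while the stateful engine blocks both because neither belongs to a session it has seen opened. Re-running such a replay after every rule change is the cheapest form of the periodic review recommended above.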
Now that you know more about VPNs and firewalls, you should recognize that this is just a starting point for building security knowledge. There are many other vital security concerns you need to be aware of, because only with knowledge can you make a change for the better. Everyone has security responsibilities, both for themselves and for their employer, and that responsibility starts with knowing more and seeking out the means to learn more.
One source of additional knowledge is the educational materials made available from Global Knowledge. Part of the popular Cybersecurity Foundations course is a hands-on lab that teaches how to use the port-scanning tool Nmap to secure your network.
Gain access to the hands-on lab to continue learning how to secure your data: