Buying a VPN? Here’s what you need to know

VPNs are an effective cyber security tool for businesses and remote workers, but there are many things to consider before purchasing and implementing one. We explore some of these.


Virtual private networks (VPNs) have become an important tool in the cyber defences of businesses across all industries. They encrypt sensitive corporate data, provide secure remote access for home workers, strengthen public Wi-Fi security, enable anonymous web browsing, circumvent geo-blocks, and offer many other benefits.

Clearly, there are many different reasons why a business might want to use a VPN. But if this is new territory for an organisation, choosing and implementing the right service can be challenging. However, asking a few simple questions can help businesses buy the best available VPN.

VPNs are necessary applications for remote workers and should not be overlooked by businesses with a home workforce, says ESET security specialist Jake Moore. “Security and privacy are essential and must be implemented on all devices remoting into the organisation network,” he tells Computer Weekly.

When looking for a VPN, businesses will come across a wide variety of providers on the market. Moore urges firms to read reviews before choosing a VPN because there are lots of unknown suppliers out there.

“There are many new names hitting the VPN market, many of which will be unknown, so it is vital to check the reviews available for honest opinions of their products,” he says. “However, it is advisable to remain critical of independent reviews as there are often paid-for reviews for VPN products favouring them. Speed and lack of reliability are areas which can become sticking points for most and could put people off.”

As well as reading reviews, Moore recommends that businesses also take time to understand the risks of using VPN services. “Although minimal, some VPNs can sometimes have third-party trackers embedded in their software or even become infected with malware, so extra research into each provider is key to finding the correct solution,” he says.

Sean Wright, application security lead at Immersive Labs, agrees that VPNs are vital tools for businesses in the digital age and that firms must do ample research before selecting a provider.


“By their very nature, VPNs are critical and sensitive infrastructure,” he says. “All your traffic will be flowing through it, should you use one. So it is imperative that you spend your time and do your homework to find and choose a legitimate service provider.

“While VPNs can provide great security, especially when using a public network such as public Wi-Fi, if you choose a poor service, or even a questionable service, you may even put yourself at greater risk. While encrypted channels such as HTTPS can help reduce this risk somewhat, many requests are still being made over plaintext means, such as plain DNS.”

Like Moore, Wright stresses the importance of considering the privacy implications of VPN usage. “Since all traffic is being routed through the service provider, they are likely to be able to see at least some, if not most, of the traffic that you use,” he says. “My personal recommendation is also to ensure that you pay for a VPN service. Free ones may rely on revenue generated through things such as advertising – and thus tracking – or other means.”

Wright also urges businesses to read customer testimonials of VPN providers, particularly those posted on smartphone app stores. These will detail the pros and cons of different VPN systems, helping you choose the right service for your business.

He points out that businesses can even create their own VPN service, but this could pose risks if a firm has never developed one before. Wright says tools such as PiVPN make it easier to create and set up a VPN service, although prior knowledge is still important. He adds: “You still need to know what you are doing, such as correctly configuring your network to allow VPN connections, while not allowing other unintended connections.”

A range of factors to consider

There is a range of important factors to take into account when searching for an enterprise-grade VPN, according to Malwarebytes senior security researcher Jean-Philippe Taggart. First, organisations should ensure that their chosen VPN service offers a strict no-logging policy, because this will help to improve privacy overall.

“In the best-case scenario, there should be as little logging as possible,” he says. “Less logging means more privacy. If there are no logs, there’s nothing to turn over. One of the main points of using a VPN is greater privacy for the end-user, so this should be one of the first things that users evaluate.

“Many VPN providers will advertise how there isn’t any logging on their platform, but that hasn’t been the case when the rubber meets the road. It’s worth doing some internet sleuthing to see what is being said about the prospective VPN providers when it comes to actual versus advertised logging practices.”

Businesses looking to implement a VPN should also find out where the provider is headquartered geographically. Taggart says the location of a VPN company will affect which laws can be applied to it.

“In a scenario where you’re using a VPN to circumvent nation-based censorship, for example, if your VPN provider is based in the country where the censorship originates, then nothing prevents the government from compelling the VPN provider to turn over logs, enable logging or modify its system to track users,” he says.


Before buying a VPN for your business, it is also important to conduct online research about a prospective system because this will give a glimpse into its company history, says Taggart. “Have there been incidents in the past? Were they forthcoming about them? How a company handles a crisis speaks volumes. Past incidents aren’t a deal breaker per se, but how they handled them can be.”

Another question to ask is how many exit nodes a VPN offers, says Taggart. “Nodes are VPN servers that will become the location you are using, so you want to select a provider that has nodes in the locations you want to connect from. However, you should consider that the number of nodes will impact speed and overall performance. Another advantage of using a VPN is that you get to experience the internet as it is in the country you select as an exit node.”

It is also important to consider whether specific protocols are disallowed, says Taggart. “This can imply traffic inspection, which is undesirable. It also suggests that the infrastructure can’t handle peer-to-peer [P2P] traffic. Disallowing P2P traffic could mean that the VPN network might not function well under high loads.”

VPNs offer many different features, but one to look out for in particular is a kill switch. Taggart says: “Some VPNs have an application to ease the setup and use of the VPN. Users need to understand when they are and are not protected under all circumstances. The worst-case scenario is that the application has an issue, and the user surfs unprotected without being notified. The kill switch just stops all internet and prevents that – a very useful feature, particularly for less technically savvy users.”

Finally, Taggart recommends that businesses ask VPN companies which payment methods and cryptocurrencies they accept. “Maybe your threat model requires greater anonymity?” he says. “Some VPN providers accept payment in the form of cryptocurrency, making the service payment more anonymous. Keep in mind that using crypto does not guarantee a completely anonymous transaction. It just removes easily coerced credit card companies from turning over your purchasing history.”

Other important considerations

Understanding the different features offered by VPN providers will also enable businesses to purchase and implement a service that suits all their needs. Lisa Ventura, CEO and founder of the UK Cyber Security Association, says: “Like anything else, organisations should weigh up the features each one has and the ones they are most likely to use against the cost of the solution. VPNs often have many differentiating features, so organisations need to be aware of what to look for and consider.

“The main things organisations should look for include the number of servers between the user and the provider’s server, the location of the servers, the number of connected devices the solution allows, the support available for additional devices, privacy and logging considerations and, of course, pricing.”

Ventura also urges businesses to check whether VPN companies impose caps on the amount of data they can transmit and receive. “Some VPNs offer a free tier and a paid tier, and those that offer a free tier will often only allow a certain amount of data usage each month,” she says.

The most important thing when shopping for a VPN is to remember that it is not like going to an automotive store and choosing a roof rack for your car, says Sophos principal research scientist Paul Ducklin. “Yet that’s how lots of companies see a VPN – as an ‘add-on’ component that’s fine as long as it fits well enough,” he says.

“Make sure you go for a VPN that is an equal citizen in your overall cyber security solution and that can automatically and actively work with it, including adapting its behaviour based on what the rest of your cyber security system knows is going on.”


Dan Conrad, field strategist at One Identity, says the effectiveness of a VPN depends on three key questions that should be considered before implementing one. “Firstly, will the implementation adhere to zero-trust best practices?” he says. “The best way to ensure zero-trust principles is to validate that the VPN does not terminate in a datacentre, as this places too much trust at the origin.”

The second question is whether authentication is strong enough, says Conrad. “Strong authentication should also be applied alongside whichever VPN is selected to fortify sessions.”

Thirdly, Conrad says businesses need to ask themselves whether they can monitor these sessions. He points out that strong authentication will not warn businesses if credentials are being misused or they are experiencing insider threats. “This is where monitoring behaviour will help businesses to detect suspicious actions and proactively respond to minimise the damage,” he adds.
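The kind of behavioural monitoring Conrad describes can be illustrated with two simple checks over VPN authentication logs: the same account authenticating from two countries within a short window, and a run of failed logins followed by a success. This is an added example, not code from the article or from One Identity; the key=value log format and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=alice src=203.0.113.10 geo=GB result=ok
2024-03-04T08:15:40Z user=bob src=198.51.100.7 geo=GB result=fail
2024-03-04T08:15:52Z user=bob src=198.51.100.7 geo=GB result=fail
2024-03-04T08:16:03Z user=bob src=198.51.100.7 geo=GB result=fail
2024-03-04T08:16:20Z user=bob src=198.51.100.7 geo=GB result=ok
2024-03-04T08:20:05Z user=alice src=192.0.2.55 geo=BR result=ok
"""  # constructed sample lines in a made-up format, not output of any real VPN product

def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def find_impossible_travel(events, window=timedelta(hours=1)):
    """Same account succeeds from two different countries inside `window`: shared or stolen credentials."""
    alerts, last_ok = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "ok":
            continue
        prev = last_ok.get(e["user"])
        if prev and prev["geo"] != e["geo"] and e["ts"] - prev["ts"] <= window:
            alerts.append((e["user"], prev["geo"], e["geo"]))
        last_ok[e["user"]] = e
    return alerts

def find_brute_force_success(events, threshold=3, window=timedelta(minutes=5)):
    """At least `threshold` failures then a success inside `window`: a guessed or sprayed password."""
    alerts, fails = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"]
        recent = [t for t in fails[user] if e["ts"] - t <= window]  # failures still in the window
        if e["result"] == "fail":
            recent.append(e["ts"])
        else:
            if len(recent) >= threshold:
                alerts.append((user, len(recent), e["src"]))
            recent = []  # a success closes the failure run
        fails[user] = recent
    return alerts

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(find_impossible_travel(evts), find_brute_force_success(evts))
```

Both checks fire on the sample data: alice appears in GB and then BR within 18 minutes, and bob succeeds immediately after three failures. Neither check is something an MFA prompt alone would surface, which is the point Conrad makes.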

With online threats continuing to increase and the vast majority of people working remotely during the coronavirus pandemic, the use of VPNs can help businesses improve cyber security and protect remote workers. But what is clear is that they should not rush into choosing and setting up a VPN service. Instead, firms need to do plenty of research and select a VPN based on their own unique needs.
