You probably don’t even think about mobile VPN, privacy, and security when you’re using your smartphone in public. You can bet it isn’t a WPA2 PSK-secured connection. Hey, all you care about is doing a quick funds transfer with your bank, and it’s back to schmoozing with your client.
This is where you figure out the restaurant has not done you any favors. In a study by the Ponemon Institute, a large majority (70%) of the IT security experts surveyed reported that mobile devices had been the source of data breaches. Competition-sensitive data and client PII are at risk, as are your own banking credentials and identity information.
What Does Mobile VPN Do for Me?
A mobile VPN encrypts your traffic on the device before it leaves for the untrusted network and carries it through an encrypted tunnel to the VPN gateway (your company's concentrator or a provider's server). The gateway decrypts it and forwards it to the system you are actually talking to: your bank, your company server, or any other endpoint. The tunnel hides your traffic from everyone else on the hotspot, but it only protects the leg between your device and the gateway; from the gateway onward, the application's own TLS (the HTTPS padlock) is what protects the data.
Encrypted traffic can itself mark you out to someone watching the hotspot as a potentially valuable source of business or personal data, but the larger concern is that a VPN brings its own risks to mitigate, especially when the gateway sits in a cloud provider's infrastructure. That is true whatever protocol your VPN uses: IPsec, TLS (still commonly called SSL), DTLS, PPTP with MPPE, SSTP, and others.
Each protocol has its own issues that shape how you mitigate its risks, so let's focus on SSL (Secure Sockets Layer) and its successor TLS. When you research VPNs and choose one, knowing how your data is actually protected will put your mind at ease, and it gives you a basis for digging deeper into the protocol.
How Does SSL Encryption Work?
TLS combines public-key (asymmetric) cryptography, anchored in a PKI of certificates, with symmetric encryption to establish a protected connection between two parties. On a mobile device those two parties are typically your smartphone or tablet and, for example, your corporate mail server. If you are doing online banking, you are connecting to the bank's web server.
If you like visual references, review the OSI reference model or the TCP/IP stack. TLS sits between the transport layer (TCP, which carries the segments) and application protocols such as HTTP and IMAP. That placement makes sense: the application data has to be encrypted before it is handed down for transmission. You will hear people say SSL when they actually mean TLS. TLS superseded SSL long ago (SSLv3 is deprecated and should be disabled), but the old terminology has been difficult to kill, hence the SSL/TLS shorthand. TLS is the encryption layer most commonly used by so-called SSL VPNs.
The protocol is built from two sub-protocols. The handshake protocol negotiates the connection: the client sends a ClientHello listing the protocol versions and cipher suites it supports, and the server replies with its choice and its digital certificate, which binds a public key to the server's identity. The client checks that the certificate chains to a trusted certificate authority and matches the name it meant to reach, and the server proves it holds the matching private key, so you know you are talking to the machine you wanted. The handshake can also authenticate your device to the server if it presents a client certificate (mutual TLS), which is common in corporate VPN deployments.
Once the handshake completes, both sides have derived the same symmetric session keys from the key exchange, and the record protocol uses those keys to encrypt and integrity-protect everything exchanged for the rest of the session. This is where you get the "secure" connection: no one except you and the authenticated server can read the data. Most of this is invisible to you, but one thing you can see after a successful handshake is the URL changing from http to https, with a padlock icon in the browser.
How do IT security teams check the integrity of VPN security?
This is mostly done through penetration testing. The goal is not to break the cipher itself; a sound algorithm with an adequate key length is not where the weaknesses are. Never forget that encryption is nothing more than a mathematical way to scramble your data so that no one but you and your intended endpoint can read it; the weak points are the implementation, the configuration, and the authentication wrapped around it. There are many ways to do penetration testing, but the basics come down to three steps:
- Data gathering: you need to know two things, which VPN method is in use and which port the gateway listens on. The port depends on the protocol discussed earlier (for example UDP 500 and 4500 for IPsec/IKE, TCP 443 for most SSL VPNs, TCP 1723 for PPTP).
- Identification: determine the exact vendor and version of the VPN daemon. There are scanners that fingerprint these, and public vulnerability databases (such as the CVE list) are keyed by vendor and version, so an exact match tells you which known issues to test for.
- Check the authentication process: review the digital certificates (validity, trust chain, key sizes), passwords, and the rest of the authentication setup. Then use penetration techniques to try to get the device to grant access without completing the proper handshake and authentication procedure.
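The handshake structure described above and the first two testing steps come together in the following added example, which is not code from the original article. It encodes a TLS ClientHello the way a client sends it (record header, handshake header, versions, cipher suites, extensions), parses the bytes back the way a fingerprinting tool would, and flags weak cipher suites and legacy protocol versions. The hostname vpn.example.internal, the all-zero random, and the offered suites are constructed sample data; the cipher suite and version IDs are the standard IANA values.

```python
import struct

# Cipher suite IDs from the IANA TLS registry. Only a handful are listed here;
# a real audit would load the full registry.
CIPHER_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "3DES", "MD5")
EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43


def build_client_hello(suites, versions, sni=b"vpn.example.internal"):
    """Encode a ClientHello inside a TLS handshake record (RFC 8446 section 4.1.2)."""
    random = bytes(32)  # constructed: an all-zero random is fine for an offline example
    body = struct.pack("!H", 0x0303) + random + b"\x00"  # legacy_version, random, empty session_id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"  # one compression method: null
    # server_name extension: list length, name_type host_name(0), name length, name
    sni_entry = b"\x00" + struct.pack("!H", len(sni)) + sni
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    # supported_versions extension: 1-byte list length, then 2-byte version codes
    ver_bytes = b"".join(struct.pack("!H", v) for v in versions)
    ver_data = struct.pack("!B", len(ver_bytes)) + ver_bytes
    exts = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
            + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ver_data)) + ver_data)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type client_hello(1)
    # record header: content type handshake(22), legacy record version, length
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Walk the record and handshake headers and extract what a scanner fingerprints on."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32  # skip the random
    pos += 1 + body[pos]  # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]  # skip compression methods
    info = {"legacy_version": legacy_version, "suites": suites, "sni": None, "versions": []}
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME:
                name_len = struct.unpack("!H", data[3:5])[0]
                info["sni"] = data[5:5 + name_len].decode()
            elif etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                info["versions"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return info


def audit_client_hello(record):
    """Report weak cipher suites and pre-TLS 1.2 versions offered in a ClientHello."""
    info = parse_client_hello(record)
    weak = [CIPHER_SUITES[s] for s in info["suites"]
            if any(m in CIPHER_SUITES.get(s, "") for m in WEAK_MARKERS)]
    legacy = [VERSIONS[v] for v in info["versions"] if v < 0x0303]
    return {"sni": info["sni"], "weak_suites": weak, "legacy_versions": legacy}


if __name__ == "__main__":
    # Constructed sample: modern suites offered alongside 3DES and RC4, plus TLS 1.0.
    hello = build_client_hello(suites=[0x1301, 0xC02F, 0x000A, 0x0005],
                               versions=[0x0304, 0x0303, 0x0301])
    print(audit_client_hello(hello))
```

Pointed at a captured ClientHello from a real VPN client, the same parser tells you which versions and suites the client is willing to fall back to; run against what the server actually selects, the findings feed the third step, checking whether the gateway accepts weak settings or legacy versions it should refuse.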
There are two challenges to making sure your VPN connections are as secure as possible. The first is to make everyone aware that a VPN does not make things automatically secure. The system must be managed and tested periodically to validate its integrity. The second falls to the companies and organizations that rely on VPNs as a security measure: the endpoint email servers and mobile app servers behind the tunnel must be secured for all users, because the tunnel only protects the data in transit.
Mobile users will do just about anything to get work done, including inadvertently bypassing your VPN by setting up shadow IT operations in the cloud. They think they are being efficient; in reality, not so much. They also need to understand that turning off the firewall or anti-virus on their device invites malware, which can undermine your VPN security posture from inside the tunnel.
If your penetration testing is thorough and regular, your VPN will keep doing its job of protecting your data in transit.