CITES | University of Illinois

VPN Security

For IT Pros:
This page contains advanced information about VPN security benefits.

Note: Advanced content

This page compares the potential security vulnerabilities of a regular network connection with the potential security vulnerabilities of a VPN connection. It's intended for advanced users and for system administrators.

You don't need to know any of the information on this page in order to successfully connect to the VPN server; it's here for those who want a look "under the hood," so to speak.

In a nutshell

While wireless users will see a vast increase in their security, wired users' greatest benefit is the ability to claim a UIUC IP address from a third-party ISP. The VPN's primary purpose is to raise the security experienced by wireless users to the level that wired users have natively. This page explains what the VPN does and does not do for your system and its security.

A VPN connection protects your information between your applications and the VPN server itself. It does not provide complete end-to-end security. Wireless users at the Urbana campus are encouraged to use the VPN system because unencrypted wireless communication can be intercepted in the air far more easily than wires can be tapped and interpreted. VPN is recommended for remote-access users who need an on-campus IP address to authenticate themselves. But antivirus software, system patches, additional layers of encryption to finish the link between user applications and server applications, and vigilance are still required for system security. In addition, firewalls and other security measures are still recommended.

General networking security overview

In the graphic below, the starbursts represent points of potential security failure in a networked system.

Potential security points of failure in a networked system

Point 1: The user's own system. There are several security points to consider on your own system, including:

  • Virus protection
  • File sharing and networking settings
  • Your operating system's native level of security and security patches
  • Your applications' native levels of security and security patches
  • The amount of time the computer is actively connected to the network

For example, computers using dialup connections or other intermittent connections are less likely to be found by port-scanning intruders than computers that are networked whenever they're turned on, such as cable modem or Ethernet connections. However, dialup users are no less prone to virus infection or other file-access-related security risks, and dialup users may be more vulnerable to some risks because of the difficulty of keeping current with large operating system patches over a slow network connection.

Point 2: The machines between the user's system and the target network. Even if you use an ISP whose integrity you trust, there are few guarantees that your ISP routes you only through machines that the ISP has personally inspected and verified. Anyone can run a DNS server, and anyone can intercept and read unencrypted network traffic that goes through their systems.

Point 3: The target network itself. The network you wish to access may or may not have been completely secured from outside or inside; other people sharing that network may or may not be completely trustworthy. The larger the network, the less likely it is to be sealed "airtight."

Point 4: The server on the target network. As with the user's own system, there are several points of potential security failure on a server, such as the operating system, the applications, and any component of the system. New viruses, intrusions, compromised usernames and passwords, and other security risks keep server administrators on their toes.

The Virtual Private Networking model

In the graphic below, the areas in blue indicate what a VPN system will protect users against. Areas not marked in blue are not protected by the VPN.

VPN security benefits and limitations

Point 1: The user's system. A VPN client aims to secure a path of communication from the client machine to the VPN server for the applications that need to communicate across that path. A VPN client does not replace antivirus software, operating system and application security patches, or good file sharing and local-area networking security practices. A virus that is downloaded in an encrypted packet will still infect your system when your VPN client unencrypts it for you and your applications to read.

Point 2: The machines between the user's system and the target network. This is the area where VPN security benefits are most evident. All communications between the client machine and the VPN server are encrypted, then "wrapped" with enough networking information for the intervening machines to pass the network data packets to their destination. The only part of the data that intervening machines can read is the network source and destination. Machines between the VPN server and the client cannot read the contents of the data packet.

Point 3: The target network itself. The data is encrypted until it reaches the VPN server. The VPN server then unencrypts the data it was given by the client and sends it on to its original target. If its original target expected encrypted data (e.g., if the user was sending SSL-encrypted data inside the VPN packet encryption to an https:// web page), that data will still be encrypted once it leaves the VPN server. However, if the original target expected unencrypted data (e.g., if the user was sending regular data inside the VPN packet encryption to an http:// web page), that data will not be encrypted once it leaves the VPN server. The VPN server's protection stops at the point where it receives the data and sends it along. After that point, security is the user's and the target server's responsibility. For example, you should not send password or credit card information to a web page that is not SSL-encrypted (e.g., does not begin with https://), even if you're using a VPN connection.

Point 4: The server on the target network. The information you send to the application server you want to reach has lost its VPN level of protection before the data arrives at the application server, if the VPN server is not the same machine as the application server. Therefore, if you want complete end-to-end protection, make sure that the applications you use permit that level of end-to-end security.

For web pages, end-to-end security means using https:// (SSL-encrypted) locations when sensitive information is being distributed. For email clients, it means using a Secure POP, Secure IMAP, and/or SSL protected server such as Google Apps @ Illinois and Microsoft Exchange rather than an email server that doesn't offer security systems to protect your username and password.

More information

For additional information about protecting your computer, your passwords, and your identity, see the CITES Security Home Page.

Last updated Wednesday, June 12, 2013, 10:09 am