Slashdot Mirror


Two-Thirds of Tech Workers Now Use a VPN, Survey Finds (9to5mac.com)

An anonymous reader shares a report: According to a survey, 65% of U.S. tech sector workers now use a virtual private network (VPN) on either work devices, personal ones or both. While much of that usage will be because it's installed as standard on work devices, a growing number of people are choosing to use a VPN on their own devices in response to past and proposed legislative changes. The Wombat Security survey found that 41% of those surveyed use a VPN on their personal laptop, with 31% doing so on mobile devices.

87 comments

  1. One VPN? by Major_Disorder · · Score: 1

    I have three different VPNs for work.

    --
    First law of people: People are generally stupid.
    1. Re: One VPN? by Anonymous Coward · · Score: 0

      And I have used SSH for years already.

    2. Re:One VPN? by Anonymous Coward · · Score: 0

      At my place of work it's VPNs all the way down.

  2. Isn't everyone? by Anonymous Coward · · Score: 1

    I have a VPN autolaunch on my laptop when I start up because I travel about 50% of my time and I am frequently on some random wifi connection. I was recently taken aside by an IT person who asked me very suspiciously why I was running a VPN. My response was "Almost everyone here works remotely at some point during the week. Isn't everyone running a VPN?" He grumbled something and walked off.

    1. Re:Isn't everyone? by green1 · · Score: 5, Insightful

      Your answer should have been, "The very fact that you know I'm on a VPN proves why I need it". Had he not been trying to spy on your data he would never have known.

    2. Re:Isn't everyone? by Anonymous Coward · · Score: 0

      Taken aside? What right did he have to do that? How about answering "That's my business, not yours - now f*** off!"

    3. Re:Isn't everyone? by ctilsie242 · · Score: 1

      Realistically, who would not be using a VPN with Wi-Fi links? So many places abuse it, from the restaurant chain that says that they can log every packet and sell the info as they see fit to the place that tries to MITM every connection with an oddball key... using a VPN is just like using FDE... a necessity.

    4. Re:Isn't everyone? by networkBoy · · Score: 4, Informative

      I would then come back with:
      You're on company equipment and on a company network. Of course it's monitored. The fact that your data is not inspectable is what raised the flag on the automated system.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    5. Re: Isn't everyone? by VikingNation · · Score: 1

      It is the companies business what you are doing on their network. Companies have a lot to lose when intellectual property is copied off the network. It is standard practice for companies to monitor activity of users. Don't like the policy find somewhere else to work.

    6. Re:Isn't everyone? by green1 · · Score: 2

      Depends what you're doing over that link. If the sites you go to are HTTPS, and the computer is still controlled by you, then they are getting somewhat limited data on your browsing, knowing only what sites you visit, not what you did once you got there. Conversely, using the VPN adds significant latency to your connection, and possibly some cost (depending on your VPN provider's plan, or if you provide your own, depending on your data usage plan for the connection it runs over)

      For most things I do, the VPN simply isn't worth it. Now there are some exceptions, and I do use a VPN between my server, my computer, and my car's computer, but I don't bother with one to connect to the public internet as I'm just not all that worried about what people might sniff to be worth the latency hit and extra data usage.

    7. Re:Isn't everyone? by green1 · · Score: 1

      Additionally, how do you really know that the pipe out of the VPN is any more secure than the pipe you're on to start with?

      I'm 99% certain that all traffic out of my VPN can be intercepted by a foreign government, because my VPN is located in a foreign country that is well known for having no privacy rights, and an authoritarian government that monitors everything. Whereas most of the time my devices are connecting to networks in a country that has actual privacy laws. (I'm still 90% sure someone is monitoring it, but I sometimes think you just can't win)

    8. Re:Isn't everyone? by Anonymous Coward · · Score: 0

      I am in a position where I see traffic from some random people while troubleshooting. Without actively MITM attacking them, there isn't a whole lot to see. You instantly see which kind of device they use, if it's an Apple, etc., and what apps they are using that produce internet traffic, simply from DNS lookups. But other than that, most everything is transport encrypted nowadays. There are a few odd people who have their mail clients misconfigured to authenticate in the clear, but email providers crack down on that and it has become very rare. Not quite as rare are users whose email clients are configured to allow falling back to unencrypted connections (which would allow a MITM to spy on them, but I don't do that.) There is surprisingly little web traffic and what is there is rapidly becoming encrypted.
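
The visibility the commenter describes, as an added example that is not code from the thread: a passive observer who never touches the session can still read the DNS query name and the TLS Server Name Indication (SNI) hostname, because both are sent in the clear before any encryption starts. The packets below are constructed inline and the hostname is made up; the parsers handle only the unfragmented, uncompressed forms shown. A VPN moves this exposure from the local network to the VPN exit rather than removing it; encrypted DNS and Encrypted Client Hello are what close these two leaks.

```python
"""Added example (not from the thread): what a passive on-path observer can
read from a TLS session without any MITM. Both the DNS query name and the
TLS SNI hostname travel in the clear. Sample packets are constructed inline."""
import struct
from typing import Optional


def encode_dns_name(name: str) -> bytes:
    """Wire-format a hostname as DNS labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal A-record query (constructed sample, not captured)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, RD flag, qdcount=1
    return header + encode_dns_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_query_name(pkt: bytes) -> str:
    """Return the name in the first question; queries carry it uncompressed."""
    if struct.unpack(">H", pkt[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels)


def build_client_hello(sni: str) -> bytes:
    """Construct a TLS 1.2-style record carrying a ClientHello with an SNI extension."""
    host = sni.encode()
    server_name = struct.pack(">BH", 0, len(host)) + host          # name_type=host_name
    sn_list = struct.pack(">H", len(server_name)) + server_name
    ext_sni = struct.pack(">HH", 0x0000, len(sn_list)) + sn_list   # extension type 0 = server_name
    ext_other = struct.pack(">HH", 0x002B, 3) + b"\x02\x03\x04"    # an unrelated extension the parser must skip
    exts = ext_other + ext_sni
    body = (b"\x03\x03" + bytes(32)                  # client_version, random (zeros: constructed)
            + b"\x00"                                # session_id length 0
            + struct.pack(">H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # compression methods: null only
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello record and return the SNI hostname, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                   # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                             # session_id
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                             # compression_methods
    if pos >= len(record):
        return None                                    # no extensions at all
    ext_len = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + elen]
        pos += elen
        if etype == 0:
            list_len = struct.unpack(">H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack(">BH", data[q:q + 3])
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
    return None


# constructed sample traffic, as an on-path observer would see it
SAMPLE_DNS = build_dns_query("mail.example.com")
SAMPLE_HELLO = build_client_hello("mail.example.com")


def observe(packets):
    """Reduce a stream of (protocol, bytes) to what is readable without decryption."""
    seen = []
    for proto, pkt in packets:
        if proto == "dns":
            seen.append(("dns", parse_dns_query_name(pkt)))
        elif proto == "tls":
            host = parse_sni(pkt)
            if host:
                seen.append(("sni", host))
    return seen


if __name__ == "__main__":
    for kind, name in observe([("dns", SAMPLE_DNS), ("tls", SAMPLE_HELLO)]):
        print(kind, name)
```

Run as a script it prints the DNS name and the SNI hostname, which is exactly the "which sites, but not what you did there" picture from the comment above; everything after the ClientHello is ciphertext to this observer.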

    9. Re:Isn't everyone? by Anonymous Coward · · Score: 2, Funny

      Have you considered switching to a VPN located outside the United States?

    10. Re:Isn't everyone? by Anonymous Coward · · Score: 0

      That depends entirely on whether he was using the VPN on work's network or not. Mind you, if he was, then the network is configured poorly anyway, as the last thing you want is people establishing secure tunnels in an outbound manner from your corporate network.

    11. Re:Isn't everyone? by ctilsie242 · · Score: 1

      I can control what VPN I use. With an ISP, I really can't, where at best, I'd have cable or the telco. If one VPN has a bad privacy policy, I can switch fairly easily. Offshore? Easily done.

      Of course, the VPN owner spilling the beans about what I'm doing is one thing... but if that is done and it is made public, the customer base of the VPN will disappear overnight.

    12. Re:Isn't everyone? by Anonymous Coward · · Score: 0

      Be not so quick to meddle in the affairs of IT, for we control the content of the access logs, and we might just find that you have been up to some very, very naughty stuff.

    13. Re:Isn't everyone? by Anonymous Coward · · Score: 0

      Question is, why isn't your employer providing their own VPN endpoint on the corp network? Would allow you to work from anywhere just as if you were in the office, and lets them still keep whatever monitoring policies are in place for the corp network and PCs.

      As for the corporate monitoring of traffic, well, if you are on the corp network, or corp hardware, I'm pretty sure there is something you've signed that you agree to it, if not a persistent warning message on the Windows login screen informing you that all activities on the corp network and hardware can be monitored at any time.

  3. Apple broke VPN in El Capitan.... Grrrr by Proudrooster · · Score: 1

    I used to use VPN on my Mac to connect to work until Apple broke PPTP in Sierra. I'm not bitter..... grrrr

    As for public wifi, I use OpenVPN back to my home router.

    As for sending secrets to wikileaks, I use dual VPN (IP Vanish) and the tails OS through the TOR proxy.

    1. Re:Apple broke VPN in El Capitan.... Grrrr by CaptainDork · · Score: 1

      I just use my BIL's computer.

      He don't know that.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:Apple broke VPN in El Capitan.... Grrrr by sconeu · · Score: 2

      Your IT staff needs to update. PPTP is old and broken.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:Apple broke VPN in El Capitan.... Grrrr by Mascot · · Score: 4, Informative

      They didn't break it, they removed it. I can't tell if you're aware of that and just being facetious by saying "broke". Choice of words matters.

      But yeah, it was annoying. On the other hand it took all of half an hour to figure out how to enable L2TP/IPSec at work, so not exactly the end of the world. The rigidity of IT in larger corporations is probably more of a stumbling block than the technical side of it.

    4. Re:Apple broke VPN in El Capitan.... Grrrr by infolation · · Score: 3, Informative

      Apple didn't break PPTP. The protocol was insecure. Since it's a Microsoft protocol you could argue Microsoft broke it when they designed MS-CHAPv1 and, after Schneier and Mudge published the weakness they broke it again when they designed MS-CHAPv2. Schneier and Mudge proved the second version was only as secure as the password which means it's subject to dictionary attacks. Chapcrack plus CloudCracker = password brute-forced in 24 hours.

    5. Re:Apple broke VPN in El Capitan.... Grrrr by Anonymous Coward · · Score: 0

      Schneier and Mudge proved the second version was only as secure as the password

      Uh, why would anyone expect it to be more secure than that?

    6. Re:Apple broke VPN in El Capitan.... Grrrr by Anonymous Coward · · Score: 0

      Looking for nudes of your sister?

    7. Re: Apple broke VPN in El Capitan.... Grrrr by Anonymous Coward · · Score: 0

      Lol.

      If you're sending any secrets to wikileaks (you're not), then the NSA and other agencies around the planet know exactly who you are and what you're sending.

    8. Re: Apple broke VPN in El Capitan.... Grrrr by Monster_user · · Score: 1

      2-Factor authentication which mitigates the password vulnerability? Then there is Apple encrypting my phone, and otherwise preventing me from accessing my data in the event of an OS failure. Also complicates my archival process. My devices turning into ransomware or an impenetrable black box due to a failure of some kind is my greatest fear. "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

    9. Re:Apple broke VPN in El Capitan.... Grrrr by Anonymous Coward · · Score: 0

      > Your IT staff needs to update. PPTP is old and broken.

      Unfortunately, it's also stable. The morass of proprietary VPN tools, especially with bloody expensive firewalls like Fortigate that "provide" a spyware enabled VPN client and can't even get IPsec working correctly are amazing. I never thought I'd hate a firewall as much as I hated the "flexibility" of Cisco's and that always mutating configuration language, but then I met Fortigate.

    10. Re:Apple broke VPN in El Capitan.... Grrrr by pnutjam · · Score: 1

      everybody gets a reverse ssh to the home server, right?

    11. Re:Apple broke VPN in El Capitan.... Grrrr by pnutjam · · Score: 1

      Stand up an openvpn server, it's easy with linux or pfSense. You can do virtual or physical. Dump that proprietary shit.

  4. VPN is nice to have... by __aaclcg7560 · · Score: 0

    I normally don't work from home but I have VPN access for those rare days when I do have to work from home. Every 90 days I must carry my luggable laptop (Dell Precesion M4800) home, remote into VPN to reset the 90 day clock, and carry my luggable laptop back. Which was what I did this past Labor Day weekend. If I don't, the VPN account gets deleted and the paperwork to get it back again is a PITA. I only work from home two or three times a year.

    1. Re:VPN is nice to have... by Anonymous Coward · · Score: 0, Funny

      Important notice about Christopher Dale Reimer:

      I am Nancy Guerrero and I am Director of Special Education for the Santa Clara County Office of Education. We use Chris' (a.k.a creimer) picture in our document because he is the hardest case we have ever had to handle:
      http://www.sccoe.org/depts/stu...

      Our artists were inspired by the low carb diet that Christopher follows scrupulously for the small lunch box and by the picture linked below for the rest. I am sure that you will notice the similarities such as the bump on the side of his chest and more:
      https://www.cdreimer.com/slash...

      Please be easy on Christopher although, I am aware that some of our staff handling Chris post joke comments here and obviously, the Santa Clara County Office of Education disapproves of that behavior vehemently:
      https://school.discoveryeducat...

      But it isn't Chris' fault if he is the way he is. We do the best we can do with him and he is partially integrated into society. We try to cure his abnormal need for attention but he is kind of stubborn and won't listen to anybody.

      Thank You dear users,
      -Nancy Guerrero

    2. Re:VPN is nice to have... by Anonymous Coward · · Score: 0

      We'll see who gets the last laugh, Nancy Guerrero! /shakes tiny fist

    3. Re:VPN is nice to have... by CaptainDork · · Score: 1

      Said the AC.

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re:VPN is nice to have... by Anonymous Coward · · Score: 0

      What I am doing isn't against /. TOS. If you are not happy, complain to management. Bitching in the comments is useless.

    5. Re:VPN is nice to have... by Anonymous Coward · · Score: 0

      Every 90 days I must carry my luggable laptop (Dell Precesion M4800) home

      Can't you just go outside the company network, tether that laptop to phone wifi, connect via VPN to the company network, say hello and disconnect?
      My favorite trick: use the guest wifi to connect to the company network from VirtualPC; that way I have access to the company network and to those "personal sites" (thank you Blue Shield) where programmers sometimes publish solutions to my problems.

    6. Re:VPN is nice to have... by Anonymous Coward · · Score: 0

      Whoa, hey man, what a drag. /shakes other tiny fist

    7. Re:VPN is nice to have... by Anonymous Coward · · Score: 0

      "Dell Precesion M4800"

      That's not very precise, now is it.

    8. Re:VPN is nice to have... by Anonymous Coward · · Score: 0

      I normally don't work from home

      Or at the office either... Jeez, you post more than fifteen normal Slash users combined.

    9. Re:VPN is nice to have... by Anonymous Coward · · Score: 0

      Every 90 days I must carry my luggable laptop (Dell Precesion M4800) home

      Wow, lugging 11 pounds home. That must be some very strenuous physical labor. I bet you ass swipe your boss a ton every time you have to do that, so he can hear your grunting and farting as you work so hard!

      remote into VPN to reset the 90 day clock, and carry my luggable laptop back.

      Or, if you're not a dummy, you could just share your phone's wifi connection as a portable hotspot, connect to the VPN from right there in your office, and save your poor boss the horror of listening to your bowels churn as you "exert" yourself by carrying an 11 pound device into your home. But yeah, I guess it sounds cooler if you talk about how hard your life is here in the comments.

      Of course, bitching about it here in the comments is useless, so you should probably complain to management.

    10. Re:VPN is nice to have... by Anonymous Coward · · Score: 0

      " That must be some very strenuous physical labor."

      Just because I'm not working out your way I must be doing it wrong?

    11. Re:VPN is nice to have... by Anonymous Coward · · Score: 0

      So you can't just log in on a wifi hotspot while at work rather than winding yourself carrying that oh so heavy laptop?

  5. Except if you're in China by Anonymous Coward · · Score: 0

    Because the Communist Party said so.

  6. Useless data by Anonymous Coward · · Score: 2, Insightful

    This survey is useless. It includes work-issued devices (where the VPN client is installed for corporate privacy) and doesn't specify the end user's purpose for using a VPN.

    1. Re:Useless data by Proudrooster · · Score: 2

      Hey, we have someone that actually read the article here! I am impressed! Must be to honor the first day back to school. :)

  7. Re: pant..pant..pant.. by Anonymous Coward · · Score: 0

    Plz link to ur vps provider and vpn software of choice....?

  8. Asking the wrong question? by Anonymous Coward · · Score: 2, Insightful

    Seems to me like the classic metrics analysis mistake of measuring the wrong thing for your desired conclusion. Using a VPN... to do what, and why? To access internal company systems while you're working remotely? To fool content geolocation restrictions? To browse the web when you want privacy? Because your Internet-savvy friend or computer repair-person told you you should?

    If we're to draw more meaningful conclusions from a survey like this, we'd need to know more about the reasons behind each responder's choice.

  9. Usage by bickerdyke · · Score: 2

    Not mentioned in the study: 60% use a VPN to bypass a geoblocked hulu.

    --
    bickerdyke
  10. VPN uses are a-many by Anonymous Coward · · Score: 1

    Do they mean to say that the VPNs are used for everyday browsing? Or in order to do work that requires connecting to a computer via WAN? There are some regulations that require VPN in certain circumstances. For instance HIPAA regulations require VPC connection(s) for use in anything that sends/receives medical records.

    At any rate, how is this news for those of us in the field? Kinda looks like FUD.

    1. Re:VPN uses are a-many by Kernel+Kurtz · · Score: 5, Informative

      Yes, though it comes down to primarily two basically opposite reasons:

      I use a VPN to securely access my work resources from home. With two factor authentication and associated firewall rules that control my access to internal resources. They know who I am, they know what I do when I am connected (and since I am with the corp network team I'm actually one of the watchers as well).

      I also use a personal VPN, not to access work resources but for the totally reverse functionality - so that people who may be watching my activity DO NOT know who I am, as well as greatly limiting, though not completely removing, the number of people who can watch in the first place.

      Pretty versatile thing those VPNs.

    2. Re:VPN uses are a-many by pnutjam · · Score: 1

      I have a home server running x2go, so I can access everything from it on an encrypted SSH tunnel. I pass its outbound traffic through a VPN for privacy. It works great. I've thought about an inbound VPN, but it's just not necessary yet and I have restricted inbound traffic, although AT&T is offering symmetrical 100 and 1000 mbit connections in my neighborhood now.

  11. VPN on all my devices by tgetzoya · · Score: 2

    I use a VPN on all my devices. I don't want Comcast/Verizon/etc making me the product if I'm not getting a cut.

    1. Re:VPN on all my devices by Anonymous Coward · · Score: 1

      Almost every IT workplace uses a VPN, even internally, because it allows one to limit access to things to that range. Plus, with 2FA, if someone is on a VPN, they at least passed authentication.

      I also use personal VPNs. One even tunnels from my internal router to a nearby VPN provider, just because I trust my ISP's router as far as I can drop-kick it.

      Torrents? Yep, VPN to somewhere overseas, so some witch hunt has to escalate into an international incident before it affects me.

    2. Re:VPN on all my devices by cmseagle · · Score: 1

      Really? If your ISP gave you $2/month (or whatever the marginal value of one customer's browsing history is) on the condition that all your traffic is inspectable, you'd agree?

    3. Re:VPN on all my devices by Anonymous Coward · · Score: 0

      Good call. But are you not more their servant if you respect them enough to give a shit what they know about you?

    4. Re:VPN on all my devices by Anonymous Coward · · Score: 0

      I only use a VPN to hide my IP address to keep my personal real life location secret and prevent DDOS when I play online video games. There are some real psychopaths in PC games these days who will straight up stalk you because you pwned them or talked some well deserved trash. The VPN is also useful when I'm travelling because there are some serious security issues with public wifi, like viruses being injected into website content and MITM attacks. But, I turn off the VPN when I watch porn at home because I want anyone spying on me to know I'm into lesbian massage porn and weird hentai tentacle sex. I'm proud of that shit.

    5. Re:VPN on all my devices by PingSpike · · Score: 2

      Sure, you'd agree. Then use the VPN the whole time anyway.

  12. Pointless Article by Luthair · · Score: 2, Informative

    About a meaningless statistic.

  13. DACA by Anonymous Coward · · Score: 1

    DACA...is CACA

  14. Depends on use case. by green1 · · Score: 4, Interesting

    I use my work laptop to work from home over the company VPN. It's necessary to use it to do any work, and makes perfect sense.

    I have a personal VPN that connects my home computer (on my xDSL connection), my server (VPS in a data centre) and my car's computer (connected by cellular data) so that I can securely transmit information between them, and not have to worry about the fact that 2 of those 3 devices are on dynamic IPs.

    But I don't use a VPN for general internet use because it slows down the connection and racks up billable data usage at 2 locations (home and server) instead of just 1 location (home).

    Sure, I know people are probably spying on me, but the tradeoff just isn't really worth it.

    1. Re:Depends on use case. by pnutjam · · Score: 1

      I get great speeds with Air VPN, and I used to use PIA and get excellent speeds. Never noticed much slowdown, but I was only on a 10/1 connection.

  15. Last place I worked by bobstreo · · Score: 1

    Had a couple different VPN solutions to access work-related services externally.

    There was no other way to access them externally without a VPN.

    Personal VPN services are a horse of a different color, as in much more optional, depending on what you're doing on the Internet. I have one for accessing services on my home network from outside the home network for example.

    1. Re: Last place I worked by Anonymous Coward · · Score: 0

      You mean like any other company with decent IT?

  16. A few VPNs here. by Anonymous Coward · · Score: 1

    I work for the government of Canada and use a VPN from my own laptop to get into, and do, work. The shitty laptops they give out are garbage. I VM'd mine and use it in VirtualBox with double the memory and cores of the physical box. Can even get into the core data centers with it: zero problems to date.

    1. Re:A few VPNs here. by Anonymous Coward · · Score: 0

      VPN sounds nice. I work for the government of Australia and it's all Citrix baby!

    2. Re:A few VPNs here. by pnutjam · · Score: 1

      As a recovering Citrix admin, I truly feel your pain.
      Hugs.

  17. Two thirds sounds low by Hadlock · · Score: 1

    Our whole company was using VPN back in 2012 and it was considered standard practice at that point. Every company I've dealt with since then has also had VPN.

    --
    moox. for a new generation.
    1. Re: Two thirds sounds low by Monster_user · · Score: 1

      New options have eliminated the need for VPN, and are more user friendly for those not in I.T.

  18. Personal Devices? by Anonymous Coward · · Score: 0

    41% installed it on a personal laptop? Can somebody from Slashdot explain this to me? Why oh why would you put ANYTHING work related on a personal device?

    The moment I put anything work related on a personal device - my company now effectively has the right to seize that device when/how they please. Maybe not directly via brute force but I can promise you they retain better lawyers than I do and I'd end up having to forfeit the device at the end of the day if asked. i.e. If I choose to quit said company I'd also have to give up my personal device with very low probability of ever seeing it again. OR, by the time I fight the court systems, the device will be obsolete when returned.

    No thank you - not worth the hassle.

    1. Re: Personal Devices? by Monster_user · · Score: 1

      Old school cost savings. I work I.T. from home. Since the company I work for provided me with VPN, they don't have to provide me with a company laptop. I also opted to avoid buying a separate device for work purposes until recently, due to a low salary.

  19. VPNs=Privacy, y'all by Anonymous Coward · · Score: 0

    Not surprised. Privacy awareness has gone from the proverbial old man in a tinfoil hat to mainstream in only a few years. I work in IT and most of my friends either pay for a service like ExpressVPN or use their own.

  20. Untrustworthy VPN by Anonymous Coward · · Score: 0

    If your VPN provider (remote end) is unknown then how is that more trustworthy?
    There are cases of VPN providers monitoring and collecting info from their users and providing that to other parties or for nefarious purposes. Providing a VPN service is the new gimmick for that princess in Nigeria that needs help moving millions out of the country.....

  21. Not at Google. Google has deprecated VPNs. by swillden · · Score: 4, Interesting

    VPNs are part of a badly broken security model: the perimeter defense model. It doesn't work very well at small scales, definitely does not scale for large enterprises and generally creates a lot of misunderstandings that result in bad security decisions.

    Google had a segmented perimeter defense model for several years, but has spent the last five years or so getting rid of it. The VPNs aren't entirely gone, but nearly so. You now have to get special permission to run a service that requires VPNs to access.

    The perimeter defense model is based on the notion that it's possible to build a network that is physically secure and which contains only trusted, managed systems. The assumption is that any machine connected to the network is inherently trusted to some degree, and has access to some potentially-sensitive resources merely by virtue of being connected.

    The problem is that it's cost-prohibitive to build a physically-secure network, and a management nightmare to try to ensure that only trusted systems can be connected to it. 802.1X authentication, which requires every device that connects to perform a cryptographic authentication, can help keep unauthorized devices off the network but it doesn't prevent sniffing or impersonation, and can't prevent compromised devices from exploiting the trust they're given.

    That last point is a really telling one, because if you assume that there's some ambient authority available to any device on the network, you inevitably end up granting that ambient authority permission to access resources that only a subset of the connected devices should actually have. Also, for all of the systems that require more authorization than the ambient authority, you still have to have some sort of login system, either per application, or else build out some sort of single sign-on infrastructure.

    The solution is a zero-trust network, where no device is assumed to have any authority merely by virtue of being connected, and all connections are end-to-end authenticated and encrypted. Then, a compromised device still can only access the resources that it is supposed to be able to access, because it doesn't have authorization for anything else. It also means there's no need to try to keep unauthorized devices off the network, and no worry about attackers having physical access to the network (other than DoS concerns). This approach does increase the importance of keeping all "legitimate" devices on the network secured and patched, but that really has to be done anyway.

    Google calls its version of this approach BeyondCorp. It's built around a set of proxies which take responsibility for user authentication and identification. User devices connect to the proxy (in the case of web apps it's a literal HTTPS proxy) and strongly authenticate themselves with username, password and two-factor auth token. The proxy then has an already strongly-secure connection to the backend system the user is trying to reach, and it forwards the user's request to the backend with the user's identity (in an HTTP header, for web requests). The backend (or a service it delegates to) can then decide whether the user is authorized to connect and use the service, and if so which parts of the service the user can use, what data the user can see, etc.

    The approach divides authentication from authorization, doing the first in the proxy and the latter in the backend that knows what different users are allowed to do. The backend doesn't have to know anything about user authentication, meaning as authentication needs and approaches change, they can all be implemented in the client and proxy, without touching the backends. Meanwhile the proxy doesn't know anything about authorization; it's a backend-agnostic, general-purpose single sign-on service. And, of course, all connections are encrypted and authenticated, all the time.

    What all of this means to Google employees is that there is exactly zero difference bet

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
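
The proxy/backend split the post above describes, as an added example that is not Google's BeyondCorp code: the proxy authenticates the user with a password plus a second factor and forwards the request with the user's identity in a header; the backend does authorization against its own ACL and never sees a credential. The header name, the signing key, the user table and the ACL are all made up for the example. The one detail the post leaves implicit is why the backend can trust that header at all: here the proxy signs the identity claims with a key the backend shares, and strips any copy of the header the client itself sent, so a client that reaches the backend directly and writes the header by hand is rejected. A production deployment would put mTLS between proxy and backend, or use a standard signed token, instead of this shared HMAC key.

```python
"""Added example (not Google's code): authentication at a proxy, authorization
at the backend, with a signed identity header so the backend can tell a
proxy-asserted identity from a client-forged one. All names and data are
made up for the example."""
import base64
import hashlib
import hmac
import json
import time

# Shared secret between proxy and backend (assumption; mTLS or a signed token
# format would replace this in a real deployment).
PROXY_KEY = b"example-proxy-signing-key"
IDENTITY_HEADER = "X-Authenticated-User"   # hypothetical header name


def _pw_hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


# Constructed user store: salted password hashes, a static second factor
# standing in for a TOTP/U2F check, and group memberships.
USERS = {
    "alice": {"salt": b"s1", "pw": _pw_hash("correct horse", b"s1"), "otp": "123456", "groups": ["eng"]},
    "bob":   {"salt": b"s2", "pw": _pw_hash("hunter2", b"s2"),       "otp": "654321", "groups": ["sales"]},
}


# --- proxy side: authentication only ----------------------------------------
def proxy_authenticate(user: str, password: str, otp: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    ok_pw = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"])
    ok_otp = hmac.compare_digest(otp.encode(), rec["otp"].encode())
    return ok_pw and ok_otp


def sign_identity(user: str, groups, ttl: int = 300, now=None) -> str:
    """Produce '<base64 claims>.<hmac>' so the backend can verify who asserted the identity."""
    claims = {"sub": user, "groups": list(groups), "exp": int(now or time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(PROXY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def proxy_forward(request: dict, backend) -> dict:
    """Authenticate the client, then forward with the identity header set by the proxy."""
    creds = request.get("credentials", {})
    user = creds.get("user", "")
    if not proxy_authenticate(user, creds.get("password", ""), creds.get("otp", "")):
        return {"status": 401}
    # Drop any client-supplied copy of the header before setting our own.
    headers = {k: v for k, v in request.get("headers", {}).items() if k != IDENTITY_HEADER}
    headers[IDENTITY_HEADER] = sign_identity(user, USERS[user]["groups"])
    return backend({"path": request["path"], "headers": headers})


# --- backend side: authorization only ---------------------------------------
ACL = {"/eng/deploy": {"eng"}, "/sales/leads": {"sales"}, "/wiki": {"eng", "sales"}}


def verify_identity(header_value, now=None):
    """Return the claims if the header was signed by the proxy and is unexpired, else None."""
    try:
        body, sig = header_value.split(".", 1)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(PROXY_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < int(now or time.time()):
        return None
    return claims


def backend(request: dict) -> dict:
    claims = verify_identity(request["headers"].get(IDENTITY_HEADER))
    if claims is None:
        return {"status": 401}                      # no trustworthy identity: not even a 403
    if not ACL.get(request["path"], set()) & set(claims["groups"]):
        return {"status": 403}
    return {"status": 200, "user": claims["sub"]}


if __name__ == "__main__":
    alice = {"user": "alice", "password": "correct horse", "otp": "123456"}
    bob = {"user": "bob", "password": "hunter2", "otp": "654321"}
    print(proxy_forward({"path": "/eng/deploy", "credentials": alice}, backend))
    print(proxy_forward({"path": "/eng/deploy", "credentials": bob}, backend))
    # A client that skips the proxy and writes the header itself gets rejected.
    print(backend({"path": "/eng/deploy", "headers": {IDENTITY_HEADER: "eyJzdWIiOiJhbGljZSJ9.deadbeef"}}))
```

Run as a script it shows the three outcomes that matter in this model: an authorized user gets 200, an authenticated but unauthorized user gets 403 from the backend (the proxy never consulted the ACL), and a forged header presented straight to the backend gets 401 because the signature does not verify.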
    1. Re:Not at Google. Google has deprecated VPNs. by Antique+Geekmeister · · Score: 1

      > The perimeter defense model is based on the notion that it's possible to build a network that is physically secure and which contains only trusted, managed systems.

      If I may disagree? It's based on the notion that it's possible to reduce your vulnerability, profoundly, by reducing your exposed surface and enabling some tracking of who is accessing the internal network with what privileges. I'm afraid there is not complete security. Locking casual access outside the local network is never absolutely effective, but it can profoundly help in keeping casual access to internal resources _moderately_ proscribed. And it does so in a method that employers, and most developers, can deal with in a comprehensible way.

      > [Google's approach ] It's a better approach than VPNs. More secure, more convenient, more flexible.

      It is _expensive_, in manpower to maintain the sophisticated systems and in detailed management of the various resources. Google has internal engineers who delight in solving such technology sensitive and resource demanding issues. For most environments, it's added overhead that returns nothing concrete for ordinary use, and for which VPN is a much simpler and much lower cost system to implement.

    2. Re:Not at Google. Google has deprecated VPNs. by LordWabbit2 · · Score: 1

      My wife works for a major bank, and understandably they are rather anal retentive about security, to the point where trying to get access to a database is a three day affair involving reams of paperwork and authorizations. In a way also understandable, but as a developer who needs to connect to multiple databases (staging, QA etc.) it is a real pain in the ass. Google's approach sounds like a nightmare in comparison. I will let her know tonight that it can be way worse, it might stop her whining about it as much.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    3. Re:Not at Google. Google has deprecated VPNs. by Anonymous Coward · · Score: 0

      Sort of. That's part of why people have a VPN. The other part is to associate a specific user to a specific endpoint, not an IP, and to provide an encrypted sheath for interactions with company resources to make DNS leakages and TLS MITM attacks more difficult.

      Google's model has its place, but it's a bit shortsighted to make the leap in saying that it somehow invalidates the use of VPNs.

    4. Re:Not at Google. Google has deprecated VPNs. by swillden · · Score: 1

      > The perimeter defense model is based on the notion that it's possible to build a network that is physically secure and which contains only trusted, managed systems.

      > If I may disagree? It's based on the notion that it's possible to reduce your vulnerability, profoundly, by reducing your exposed surface and enabling some tracking of who is accessing the internal network with what privileges.

      You may disagree, but you're wrong :-)

      Perimeter defense as a defense in depth strategy is fine. In theory. In practice, it breeds an assumption that the network is "safe" in some important sense. That's the "ambient authority" to which I referred. If you can avoid that assumption and properly secure everything within the network in addition to implementing strong perimeter defense, great. If you tell me you have done this, I will laugh at you. I was a corporate security consultant for 15 years, working for Fortune 100 companies, the world's biggest banks, even militaries... and no one does this right, even when they think they do.

      The Google strategy actually does provide defense in depth for the servers. In fact, it provides *more*, because they're only reachable through the proxies. I guess in that way, Google actually does have a defensive perimeter: The data center, where both proxies and servers live, and the network is structured so that only the proxies are reachable from outside. This, arguably, actually is a secure network. It's physically isolated inside buildings with highly-restricted access.

      But your office buildings, where employees of all sorts are in and out every day, which allows even non-employees in? No network in that environment can really be considered secure. Even less if you're a large company with tens of thousands of employees. No network accessible by that many people is secure.

      And note that you don't actually need Google-scale data centers to do this. You can put proxies and servers in a room with an isolated network, and restrict physical access to the room.

      > [Google's approach ] It's a better approach than VPNs. More secure, more convenient, more flexible.

      > It is _expensive_, in manpower to maintain the sophisticated systems and in detailed management of the various resources.

      No, it's not. It's actually simpler and easier to manage. Google's corporate NETOPS team has shrunk, even as the company has tripled in size, because of just how simple it is.

      I didn't go into the authorization system much in my previous post, though, so I can see how you'd think that. It's actually very simple, and based on bog-standard LDAP: Every user has an identity. Every identity can be a member of some number of groups (which are also identities). Servers almost always have a single LDAP group as the authorized user. So, giving an employee access to a given service is as simple as adding them to the correct LDAP group.

      Services accessible by all full-time employees? They're configured to allow access by full-time-employee. Services accessible by everyone but contractors? The employee group. Services accessible by anyone? Those actually can use an "ambient authority" model; if the request can get through the proxy it is authorized... but note that no one without an LDAP entry has access. Universal user authentication is enforced.

      > For most environments, it's added overhead that returns nothing concrete for ordinary use, and for which VPN is a much simpler and much lower cost system to implement.

      Also wrong, particularly if you also end up implementing a single sign-on system in addition to the VPN.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
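    The group-based authorization model swillden sketches above (every user and group is an identity, groups can contain groups, a service names one group as its authorized principal, and "anyone" services still require a directory entry) is small enough to show as code. The block below is an added example, not Google's or anyone else's code from this thread; the directory contents, group names and service names are all constructed for illustration, and a real deployment would query LDAP instead of a dict.

```python
"""Proxy-side authorization decision for a BeyondCorp-style setup, as an
added illustration of the LDAP-group model described in the comment above.
Identities and groups live in one namespace; groups can nest; a service
lists exactly one required group, or None for "any authenticated account".
"""

from collections import deque

# Constructed directory: identity -> set of groups it is a direct member of.
# All names are hypothetical; nothing here comes from a real LDAP tree.
DIRECTORY = {
    "alice": {"eng-payments"},
    "bob": {"contractors"},
    "carol": {"full-time-employee"},
    "eng-payments": {"full-time-employee"},   # a group that is itself a member of a group
    "full-time-employee": {"employee"},
    "contractors": {"employee"},
    "employee": set(),
}

# Constructed service ACLs: service -> required group, or None for
# "anyone who can authenticate to the proxy at all".
SERVICE_ACL = {
    "payments-db": "eng-payments",
    "cafeteria-menu": "employee",
    "hr-benefits": "full-time-employee",
    "status-page": None,
}


def resolve_groups(identity, directory=DIRECTORY):
    """Transitive closure of group membership for an identity.

    Breadth-first walk with a visited set, so nested and even cyclic group
    definitions terminate. Raises KeyError for an identity the directory
    has never heard of, because an unknown principal must never be treated
    as a member of the empty group.
    """
    if identity not in directory:
        raise KeyError(f"unknown identity: {identity}")
    seen = set()
    queue = deque(directory[identity])
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(directory.get(group, set()))
    return seen


def authorize(user, service, directory=DIRECTORY, acl=SERVICE_ACL):
    """Return (allowed, reason) for a proxied request.

    Order matters: the directory lookup comes first, so an account that does
    not exist is denied even for services whose ACL is None. That is the
    "universal user authentication is enforced" property from the comment.
    """
    if user not in directory:
        return False, "no directory entry"
    if service not in acl:
        return False, "unknown service"
    required = acl[service]
    if required is None:
        return True, "authenticated; service open to all accounts"
    if required in resolve_groups(user, directory):
        return True, f"member of {required}"
    return False, f"not a member of {required}"


if __name__ == "__main__":
    for who, what in [("alice", "payments-db"), ("alice", "hr-benefits"),
                      ("bob", "hr-benefits"), ("mallory", "status-page")]:
        print(who, what, authorize(who, what))
```

    Granting access is then exactly what the comment says: add the user to the group. Nothing about the service, the proxy or the ACL table changes. The one operational caveat worth keeping in mind is that nested groups make "who can reach this service?" a graph question, so the audit tooling has to resolve membership the same way the proxy does.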
    5. Re:Not at Google. Google has deprecated VPNs. by swillden · · Score: 1

      > My wife works for a major bank, and understandably they are rather anal retentive about security, to the point where trying to get access to a database is a three day affair involving reams of paperwork and authorizations. In a way also understandable, but as a developer who needs to connect to multiple databases (staging, QA etc.) it is a real pain in the ass. Google's approach sounds like a nightmare in comparison. I will let her know tonight that it can be way worse, it might stop her whining about it as much.

      At Google it would have taken her 15 minutes to get access, all done electronically (unless regulations required ink on paper signatures). Her manager would have submitted a request to have her added to the group that has access, and forwarded that request to the appropriate authorizing people (actually, the forwarding is generally automated, but it can be done either way). Those people would have checked what they needed to check and approved. Once added to the group, the same login she uses to get to her email, etc., would get her into the database.

      And it very well may have been even easier than that. Because all access to sensitive databases (e.g. anything containing user data) is logged and the logs audited by automated systems and humans, it's often not necessary to do extensive pre-authorization. It's possible that at Google her manager could simply have given her access without any other approvals. Or if all of her manager's employees need that access, then the system might have been configured to automatically grant access to all of his/her direct reports. It depends on the nature of the data, of course. Some data requires both auditing and pre-authorization, especially when required by regulation.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:Not at Google. Google has deprecated VPNs. by Antique+Geekmeister · · Score: 1

      > Perimeter defense as a defense in depth strategy is fine. In theory. In practice, it breeds an assumption that the network is "safe" in some important sense.

      "Safer" is the operative word. A VPN is typically associated with a firewall that restricts access to certain systems or certain portions of a network through a gatekeeper. This often includes components that are relatively difficult to activate a full-blown "single sign-on" method on, or services that are far more difficult to secure individually. These may include personal laptops and IoT devices, which are notoriously difficult to secure individually or internally exposed services which may have zero-day exploits, such as the firewalls themselves. Even exposed laptops can, and will, suffer constant attack from outside if the firewall doesn't efficiently block them. Tools such as a VPN allow reducing the exposure of such components to the world at large profoundly, while still allowing offsite access when needed.

      Part of the point of the firewall, and the VPN to authorize access through it, is that there is no reason to expose the entire internal network to every source of probes in the entire Internet. If the team you work with has successfully activated a good single-sign-on configuration, then the VPN can usually provide just that same convenience. And I'm sad to say, even Macs and Linux systems have had remote access exploits that need much more than an enforced single-sign-on technology to protect from.

      >> For most environments, it's added overhead that returns nothing concrete for ordinay use, and for which VPN is a much simpler and much lower cost system to implement.

      > Also wrong, particularly if you also end up implementing a single sign-on system in addition to the VPN.

      Single sign-on, done well, reduces the pain of a VPN as well as other tools. But please do not replace one layer of security (of firewalls and VPNs) with another layer (of single sign) and say that the other has no use. Also: have you, personally, ever tried to activate and enforce a single-sign-on technology across a whole company? I have, many times in my career. It's also not cheap or a trivial task.

    7. Re:Not at Google. Google has deprecated VPNs. by swillden · · Score: 1

      > Sort of. That's part of why people have a VPN. The other part is to associate a specific user to a specific endpoint, not an IP, and to provide an encrypted sheath for interactions with company resources to make DNS leakages and TLS MITM attacks more difficult.

      (Per my sig, I don't normally read or respond to ACs. I happened to see this one, though, and it's good so I'll answer.)

      The specific endpoint in Google's model is at least as strong as that provided by a VPN. It's a per-device client-side digital certificate. On devices with a TPM, the private key is in the TPM, which attests the specific identity of the device. VPN solutions may or may not provide that level of endpoint validation.

      Regarding the encrypted sheath, TLS provides it. Regarding TLS MITM attacks, yes, you do have to make sure that the proxies are kept ahead of the latest TLS weaknesses, and to keep them configured to simply reject any clients that try to downgrade. That's not too difficult, though, since you only have a small number of them to manage. Also, I think TLS has finally stabilized.

      Regarding DNS leakage, that's a legitimate advantage of VPNs, but not a strong one for corporate use. Google doesn't actually bother to address it in most cases, but where it matters the solution is simple: put all services under one hostname, so the only information that leaks is that you're talking to the company. The fact that every request goes through a proxy makes this pretty easy, since the proxy can take responsibility for looking at the URL path prefix and routing the request to the appropriate backend. DNS leakage is a bigger issue for personal use, but there are lots of reasons to use VPNs for personal traffic (assuming you trust the VPN provider, because what you're not giving to the four different coffee shops, etc., you're concentrating for the VPN provider).

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
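    The three proxy properties swillden lists above (a per-device client certificate as the endpoint identity, TLS configured to refuse downgrade, and every service behind one hostname with the proxy routing on the URL path prefix) can be shown with the Python standard library. This is an added example, not Google's proxy code and not from anyone in the thread; the backend names, the CA file argument and the convention that the certificate's CN carries the device name are assumptions made for the illustration.

```python
"""Front-proxy building blocks, as an added illustration of the comment above:
mandatory client certificate, TLS 1.2 floor, and path-prefix routing so only
one hostname is ever visible in DNS.
"""

import posixpath
import ssl

# Constructed backend table: path prefix -> backend address.
# Hypothetical names; "/" is the catch-all.
BACKENDS = {
    "/payments": "payments-db.internal:8443",
    "/hr": "hr-benefits.internal:8443",
    "/": "status-page.internal:8443",
}


def build_server_context(ca_file=None):
    """Server-side TLS context for the proxy.

    verify_mode=CERT_REQUIRED means a client without a certificate never
    completes the handshake; minimum_version pins the floor so a client that
    only offers older protocol versions is rejected rather than downgraded.
    ca_file is the (assumed) CA that issues device certificates; None skips
    loading it so the function runs offline.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def device_id_from_cert(peercert):
    """Extract the device identity from a dict shaped like SSLSocket.getpeercert().

    Assumed convention: the client certificate's commonName is the device name.
    Returns None when there is no certificate or no CN.
    """
    if not peercert:
        return None
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def route(path):
    """Pick a backend by longest matching path prefix.

    The path is normalised first so "/payments/../hr/x" is routed as "/hr/x";
    without that step an attacker could pick the prefix the ACL sees and a
    different backend for the actual request. Matching is segment-aligned so
    "/paymentsfoo" does not match "/payments".
    """
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return None
    best = None
    for prefix, backend in BACKENDS.items():
        hit = prefix == "/" or norm == prefix or norm.startswith(prefix + "/")
        if hit and (best is None or len(prefix) > len(best[0])):
            best = (prefix, backend)
    return best[1] if best else None


def admit(peercert, path):
    """Forwarding decision: a device certificate and a routable path, or nothing."""
    device = device_id_from_cert(peercert)
    if device is None:
        return None
    backend = route(path)
    if backend is None:
        return None
    return {"device": device, "backend": backend, "path": posixpath.normpath(path)}


# Constructed peer certificate in the tuple-of-tuples shape ssl returns;
# not the product of a real handshake.
SAMPLE_CERT = {
    "subject": ((("commonName", "laptop-0042"),),
                (("organizationName", "Example Corp"),)),
    "serialNumber": "01",
}

if __name__ == "__main__":
    print(admit(SAMPLE_CERT, "/payments/query"))
    print(admit({}, "/payments/query"))
```

    The TLS context is the part that needs ongoing attention, as the comment notes: the floor is set once here, but which versions and cipher suites are acceptable is a moving target, and since the proxies are the only place it has to be kept current the work stays small. The device identity extracted here is what a VPN would otherwise supply; whether the private key behind that certificate is TPM-resident is a property of the enrollment process, not of this code.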
    8. Re:Not at Google. Google has deprecated VPNs. by swillden · · Score: 1

      All of your points are trumped by the simple fact that when people believe their network to be secure, they don't adequately secure the endpoints behind the firewall -- and that the network is never secure. And I don't mean that in a "perfectly hermetic" sense, I mean that in a practical "attackers can always get in" sense. With the exception of databases on laptops, this is the single largest root cause of leaked corporate data. The problem here is that you're talking about theory, and I'm talking about practice -- what actually happens. I've never seen a case of data theft or leakage where the post-mortem says "We needed better firewalls and a VPN". It's always "We needed better security on the database". 90% of the time, the root problem is that the database wasn't correctly configured, or wasn't patched.

      The BeyondCorp approach wasn't developed in an ivory tower as a theoretical exercise, it was developed in response to a series of internal "Orange Team" attacks, where SECOPS guys team up with other engineers to try to penetrate the systems. What they found, time and time again, year after year, is that it's always possible to get into the network, that the protection provided by the firewalls is an illusion.

      For example, in your "secure" network, do you physically disable all USB ports? Slipping a little USB dongle of some sort to an employee and getting them to plug it into their computer is a classic -- and trivial -- way of penetrating a network. One particularly humorous real-world example I saw was at a major bank, where the attacker managed to social engineer some information about employment anniversaries. He then took some off-the-shelf USB-powered plasma globes, put the bank's logo on them, stuck a microcontroller inside and shipped them to the employees on their anniversaries. Every single one of them plugged it in, and within minutes the attacker was roaming the network at will.

      And of course your "secure" network uses 802.1X authentication on every network port, right? Another classic is to get into the building and plug a small device into an open network port.

      The old standbys are the best, of course: malware delivered via email, in a PDF, etc.

      Your firewall defeats script kiddies doing portscans, and it protects you from worms. That's it. It doesn't protect you from real attackers... and the defenses that will protect you from real attackers will also protect you from kiddies and worms.

      > And I'm sad to say, even Macs and Linux systems have had remote access exploits

      Indeed they do, and that's why you really don't want to depend on a firewall. Your real defense against remote exploits is always on the machines themselves. Keep the running services to the minimal required set, keep the systems patched. Simple, but hard, tedious work. You're still vulnerable to 0days... but do you seriously think that an attacker in possession of good 0days is going to be stopped by a firewall? Not a chance. You're vulnerable to those now.

      As I said previously, there's nothing wrong with firewalls and VPNs, if you also adequately secure everything behind the firewall. Firewalls provide a very minor, though real, defense in depth. My workstation is behind a stateful firewall, as required by corporate security policy for remote workstations. But the working assumption is that my workstation is sitting on the open Internet, and managed accordingly. For that matter, Google's corporate network is firewalled. But again, the assumption is that any attacker who wants to can get on the network.

      > Also: have you, personally, ever tried to activate and enforce a single-sign-on technology across a whole company? I have, many times in my career. It's also not cheap or a trivial task.

      Yes, I've done several such projects, most with the added complication of smart cards. But while SSO has security benefits, its primary value is not security, so you're going to end up doing it anyway.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  22. Security services respond? by AHuxley · · Score: 1

    With all the interesting workers and the private sector embracing VPN products and services?
    XKeyscore https://en.wikipedia.org/wiki/... to find the user. A Turbulence like project to get into the users systems. https://en.wikipedia.org/wiki/...
    NSA’s automated hacking engine offers hands-free pwning of the world (3/13/2014)
    https://arstechnica.com/inform...
    ..VPN connections by inserting an implant on routers that break VPNs’ key exchange process, opening virtually any VPN to direct surveillance."

    --
    Domestic spying is now "Benign Information Gathering"
  23. I dumped VPN by acoustix · · Score: 1

    I dumped VPN at my company in favor of virtual desktops (vmware view). It is much safer, I don't have to worry about "dirty" outside computers connecting to the network. Instead, employees get the same desktop every time, the same resources every time. It's generally safer. The employees love it because it's generally much faster.

    It's one of the few win-win scenarios in I.T. for mobile workers.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
  24. OK... by newbie_fantod · · Score: 1

    So privacy isn't really dead?

  25. How I by kristofer.vesi · · Score: 1

    I have a pro of "unnamed" (don't want to advertise it) for life, since I got some deal off somewhere. I can't really use it daily, since my home internet connection isn't on a good level (sad), but I use it pretty much always on my laptop, when on mobile wifi or some free wifi spot. It sometimes even skips the "view this ad for 30s, then you can use wifi" step. Also tunneling to a different location to access something is good, since for example most channels like Nat Geo have websites where you can view exclusives that are inaccessible to outsiders; I get a region block. Since I can't in any way sign up for that website, I must tunnel.

  26. Using VPN by Anonymous Coward · · Score: 0

    and not using tor and MAKING FREEDOM HAPPEN. What a world we live in.