Managing Commercial VPN use
Commercial Virtual Private Networks (VPNs) are marketed as the must-have ‘security’ product for users, with language like ‘Nobody can see through the tunnel and get their hands on your internet data’, ‘peace of mind each time you use public Wifi, access personal and work accounts on the road, or want to keep your browsing history to yourself’, ‘Protect your sensitive data and money’, ‘Shop online securely’ and ‘prevent snooping’.
Nearly every antivirus vendor now includes a VPN as standard or offers optional add-on VPN modules or services.
Browser vendors are following suit, including VPNs as an optional source of revenue or via browser extensions.
All told, there are now hundreds of commercial VPN vendors and hundreds more ‘VPN apps’ in the App Store[1] and Google Play™ store[2].
The VPN market is now mature enough that some VPN organisations provide ‘white label’ VPN infrastructure and open source client applications. Anyone can now set up a website with a few clicks, customise the open source applications from GitHub and be in the ‘VPN business’ within days. These offerings often include many obfuscation techniques to bypass firewalls and content controls by default.
Similarly, a user can publish a VPN app on an app store and offer ‘in-app’ purchases for subscriptions. Many apps published this way do not even have a website or web presence and are almost anonymous to end users: they rely on Apple[3] / Google for the hosting and payment infrastructure, and on social media pages and similar forums for user groups and support.
There is also a total lack of enforceable age restrictions on these applications. Children of all ages can and do install and use VPNs, often taking the free option, which may provide free VPN bandwidth in exchange for viewing advertising content.
Some CDN providers are getting into the VPN business directly or indirectly, leasing IP addresses, edge servers or network capacity to commercial VPN providers as they seek to maximise the profitability of the Internet resources they control.
The commercial VPN market is experiencing a massive growth rate, with the largest providers now reporting millions of customers and operating many thousands of servers around the globe. There are over a hundred significant commercial VPN vendors and app store VPN app providers, most of which provide cross-platform support.
The real reasons most people use commercial VPNs:
Leaving aside the legitimate business uses for VPNs, the reality is that commercial VPNs offer little or no incremental security for users, and genuine privacy enhancements are few and far between. Most sensitive application traffic, online banking for example, is already properly encrypted by the application and network protocols; a commercial VPN adds nothing to this.
Scratch the surface and the messaging quickly moves away from security to how to unblock one or other geographically restricted service.
Indeed, commercial VPN users’ objectives in using a VPN are seldom security, but rather one or more of the following:
- To circumvent locally enforced content controls: business firewalls, school firewalls, broadband and mobile service provider parental restrictions, etc.
- To make the user appear to be in a different country in order to circumvent geo-based content controls, TV and video content being the prime motivators.
- Obfuscation of illegal activity, ranging from the most serious criminal activities through to torrenting / illegal downloading of copyrighted content and the avoidance of taxes. Most commercial VPNs advertise a no-logging policy and many claim DMCA-free hosting.
What about Privacy?
Commercial Virtual Private Networks (VPNs) make a big privacy play, sometimes questionably, sometimes more genuinely.
No one should argue that anyone’s real privacy should be negatively impacted, rights and freedoms breached, the security of applications or transactions compromised, or freedom of speech and other rights impacted by controlling commercial VPN use and content availability within organisations, schools and colleges. Privacy legislation actively supports this position: privacy is a fundamental right, but it is NOT an absolute right.
Clearly there are cases where freedom of speech and access to learning and information, as enshrined in accepted conventions and treaties, must take priority, but nowhere does this conflict with the legal obligations to safeguard children, to protect digital and other rights including copyright, or to allow organisations to protect their productivity and intellectual property.
There are many reasons organisations should not, or must not, allow the use of commercial VPNs in their infrastructure.
Commercial VPN use by children or staff on personal devices in schools or other supervised environments is clearly incompatible with legal safeguarding requirements.
Personal use of commercial VPNs in a business environment adds risk on a number of fronts. Detection and enforcement of rules prohibiting such use is part of the ‘adequate technical controls’ required by many standards and, in many cases, by law.
Content rights holders must be able to protect their rights over how their content is accessed, and organisations need to protect themselves against illegal use of their networks.
A VPN ‘masks’ activity the organisation prohibits by circumventing DNS, proxy and firewall content controls.
In many cases these controls are a statutory requirement, for example for the safeguarding of children.
Even the most advanced modern application-aware firewalls cannot effectively block most commercial VPN traffic. VPN vendors go to extraordinary lengths to obfuscate their traffic, for example making encrypted HTTPS connections appear to the firewall like Wikipedia, social media or Google network traffic.
This frustrates an organisation’s efforts to enforce its controls and objectives and gives users access to services the organisation may not wish to permit, social media for example. It also broadens the attack surface: the tunnel provides a clear path through which data can easily be exfiltrated using file sharing services, and an undetected path for infiltration of malware or ransomware and for exfiltration of intellectual property or personal data.
Commercial VPN providers go to extreme lengths to enable their customers to access their services and to avoid detection and blocking; it is critical to their business.
Many VPN providers use multiple protocols, ports and obfuscation techniques to avoid detection and blocking. The days of blocking a few ports, protocols and application definitions to control VPN access are long gone. Even top-of-the-range ‘application aware’ firewalls have lost this game: the vast majority of VPN traffic is classified as ‘SSL’ or ‘Unknown SSL’, with only limited coverage of some commercial VPN traffic, so they are largely ineffective at blocking it. SSL/TLS decryption on firewalls or other specialist services has also not solved the problem, for a variety of complex reasons.
They also go to great lengths to make sure that their customers can access the content, media, etc. they desire through their service. Many VPN companies each ‘own’ many thousands of IP addresses, and others move their servers around hosted / virtual server IP space very dynamically.
Their VPN servers and applications may be unpatched and vulnerable, add extra hops and latency, and give traffic additional exposure to snooping as it traverses the Internet.
Organisations should prevent commercial VPN or other VPN application installation on devices they own by Group Policy or other MDM controls.
Our products:
- We provide dynamic lists of IP address and domain data for deployment on firewalls, DNS servers and other infrastructure to block access to commercial VPNs.
- We provide dynamic lists of IP address data to identify the source IP addresses of commercial VPN providers.
- We provide dynamic lists of data to detect and block other applications and services, block TOR, and proxy services.
- We process firewall and other logs to detect commercial VPN, Tor, proxy and other anomalous use.
- We provide information to assist organisations in adopting and implementing clear policies on blocking undesirable applications and technologies, and help their infrastructure apply those policy rules more effectively using our data services.
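The blocklist-plus-log-processing approach described in the product list above, as an added worked example (this is illustrative code written for this page, not the company’s product, feed format or data). It assumes a dynamic feed that is a plain text list of CIDRs, single IPs and domains with ‘#’ comments, and firewall / DNS logs in a simple key=value style; the feed entries and log lines are constructed samples using RFC 5737 documentation addresses and the reserved ‘.invalid’ TLD. Domain matching covers subdomains and a trailing dot on the query name, since DNS logs often record fully qualified names.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample feed (assumed format: one entry per line, '#' comments).
# Addresses are RFC 5737 documentation ranges; domains use the reserved .invalid TLD.
BLOCKLIST_FEED = """\
# commercial-vpn egress ranges (constructed sample)
203.0.113.0/24
198.51.100.42
# commercial-vpn domains (constructed sample)
vpn-example.invalid
api.whitelabel-vpn.invalid
"""

# Constructed sample log lines (assumed key=value format, not a real vendor's).
SAMPLE_LOGS = [
    "2024-01-01T09:00:01Z fw src=10.0.0.5 dst=203.0.113.17 dport=443 proto=tcp action=allow",
    "2024-01-01T09:00:02Z fw src=10.0.0.6 dst=192.0.2.80 dport=443 proto=tcp action=allow",
    "2024-01-01T09:00:03Z dns client=10.0.0.7 query=gw3.vpn-example.invalid. type=A",
    "2024-01-01T09:00:04Z dns client=10.0.0.6 query=intranet.corp.invalid type=A",
    "2024-01-01T09:00:05Z fw src=10.0.0.8 dst=198.51.100.42 dport=1194 proto=udp action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Blocklist:
    networks: list   # ipaddress.IPv4Network / IPv6Network objects
    domains: set     # lower-cased domain names without trailing dot

    @classmethod
    def parse(cls, text):
        """Split a feed into IP networks and domains; anything that is not an
        IP or CIDR is treated as a domain."""
        nets, doms = [], set()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            try:
                nets.append(ipaddress.ip_network(line, strict=False))
            except ValueError:
                doms.add(line.lower().rstrip("."))
        return cls(nets, doms)

    def match_ip(self, ip):
        """Return the listed network containing ip, or None."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        for net in self.networks:
            if addr in net:
                return str(net)
        return None

    def match_domain(self, name):
        """Return the listed domain that name equals or is a subdomain of, or None."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


def parse_kv(line):
    """Extract key=value fields from a log line into a dict."""
    return dict(KV_RE.findall(line))


def scan_logs(blocklist, lines):
    """Flag firewall destinations and DNS queries that hit the blocklist."""
    findings = []
    for line in lines:
        fields = parse_kv(line)
        if "dst" in fields:
            hit = blocklist.match_ip(fields["dst"])
            if hit:
                findings.append({"kind": "vpn_ip", "client": fields.get("src"),
                                 "indicator": fields["dst"], "matched": hit})
        if "query" in fields:
            hit = blocklist.match_domain(fields["query"])
            if hit:
                findings.append({"kind": "vpn_domain", "client": fields.get("client"),
                                 "indicator": fields["query"], "matched": hit})
    return findings


def summarise(findings):
    """Count findings per internal client address, for follow-up by the admin."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    bl = Blocklist.parse(BLOCKLIST_FEED)
    for f in scan_logs(bl, SAMPLE_LOGS):
        print(f"{f['kind']}: client {f['client']} -> {f['indicator']} (matched {f['matched']})")
    print("per-client totals:", summarise(scan_logs(bl, SAMPLE_LOGS)))
```

The same parsed list can feed a firewall address group or a DNS response policy zone for blocking; the log scan is the complementary detection step that shows which internal clients were already reaching listed infrastructure before the block was in place.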
[1] Apple and ‘App Store’ are trademarks of Apple Inc., registered in the U.S. and other countries and regions.
[2] Google and Google Play Store are trademarks of Google LLC, registered in the U.S. and other countries and regions.
[3] Apple is a trademark of Apple Inc., registered in the U.S. and other countries and regions.