Recently, we were requested to review an internal client document regarding their VPN use policy. Per their internal company policy, they recommended all their employees use a VPN product when working from home since they're an entirely distributed workforce. Nord VPN was their recommended product.
I was confused by this recommendation, so I asked for clarification as to why. It turns out, it was a previous technical consultant who swore by the use of VPN to obfuscate his own IP. This advice was passed onto the company, and lo-and-behold, it became an internal company policy.
As companies are shifting to what looks to be a long-term working from home regime, I would like to help clarify what VPN is, what Nord VPN (or similar VPN product) does, and why it is, or isn't appropriate for your use case.
*Note that we didn't intend to single out Nord VPN. It just happens to be a very popular choice and a very well known choice for IP Anonymizer. But these products are very similar in nature.
What the heck is VPN?
First of all, I think everyone is familiar with the word "VPN", but what is it really? If you're not in the technology field, chances are you've heard your IT people throw this word around. VPN stands for Virtual Private Network. OK, that's nice...
If you've ever had an office job, think back to your office. It had its walls, desks, and computers. These computers were connected to your internal network - or Intranet, and probably also the external network - or Internet. Your office intranet, is secured, and private. Your IT people work to harden the security around this intranet to keep it private by using technology like Network Firewalls, Secure Gateways etc. This is very similar to you keeping your home private. You may have fences, gates, walls, and doors.
Let's think back to your office. Let's say your company had two office locations. Each office would've had their own internal (private) network. But how do you let the two offices connect together? Back in the day, these offices would've been connected via a dedicated private network link. Think of the childhood game of telephone. Where you had two cans, connected via a string. The two cans are the offices, and the string is the private link. There are no other cans connected to this private link. This is the PN (private network) of the VPN. So what is V?
With the advent of the internet, it was no longer necessary to connect your own dedicated line. You are already connected to the internet, and so is the other office. The problem is, the internet is public. So how do we get these two offices communicating in this internet space, privately? The answer: "virtual" private networks. Virtual Private Network is essentially a secure tunnel that only you have the keys to, that traverses this internet space.
Think back again to the telephone game. Instead of you and your friend talking through cans and a line, you're now talking to each other using megaphones. Everyone around can hear your conversation. This is akin to traffic on the internet. It's not private - everyone can hear it. Now, you and your friend probably don't much care for people listening in on your private conversations, so you make up your own private language that only you two can understand. This is basically, encryption. You can now still talk over megaphones to each other, everyone can still hear your conversation, but only you two can understand it. This coded language, or encrypted communication, made a public conversation, private. This communication channel, is your Virtual Private Network. It's "virtual", because it's not "actually" a private communication channel.
Flavours of VPN
There are many flavours of the VPN. The example above, where we connected two office is what is called a Site to Site VPN.
When someone works from home, and needs to access the office network, you generally use something called a Point to Site VPN. The "point" is your single computer and the "site" is your office.
What about Nord VPN?
Nord VPN, is technically a VPN. But calling it that, is confusing. Nord VPN and other VPN products like it, are technically IP anonymizers. It doesn't connect you to your office, or help you secure your corporate data.
When you establish a virtual private connection with an IP anonymizer like Nord, you are creating a private connection to Nord. You are not creating a private connection to the internet.
Huh? Confused still? Let's use the megaphone analogy again. You're still on your megaphone, but you have now established a private language between yourself and your good neighbour Nord. You speak in your coded language, and no one understands you. Now Nord turns around and translates everything verbatim back to comprehensible English, and tells it to everyone. To anyone who heard the message, it came from Nord, and not you. So your communication is no longer private, the only benefit is that no one knew it came from you. How secure your communication is in this case is highly dependent on your original message.
For example:
if you had told Nord, "I like turkey", Nord will repeat "I like turkey" to the world. As far as the world is concerned, Nord really likes turkey, and has nothing to do with you.
if you had told Nord, "Sijia Wang likes turkey", Nord will repeat "Sijia Wang likes turkey" to the world. Now everyone knows Sijia really likes turkey.
How does Nord VPN help me communicate privately when working from home?
The simple answer? It doesn't. It doesn't at all. Which is why I was extremely confused when the internal company policy told their employees to use Nord VPN. These IP anonymizers do not provide you with a private and secure connection to your office network, or to your corporate data.
To secure your internal office communication, you need to rely on a corporate VPN, set up and configured by your internal IT people. These corporate VPNs give you a secure tunnel from your point of connection into the office directly, so your coded message is only between you and your office.
Doesn't Nord VPN increase my security as an extra layer of defense?
In theory, maybe. If, for example, you didn't want your office (or your boss) to know it was you who is doing the work. Most self-respecting IT folks are going to look at your office communication traffic and wonder why there is a connection from Germany as opposed to your home in Vancouver. Likely, your IT people will have a policy in place that blocks these types of connections as they are suspicious and out of character.
In my opinion, this is not the purpose, nor an appropriate use case for IP Anonymizers.
When should I use Nord VPN or an IP Anonymizer?
That really depends, because at the end of the day, Nord knows you. Your ISP knows you. Nord VPN may be really helpful if you're trying to watch Netflix programming from another country (which is against their Terms of Service) or bypassing the Great Chinese Firewall, but really, it has no purpose in your Work From Home considerations.
When is it a good idea to use an IP Anonymizer?
Well, according to Nord itself:
People don’t like to be tracked and watched – that’s the main reason why they use a VPN.
When you’re browsing through a VPN, your traffic is encrypted. No one can see what you do online, nor interfere in any way.
A VPN also allows you to bypass internet censorship. When you connect to remote servers, you can easily access the global internet.
So what does that mean to you? If you are working in a public location, using public WiFi, the simple answer is that it's a good idea to use an IP Anonymizer.
However, if you already connect to your office through their corporate VPN, then you don't need anything else. If that's not you, then it becomes an "it depends"; some of your internet traffic is already encrypted by default and some is not. So when using public WiFi, better safe than sorry and use an IP Anonymizer to ensure all your traffic is encrypted... but it really only protects you from the folks sitting at the same public WiFi, be it Starbucks or the airport. Once your communication traffic hits the internet, you are no longer protected.
For example: if you connect to an airport WiFi, and a hacker is sitting next to you connected to the same public WiFi, without an Anonymizer, the hacker can sniff all your traffic: what you're browsing, what you're sending, all of it. If you connect via an Anonymizer, your traffic is now protected. The hacker is now effectively on a separate network than you and he can no longer see what you're doing. However, if you send your credit card information via plain text email, that email is still vulnerable from all the other hackers on the internet.
You can also easily prevent situations like this by using the secured hotspot feature on your phone. In this case, you're on your own network anyway, and no one is on there sniffing your traffic.
But my office didn't give me a VPN
This may be a security oversight, but it is more than likely completely by design. These days, a lot of company data is in the Cloud. Whether it's Google (GSuite) or Microsoft (O365), your data is secured behind your GSuite or O365 login. This login authenticates you, and allows you access into the data. Which is why your IT department may be harping on you to protect your password, and should be implementing Two-Factor Authentication to ensure your login is protected.
Final word
IP Anonymizers do not help protect your corporate data or office communications. It serves to obfuscate the origin of the communication only and is not usually appropriate in the average WFH use cases. When in doubt, check with your company IT folks.
Did you find this article helpful? Like and share this article. Do you have further questions regarding VPN or other technology to help security to your corporate data in the long term? Let's chat!