There are many ways to practice security online. Some of those ways are by using secure tunnels of communication like proxies, reverse proxies, and VPNs. Not only is it a good idea to use these methods when utilizing public internet but also in your home or trusted networks.
No, not necessarily. It really depends on what you are doing and the reasoning behind using it. VPNs offer encrypted internet traffic for you as the user, making your communications secure. This is a highly utilized technology, especially in government agencies, military branches, and organizations.
Proxies work differently and don’t provide all of the features that VPNs provide. They act as a filter or firewall between the end-user and the web page or application. There are forward and reverse proxies.
The vast number of online threats motivates individuals to seek additional security measures to protect their data online. There are several things a user can do to protect their network traffic. Two very popular techniques are to use a VPN and/or a proxy server.
As we will see later in this article, these technologies work in very different ways. I will compare, contrast, and highlight the pros/cons of each. In addition, I will give you reasons to use them. Remember, there is no foolproof way to protect yourself, but these methods are certainly effective…
What’s a proxy server?
A proxy server essentially acts as an intermediary third-party device that receives the client’s web requests, masks the source IP address, and caches websites and other information, making revisits to those sites quicker. In addition, it can provide anonymity by hiding your machine’s public IP address.
There are two types of proxy servers…
- Forward Proxy
This proxy works by receiving a client request, for a web page for example. Once that request is received, it forwards it to the web server and then communicates the response back to you (the user). A forward proxy is more focused on traffic going out from the end user to the web server, whereas a reverse proxy pays more attention to traffic coming into your network.
A forward proxy can:
- Block employees or groups from visiting certain websites
- Monitor network activity
- Block malicious traffic from reaching internal resources
- Increase web page loading speed by caching sites
A proxy doesn’t damage anything, so the risk of using one is pretty low. There are free and paid proxies; of course the quality might differ between these, so use good judgment and research them.
- Reverse Proxy
A reverse proxy uses load balancing and web acceleration in between the client and the server. It relies on a TCP three-way handshake to establish a connection. A reverse proxy service sits on your network’s edge just like a forward proxy; however the functions differ.
Reverse proxies can mitigate malicious traffic and DDoS attacks, and they work really well with web application firewalls (WAFs). Another cool feature of reverse proxies is load balancing; this distributes traffic loads, providing high availability and fast speeds.
- Help stop DDoS attacks
- Mitigate malicious traffic from entering the internal network
- Act as a packet filtering firewall of sorts
- Cache web content for faster retrieval later
Both types of proxies are essentially an additional layer of security and highly recommended for organizations. Having another security measure in place for internal/web protections will only help protect data. However, you shouldn’t rely on proxies by themselves for overall protection.
A VPN, on the other hand, works a little differently…
How does a virtual private network (VPN) work?
A VPN works by routing your public IP address to multiple IP endpoints before finally reaching the intended destination, usually a web address. The purpose of a VPN is to keep your network traffic encrypted during transmission and receipt by bouncing off several endpoints and changing the IP address.
A good analogy to use is this: I send a letter to my friend with our addresses on it, but instead of going directly to my friend’s house, it stops at someone else’s house and my address is removed and replaced by the next house’s address. This happens several more times until it reaches my friend’s house. He knows it’s me when he opens the letter, but he doesn’t know my address where the communication started originally.
Organizations, government agencies, military branches, and individuals use VPNs for security and privacy. They are very effective, especially when using free public Wi-Fi in hotels or coffee shops. I wrote an article about Wi-Fi security in which I discussed VPNs in public places.
There are several reasons to use a VPN, especially in an unfamiliar place. You wouldn’t want to leak your banking login credentials, public IP address, or any other identifying or sensitive data. Public Wi-Fi locations are watering holes for black hat hackers.
VPNs work by using VPN protocols. There are several, and they work differently.
The Point-to-Point Tunneling Protocol (PPTP) is the oldest VPN protocol and it is also the weakest in encryption strength. This is not the recommended protocol to use as it is very insecure. A lot of VPNs don’t support PPTP anymore because it is so dated.
Layer 2 tunneling protocol/Internet Protocol Security is one of the most secure protocols to use hands-down. The data link layer of the OSI model or Layer 2 is where this protocol is deployed. There are two parts to this protocol, L2TP and IPSec. We will go over each one…
Alone, L2TP doesn’t provide any authentication or encryption measures. Encryption is the point of a VPN, so L2TP is used along with IPSec for the encryption part of it. The acronym just states that it is a tunneling protocol that sits on layer 2, the tunnel being the encrypted tunnel of traffic between start and end points.
L2TP, however, doesn’t provide encryption, so it must be paired with an authentication measure such as IPSec, which is the most common.
IPSec is the security feature that is most commonly paired with L2TP. It provides three main areas of security: an authentication header (AH), encapsulating security payload (ESP), and internet key exchange (IKE).
The authentication header acts as an integrity verifier. If a network packet was modified in transit then it has lost its integrity. If it loses integrity then it could’ve been intercepted, replayed, or modified with malicious code.
The AH uses hashing algorithms to verify integrity (more on hashes and encryption in a later article!). The AH also provides authentication and anti-replay features! It is important to note that authentication is NOT the same as encryption…
Authentication verifies that you are who you say you are, in this case, it is a sender and receiver that need authentication. The authentication verifies the data is being sent from a known entity. Encryption is the “locking” of data so it isn’t a plain text message. The decryption of said data is performed using the key exchange.
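To make the integrity, authentication, and anti-replay ideas concrete, here is an added example (not from the original article, and not the real AH wire format). It is a sketch that assumes a constructed shared key, HMAC-SHA256 as the keyed hash, and a 64-packet replay window; the names `protect`, `Receiver`, and `demo` are hypothetical.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed value; in IPSec the key comes from IKE
WINDOW = 64                    # assumed anti-replay window size for this sketch
ICV_LEN = 32                   # HMAC-SHA256 output length in bytes

def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: sequence number + payload + keyed hash over both."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + icv

class Receiver:
    """Receiver side: verify the keyed hash first, then reject replays."""
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.seen = set()  # accepted sequence numbers still inside the window

    def accept(self, packet: bytes) -> str:
        if len(packet) < 4 + ICV_LEN:
            return "malformed"
        header, payload, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison: any modified bit or wrong key fails here.
        if not hmac.compare_digest(icv, expected):
            return "integrity-fail"
        seq = struct.unpack("!I", header)[0]
        # A duplicate, or a packet older than the window, counts as a replay.
        if seq in self.seen or seq + WINDOW <= self.highest:
            return "replay"
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + WINDOW > self.highest}
        return "ok"

def demo():
    rx = Receiver()
    p1 = protect(1, b"transfer 10 to alice")  # constructed sample message
    tampered = p1[:4] + b"transfer 99 to alice" + p1[-ICV_LEN:]
    # Last item: the payload is readable on the wire (authenticated, not encrypted).
    return [rx.accept(p1), rx.accept(p1), rx.accept(tampered), b"alice" in p1]

if __name__ == "__main__":
    print(demo())
```

The last result shows the point of the paragraph above: the packet is authenticated and tamper-evident, yet its contents are still plain text until encryption is added.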
The encapsulating security payload provides the encryption for the IP header and payload for every packet. It doesn’t always have to be configured to be used with the AH; it can be used by itself. There are two modes for ESP, tunnel and transport.
Transport mode doesn’t provide encryption OR authentication to the IP header. This can lead to IP address capturing during transport, which can be a security risk. Tunnel mode, however, encrypts the whole packet, making this the most secure mode generally.
Internet key exchange (IKE) is essential for encrypting and decrypting the network traffic. The types of key exchange used in IKE are pre-shared keys, RSA signatures, and RSA nonces.
- Pre-shared keys (PSK)
This is a hashed password that is pre-shared between devices. The hash is a value that is received upon encrypting the plain-text password. This is very secure but not foolproof (more on password/hashing attacks later).
- RSA signatures
These involve RSA certificates from a CA or certificate authority. The RSA signatures provide non-repudiation. This means that your signed certificate prevents you from denying that you in fact signed it. It is a way of proving that you are who you say you are.
- RSA Nonces
A nonce, or “number only used once,” is a secured number that is generated by both parties. It is then encrypted with each of their public keys and then decrypted with their private keys. This method can be compared to PKI or public-key cryptography in which key pairs are generated.
The Secure Socket Tunneling Protocol (SSTP) is owned by Microsoft and used for VPN tunneling. This protocol offers 256-bit AES encryption, making it very secure. This protocol provides encrypted traffic by default, unlike PPTP.
A lot of people don’t like it, however, because it is Microsoft proprietary, meaning that your traffic may be monitored or logged by the company. I don’t relish the idea of that personally…
Internet key exchange version 2 works by using keys for authentication between the client and VPN server. A symmetric key is generated for both parties and the protocol uses UDP port 500. X.509 certificates are also used for authentication.
OpenVPN encrypts and authenticates by default, can use UDP or TCP for transmissions, and uses 256-bit AES encryption. This protocol also allows for plugin and script support. It is also able to avoid firewalls and provide obfuscation from ISPs.
OpenVPN is compatible with multiple OSes including Linux and Android. There are people who think VPNs are for anonymity, but this isn’t completely accurate. Yes, VPNs provide security and privacy, but your starting point IP address still has to connect to the VPN service, so now that service has your starting IP.
If the VPN is HQ’d in the U.S.A. or another country with loose privacy/data log policies, then there is a chance that the VPN provider can be subpoenaed to relinquish traffic logs. Not very anonymous, is it?
There are options for you that do provide anonymous internet activity such as the TAILS operating system, TOR browser, WHONIX operating system, and SubGraph operating system just to name a few. Anonymity online is another subject I will be writing about in the future, that will be a long article!
Which technology is better for privacy and security?
Well, the choice that provides both, and does it very well, is a VPN. VPNs allow for very good security due to the secure tunnels between client and server. They encrypt data in transit and make it extremely difficult to detect the client’s IP address because of the constant endpoint hopping.
Because the connections are encrypted, you are safe from various online attacks like DDoS, DoS, credential stealing, man-in-the-middle (MITM) attacks, and others. Another feature is being able to hide your internet traffic and what you are doing online from prying eyes.
You can also get around geo-blocking and country restrictions on websites. Using a VPN allows you to visit websites and domains that would’ve otherwise been blocked due to country internet policies.
This diagram shows the user initiating a connection with the VPN server; it then travels to several endpoints each time changing the IP address, before finally ending up at the web server the user is trying to connect with. In this case it’s amazon.com. Then the amazon server sends data back to the user.
A major concern for users is malware protection…
Am I completely protected from malware if I use a VPN/Proxy?
No, you are not. Malware can and will still install on your system if you click on a phishing link or ad. Remember, humans are the weakest link in cyber security. Cyber best practice must still be used and exercised regularly. Malware is still getting onto systems because users keep making the same mistakes.
It is important to note that anti-virus/anti-malware and intrusion protection systems (IPS) can prevent malware from reaching the end user, NOT VPNs or proxies. A user shouldn’t rely on just a VPN and/or proxy for protection but should use anti-virus and best practice as well.
To summarize, VPNs and proxies offer a level of security for internet users. The two types of proxies are used for different reasons although they are similar. They are used in corporate environments and by people who wish to hide their actions online, to name a few.
Proxies are NOT as good at keeping you anonymous, though, as your public IP address can eventually be found. If you wanted semi-anonymous browsing, privacy, and security, you would opt for a VPN. There are paid and free ones, with the paid ones providing the best tech support and quality.
Beware of free VPNs because there are many that have built-in malware. Within the VPN software there are several types of protocols to use. You must decide which protocol you are the most comfortable with setting up, managing, and connecting to.
Some other things to pay attention to when choosing a VPN are the protocols supported, the number of available servers and in what countries, the traffic logging policy, and usability. These are important in their own way. If you aren’t tech savvy, you would probably want to pick a VPN that uses the OpenVPN protocol because it has a great track record for security and is easy to set up on Windows, which is what most users will be using.
Choosing a VPN with a large selection of servers allows for many options if some were to go down for maintenance or you have other connectivity issues. In addition, choosing a server in a certain location may affect your browsing speed.
For people who are trying to get around geo locks or country internet policies, VPNs are great for working around those measures. The logging policy should be taken with a grain of salt. Yes, a VPN may state that they have a strict no-logs policy, but this doesn’t necessarily mean that you are absolutely safe from authorities confiscating your traffic logs.
This would depend on the level of cooperation that the VPN provider is willing to provide to authorities in investigation situations. If the logs are stored on a server in a country that values privacy, like Sweden, then you are generally pretty safe from log audits. One thing to research is which VPNs have been audited by third parties for strict no-logging policies.
This can tell you a lot about how serious that VPN provider is about their logging policy. The usability of a VPN can affect your choice of VPN provider. I would recommend watching tutorials on different types of VPNs, mobile application support, and pricing.
Utilizing multiple security measures in your everyday browsing like VPNs, proxies, safe internet practices, two-factor authentication (2FA), strong passwords, and overall awareness will keep you safe online. Keeping your systems, applications, anti-virus, and browsers updated is another area to stay vigilant on.
I hope you enjoyed this article on proxies and VPNs. Stay safe, and stay secure!