Network Security for Attorneys: VPN Tunnels

I ran across Ernie the Attorney’s post about mobility and security a while back, and some of the comments talked about using a VPN for network security outside the office. But they assumed you know what a VPN is and what it’s for.

VPN stands for Virtual Private Network and refers to a family of technologies that work together to connect two or more remote computers to one another as if they were attached to the same physical network. Usually the connection is encrypted and provides other security features to verify the identities of the computers involved.

But what’s that mean for you? As used by most mobile attorneys, a VPN will let an internet-connected mobile user connect to his office network and use its resources as if here were physically connected to it. For example, if you set up a VPN connection to your office network from a public airport wifi network, you can use the networked printer in your office or connect to the fileserver stashed in your wiring closet as if you were there.

Properly set up, a VPN can also help you protect sensitive data and conceal your online activity when you use unencrypted public wireless networks. In addition to using network resources like your office printer, you can also use your office’s internet connection, making it appear to the outside world that all the surfing and emailing you do outside the office originates from the office.

Let’s take an example.┬áSay you’re sitting in a coffee shop enjoying a day away from the office. But you need to get some work done, so you open your laptop and join the shop’s wireless network. Normally, your online activities would be visible to anyone else using the wireless network who cares to snoop: which youtube videos you watch, what you say to clients and colleagues on AOL Instant Messenger, and whatever lands in your email client’s inbox.

Instead, you fire up your VPN connection to your office network. Your computer creates a secure, encrypted tunnel between your computer and the VPN server in your office. The server then handles all your laptop’s network traffic and directs it as if you were on the office network. So, when you click a link, your laptop contacts the VPN server, which puts the request for the linked webpage on the office network, it gets handled in the usual way, and the webpage shows up on your screen.

With the VPN in place, the only traffic visible to other people on the coffee shop’s wireless network is the stream of data between you and the VPN server. But that stream is encrypted, so all eavesdroppers see is gobbledegook. Your data is exactly as secure as if you were using the remote network directly.

A properly configured VPN setup is nearly invisible to the user and provides you with good security. But there is a downside. You (or your IT staff, if you have one) have to set it up and maintain it when it breaks or needs upgrading. You will also need the right hardware on your local network to make the magic happen.

For travelers who don’t want to set up and maintain their own equipment, there are subscription-based services that provide a VPN service for a monthly or annual fee. I haven’t used any of them, so I don’t know whether any service is good or not. But keep in mind that all your network activity that goes through the paid VPN will be visible to the service provider, so only use the service if you trust the provider to protect it.

And that brings me to my final point. A VPN does a lot of things, but it doesn’t make your traffic any more secure on the remote network or once it leaves that network and heads out onto the internet at large. So if your office network is insecure or compromised, once your data gets there, it’s vulnerable because the encryption comes off at the door. Further, once your traffic leaves the office network, it’s on the public internet and no longer secure unless you take other measures (e.g., encrypted email, SSL connections to websites, etc.).

But that’s a topic for another post.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>