When I bought my laptop last year, I wanted to ensure I was secure and looked at getting a VPN or a firewall to provide protection. I wasn’t too sure at the time which one I needed or whether I needed both of them to be secure.
What do VPNs do that firewalls cannot do? The main difference between VPNs and firewalls is VPNs provide privacy protection by ensuring connections cannot be snooped upon or tracked, and firewalls provide access control protection, limiting access only to allowed connections and blocking all other connections.
Both firewalls and VPNs have their merits based on the functionality they provide and in the rest of this article, I’m going to look at the differences between them and how they should be used to complement each other.
VPNs protect data from snooping and eavesdropping
VPNs allow data to travel securely across an encrypted link from the VPN client software on the user’s device to the VPN server (check out my latest list of VPNs). Anyone eavesdropping on this communication between the VPN client software and the VPN server will not be able to see what information is being sent, as they will only see encrypted data.
Firewalls don’t do this as they are only involved in controlling access, so any data that needs to travel securely out of the firewall must first be encrypted by some other means, as is the case when secure communications are made using HTTPS connections where data travels using TLS over a secure channel created between the website and the web server it’s connecting to.
Many VPNs use strong encryption standards to ensure the encrypted data cannot be decrypted by unauthorized parties.
VPN provide anonymous protection
VPNs have options to protect the identity of the people using the VPN through various anonymizing services such as masking the real IP addresses with its own batch of IP addresses.
Firewalls can’t do this as readily as VPNs the source IP address, that is the IP address of where the connection is being made from is easily determined at the destination.
So, a user connecting from a university computer at Aston University in Birmingham, to a website hosted in California in the US will give away the IP address details of their university to the website in California, from where a simple reverse lookup can easily see a connection was made from the University of Aston in Birmingham.
Making the same connection from the same computer but this time using a VPN, the only IP address the website in California will be able to determine is the address of the VPN server the user connected to. So, if they used a VPN server in London as their VPN connection point, then the website in California will only see the IP address assigned to this VPN server.
A VPN might not necessarily provide bullet proof protection in protecting against the destination website from finding out the real IP address of it’s users, as some VPNs can have issues with IP address leakage through DNS and WebRTC leaks. But on the whole the protection offered is a lot more than can be offered by a firewall.
A firewall may be able to hide the individual IP address of the computer making the connection from the university as there will undoubtedly be some form of Network Address Translation (NAT).
NAT can translate the university computer’s private IP address into one that can be used publicly but this will only be relevant in tracing if a log of this is kept. A log which incidentally is only visible to the university and not available publicly.
VPNs can bypass firewalls blocking
VPNs can be used to bypass Firewall restrictions, as the Firewall will generally only work on blocking internet addresses (IP addresses) of websites and internet services.
However, if the VPN IP address is not blocked, any connections to blocked websites can be made over the VPN as the firewall has no way of knowing where connections are being made to, using the VPN software.
VPN software is immensely popular in schools where blocked websites can be ‘unblocked’ using the VPN and in countries where websites blocked by regimes can be bypassed using a VPN.
Intelligent Firewalls are smart firewalls
With intelligent firewalls (Next Generation firewalls NextGen for short) being able to determine whether the destination being connected to is safe for connection. If the destination connection is deemed unsafe, all connections trying to connect to the destination connection are blocked.
NextGen firewalls are able to do this by using threat intelligence, whereby lists of potentially malicious websites is available for inspection every time a website connection is made. This is all done in real-time is a matter of milliseconds without any impact on the connections being made.
Firewalls can block VPN traffic
As VPNs tend to use the same connection options when connecting from the user’s computers to a corresponding VPN server, some firewalls are easily capable of working out that the connection is using a VPN and can block the connection altogether.
This is because the IP address of the VPN servers may be known by the firewall, so it can easily compare being connection made to a list of VPN IP addresses and ban the connection accordingly. Or the firewall is aware of the ports used by the VPN to make its connections, as some VPNs use VPN technology like OpenVPN which uses a standard set of ports.
Many VPNs include options to configure the ports being used for connections as well as the protocol being used (TCP vs UDP) and this can help in bypassing blocks made by firewalls.
Some firewalls especially the Great Firewall of China used sophisticated technologies to determine if VPN connections were being made and either blocked these or slowed them down by severely throttling the bandwidth of the connections being made.
As the traffic is encrypted using strong encryption standards, its difficult to decrypt the traffic without knowing the encryption keys, so the only recourse available for the Chinese authorities was to try and block as many of the VPN connections being made as possible.
VPN and firewalls work in combination
Ideally a VPN and firewall should be used in combination to provide protection against threats, with the VPN ensuring any data travelling isn’t snooped upon by the Internet Service provider. With the firewall ensuring the computer where the data originates from and is stored on is protected against attacks.
So, as an example if Bob has sensitive data stored on his personal computer and wants to send this to Alice without his Internet Service Provider knowing he’s connecting to cloud storage account that only he and Alice has access to. Bob can switch on his VPN connection and connect to the cloud storage account, without leaving any traces in the logs of his Internet Service Provider.
His data is protected from eavesdropping not just because he has a secure encrypted channel to send this data through, but he is also using a secure connection to connect to the cloud data storage account. Thereby being assured his data is encrypted end to end from this computer all the way to the cloud storage account.
If he wasn’t using a secure encrypted connection from his computer to the cloud storage account, as soon as the data passed out of this VPN connection, that is when it left the VPN server to go to the cloud storage account, the data would be open to eavesdropping as it’s not encrypted.
End to end encryption
Here’s the rub with VPNs, many people assume they provide end to end encryption, but they don’t they only provide encryption from their VPN client to the VPN server, so it’s vitally important to make connections using secure standards like using TLS, SFTP, SSH to name a few. As these secure standards are the ones providing the end to end encryption.
The only exception here would be if the VPN server is in a network where it provides the front door access. So, for example, employees working from home who need to connect to their employers systems will most likely make a connection using VPN software to their employer’s VPN servers.
Once successfully connected, any connections made irrespective of whether they use secure standards like TLS (HTTPS) don’t really matter, as the employer is only interested in ensuring the connection made from the employees computer to the company VPN server is securely encrypted.
Any data travelling beyond the VPN server into the internal workings of the employers’ organization is protected by the firewalls (and other security controls) on the employer’s network.
Bob can take measures to ensure his data travels securely by using end to end encryption from his computer to the cloud storage account and also data travels anonymously, by using his VPN connection. In essence the data is encrypted twice, as it travels through the VPN, as the data is already encrypted end to end and the VPN then provides an encrypted channel for this data to travel over.
This protection is worthless if the original data on Bob’s computer can be accessed, as in all likelihood this data will probably be in a non-encrypted format. Hackers could try to hack into Bob’s computer and steal this data, more so, if Bob doesn’t have any protection such as a firewall to block unauthorized access attempts.
I have a VPN and firewall on my devices and when I regularly review the access logs on the firewall looking at attempts to try and break into my device, I’m shocked at the number of attempts happening on a daily basis.
Now, imagine if it’s a company, then the number of attacks are going to be phenomenal not just from one man band hackers but from state sponsored attackers, all looking for weaknesses. They will most likely use some form of automated scanning to work out what’s been left open to attack because of misconfiguration.
Firewalls and VPNs provide different levels of protection, with firewalls providing access control and VPNs providing methods of protecting privacy but used together they provide formidable protection in ensuring data can be stored safely but can also be sent safely.
As long as end to end encryption standards are used or the connection is made to a secure network where the VPN is the entry point, such as employees connecting remotely to their employers’ systems.