Is it risky to use a 3rd-party VPN service such as NordVPN for a business?

jd1114
Is it risky to use a 3rd-party VPN service such as NordVPN for a business?  The goal is to make it harder for attackers to break in to the office through the Internet.  The goal is not to allow people to connect to the office remotely.  The line of thought is that forcing all office Internet traffic through a VPN would make it harder for an attacker to target the office because the VPN would make the office Internet connection anonymous.

Would using a VPN in this way negate the protections provided by a NAT router?  What about if the router itself is configured to make the VPN connection for the whole office instead of having each individual client computer connect?  Which is the best way to do it?
Principal Software Engineer
Commented:
Using a VPN won't improve your security and I/M/O will degrade it.

a) You don't know who is behind the VPN company.  For example, a significant number of Tor nodes are secretly run by governments specifically for eavesdropping purposes.  I'd say it's a safe bet that the same is true for VPN providers.  CIA should not be synonymous with ISP no matter what business you are in.  Same goes for China.

https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-tors-exit-nodes/

b) If your VPN provider goes down, so does your business.  An external VPN is an unnecessary extra loop in the network and you're dependent on that loop being up 24/7/365.

c) Does it make sense to route your network traffic through a VPN that may be exiting in Poland this week, Russia next week, Hong Kong next week, Africa the week after that, with varying latencies and reliability?

The goal is not to allow people to connect to the office remotely.

Then put good hardware encryptors at each remote location and change the keys regularly.  Periodically audit whether the encryptors are still physically secure.  Create a list of allowable IP blocks and MAC addresses and allow no others through your firewalls.  Use GeoIP blocking to lock out any part of the world where you don't have a presence.  Over the long run these things are cheaper and every piece is under your control.

Side note:  If you're worried about security, first consider whether you have WiFi enabled on your network.  If so, disable the WiFi first.  That's a far bigger hole and one that a truck can be driven through.
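One way to apply the "list of allowable IP blocks, deny everything else" control from the comment above, as an added example that is not part of the original thread: a small audit that checks inbound connection attempts in firewall log lines against an allowlist of address blocks. The log format, the allowlisted blocks and the log lines themselves are constructed for the example.

```python
"""Added example (not from the thread): evaluate inbound connection attempts
against an allowlist of IP blocks, with default deny for everything else."""
import ipaddress
import re

# Constructed allowlist: the address blocks of the business's own remote
# locations and partners. Anything outside these blocks is denied.
ALLOWED_BLOCKS = [ipaddress.ip_network(b) for b in ("203.0.113.0/24", "198.51.100.32/27")]

# Constructed sample firewall log lines (a netfilter-style format is assumed).
SAMPLE_LOG = """\
Jan 12 09:01:02 fw kernel: IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 12 09:01:05 fw kernel: IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=3389
Jan 12 09:01:09 fw kernel: IN=eth0 SRC=198.51.100.40 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 12 09:01:11 fw kernel: IN=eth0 SRC=198.51.100.70 DST=192.0.2.10 PROTO=TCP DPT=3389
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dport>\d+)")


def is_allowed(src: str, blocks=ALLOWED_BLOCKS) -> bool:
    """True if src falls inside any allowlisted block; otherwise False (default deny)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source address is never allowed
    return any(addr in block for block in blocks)


def audit(log_text: str, blocks=ALLOWED_BLOCKS):
    """Return (src, dport, verdict) for every inbound connection line in the log."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record; skip it
        src, dport = m.group("src"), int(m.group("dport"))
        verdict = "allow" if is_allowed(src, blocks) else "deny"
        results.append((src, dport, verdict))
    return results


def denied_sources(log_text: str, blocks=ALLOWED_BLOCKS):
    """Sorted, de-duplicated list of source addresses that fell outside the allowlist."""
    return sorted({src for src, _, verdict in audit(log_text, blocks) if verdict == "deny"})


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

The same structure extends to GeoIP blocking by adding the address blocks of the countries where the business has a presence to the allowlist and keeping the default deny.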
Ugra Narayan Pandey, Cloud Security Expert

Commented:
I am using the Nord VPN paid version. In my opinion, using a VPN is sometimes not secure, because you don't know what happens behind the wall. When we secure our endpoint devices, most of them are tied to a defined IP address (your office IP address), but when we use a VPN service these security policies stop working in the meantime.

So, your concern is right: using VPN services is not secure.
Distinguished Expert 2018

Commented:
Dr. Klahn wrote a number of good points. I'll try to add some more.

The goal is to make it harder for attackers to break in to the office through the Internet.
Having sound security policies is one of the first things. Harden your systems. Make sure not to leave any unnecessary services enabled.  If you're hosting externally facing systems, then you need to take appropriate measures. For example, if you're hosting a website, then you better be using SSL certificates and only allowing TLS connections. Also, you should have a WAF and DDoS protections in place. And have that web server ONLY accept connections from your WAF.

The goal is not to allow people to connect to the office remotely.
Notice you said you don't want to allow people to connect remotely, which is different than you don't want to allow unauthorized remote connections. If you haven't granted users access to your own VPN, that's one major boost. Not allowing inbound RDP connections to systems on the network is another. (Then again, you shouldn't be allowing any unauthorized connections from the outside) Preventing users from installing software on their computers is also going to be another major step, because someone *will* try to throw on an application such as TeamViewer. Also block access to these types of services at the proxy (if you use one) or router level. If your goal is not to allow unauthorized connections, then I would try to implement MFA on systems that require remote logon (i.e. your own VPN, webmail, etc).

The line of thought is that forcing all office Internet traffic through a VPN would make it harder for an attacker to target the office because the VPN would make the office Internet connection anonymous.
Harder to trace for many, maybe. Purely anonymous... good luck. See Dr. Klahn's comments.

Sending out traffic via a VPN service isn't going to change where you're sitting to begin with. So if someone was just scanning public IP addresses, yours is going to get found sooner or later. You're really not solving any issues.

David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
No.

Because VPNs provide no additional security over SSL.

VPNs only provide slower network connections.

VPNs will never protect against hackers breaking into machines.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
The only way a hacker can break into a machine is if the machine is running some software which can be hacked.

Over the past 20x years Linux Kernels have had a few zero days.

Windows on the other hand... wow... you can search the vulnerability databases for all the Windows hacks.

If you really consider your best protection.

VPNs offer nothing. Never have. Never will.

Switching to running only Linux + OSX (Macs), to me, is far better.

Since I switched... Almost 20 years ago now, I went from being hacked continually, to not a single hack since I switched.
NordVPN and other services like it are an external privacy VPN and a redirect VPN.  They are not meant to provide security.  They are meant to protect you from the prying eyes of the web site to find your IP and attempt to geolocate you.  If you visit a banking site, you are wasting your VPN access.  Security is provided by the SSL connected site that you visit.  This is different than a dedicated office VPN.

The dedicated office VPN secures the connection between an external remote system of your choosing and your internal office networks.  It's for securing your internal office networks.  These provide privacy from external attacks and secure your workplace's confidential information from prying eyes.  They are meant for different things and operate differently.

Author

Commented:
Thank you everyone for your comments.  It may sound silly of me to ask at this point, but does using an external privacy VPN (like NordVPN) for business Internet access provide any security benefits?

Author

Commented:
In other words, does using an external privacy VPN do anything to help keep hackers out -- even considering the potential that it may be providing "security by obscurity"?
No.  That's not what it's for.
Distinguished Expert 2018

Commented:
In other words, does using an external privacy VPN do anything to help keep hackers out -- even considering the potential that it may be providing "security by obscurity"?
The only thing you'd be remotely obscuring is your location, and that may cause you issues. So you'd potentially be causing more issues than you'd be solving. However, someone scanning the internet for open ports on your firewall is not going to get misdirected by your VPN use because they're not even paying attention to that traffic to begin with. They're more generally looking at IP addresses to target. There was a reason why I posted this in my last comment: "Sending out traffic via a VPN service isn't going to change where you're sitting to begin with. So if someone was just scanning public IP addresses, yours is going to get found sooner or later. You're really not solving any issues."

Author

Commented:
Thank you all for the help.

Commented:
For me, I will increase the security so that the VPN login only touches a minimum IP range and port, and will add extra login authentication on some software such as Remote Desktop.
