0

There may be a basic flaw in my understanding of how the internet works so sorry if this is a simple question. What type of attack does VPN protect against? For example if a local area network (let's call it alpha) needs to connect to local area network (let's call it beta) that is in a different city, often VPN is used. But why? Let's say it wasn't. Then packets are sent from alpha, they go through alpha's router to the ISP, the ISP sends the to beta's router, and then beta has them. I assume the ISP is fairly secure, for example a person can't easily sniff packets inside the ISP. So at what point does having a VPN that encrypts packets actually become useful? Is it that after packet's leave alpha's router they actually pass through a series of public server before they reach the ISP or something like that?

EDIT: let me reword the question. IP suite guarantees that a packet with destination address xxx.xxx.xxx.xxx will be delivered to xxx.xxx.xxx.xxx. Obviously if the sender or receiver is compromised by a hacker then the hacker will know the contents of the packet but the point of VPN is to secure the packet is in transit. But where in transit is it week without encryption? For example even if a hacker knows the IP address of a router that the packet will pass through he can't trick the router into giving him the packet, or can he? Is the argument we don't know who owns the router so it could have been tempered with so the owner is sent a copy of every packet?

Basically I'm saying if IP already sends it to one specific recipient, why is VPN needed?

Celeritas
  • 10,089
  • 22
  • 79
  • 144
  • 1
    they actually pass through a series of public routers between alpha and beta. – Ulkoma Nov 25 '14 at 08:37
  • @Ulkoma ok. So are they public routers they pass through between the home router and the ISP? Who owns them, for example are they technically property of the ISP and are just lacking security so anyone can eavesdrop on them? – Celeritas Nov 25 '14 at 08:47
  • 1
    They belong to a third ISP that alpha and beta have an agreement with. I work for that ISP and in my lunch break I enjoy eavesdropping. Can you risk that? or your information isn't that important to you – Ulkoma Nov 25 '14 at 08:58
  • "They belong to a third ISP" how do you count third? alpha has an ISP, beta has an ISP (though it may be the same as alpha), and now you're saying yet another ISP owns the public routers? – Celeritas Nov 25 '14 at 09:01
  • Alpha and Beta has no physical connection between them but both have an agreement with a third ISP and they use it as a middle man. You trust alpha and beta but you had no idea there is a middle man, that's public to you – Ulkoma Nov 25 '14 at 09:07
  • @Ulkoma why do you find it necessary to use the word "third"? For example, if I were to replace all the times you say "third ISP" with just "ISP" what difference would it make? – Celeritas Nov 25 '14 at 09:09
  • Cause you don't know them nor trust them. You trust alpha but do you trust who they trust? If this was the case I trust the entire world – Ulkoma Nov 25 '14 at 09:17
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/18954/discussion-between-ulkoma-and-celeritas). – Ulkoma Nov 25 '14 at 09:31
  • [This might be a useful read.](http://security.stackexchange.com/questions/72679/differences-between-using-tor-browser-and-vpn/72729#72729) – RoraΖ Nov 25 '14 at 15:41

4 Answers4

1

The internet is a mesh of telecommunications lines run by different companies which are leased by ISPs which use them to sent traffic from customer to customer. Any one of the ISPs or telecommunications companies can sniff the traffic that goes over their lines or network devices in ways you cannot detect. Some governments have forced (or paid) ISPs to install traffic sniffing devices to collect traffic going through their networks, and others could have been breached by state sponsored or organized crime funded hacking groups.

There's really no assurance that anything going over the web is in any way secure, which is why companies use VPNs to encrypt traffic between offices and SSL is used for websites to protect browsing traffic.

GdD
  • 17,321
  • 2
  • 41
  • 63
  • Ok so if you pay AT&T for your internet connection, it may pass through telecommunication devices not owned by them? In that sense what difference does your ISP make, if you're paying them and using equipment they don't even own? – Celeritas Nov 25 '14 at 09:39
  • @Celeritas equipments they don't own doesn't mean that they are insecure. Also the have to spent money to use such rquipments and in turn you have to pay a share of which to the ISP since you are using their share. – Anandu M Das Nov 25 '14 at 09:56
  • 1
    An ISP only gives you an entry point to the internet @Celeritas. The internet is made up of thousands of ISPs, office A may be connected to a different one than B, and traffic between may transit several other providers in between. – GdD Nov 25 '14 at 10:01
1

I will restrict this to only gateway to gateway VPNs - there are additional potentially higher risk considerations for client to gateway VPNs.

A connection to the Internet will be via an ISP and therefore the end points of a route between two organisations will generally be known; if the ISP(s) have implemented controls that provide confidence that their kit is secure and their staff will not abuse their privileged position, it is possible that the risk of compromise at the ISP may be considered acceptable (particularly if supported by contractual conditions and penalties for any compromise on the ISPs infrastructure - though how this would be enforced is a whole different question).

However, the network route between ISPs is generally speaking going to be unknown and dynamic. Routing protocols are used to determine the route a network packet will take across a network, which will depend on many factors, but it is fair to say that for traffic sent across the Internet the interim hops will be on devices that are outside the control of the direct ISPs. Anyone with access to these interim devices can view/alter the contents of the traffic.

In most scenarios when providing a connection between two LANs it makes sense to configure a site to site VPN to prevent the various man in the middle attacks that would be possible at the untrusted nodes.

R15
  • 2,943
  • 1
  • 12
  • 21
  • So in a really short nutshell, since the routers and servers the packets pass through are owned by people you don't know they could have been setup in a way to read your packets? – Celeritas Nov 25 '14 at 12:08
  • In a nutshell...yes. – R15 Nov 25 '14 at 12:12
  • Anyone with access to the cable, or in the vincinity of the transmission path in case of microwave towers, can also read the packets... – Bruno Rohée Nov 25 '14 at 12:17
0

If you believe that the traffic through the ISP is safe enough to protect your data then why do you use https in facebook and gmail? simple http shall do, right?

You have to understand so many attacks including sniffing and tampering of data in order to understand the concept more clear. Read this to understand why you are recommeneded to use https always.

Coming to the case of VPN, it actually creates an https like connection between the clients who are using the same VPN connecton by encrypting all your data, making your communication in the VPN network secured.

Anandu M Das
  • 1,995
  • 15
  • 31
  • 46
  • A huge pet peeve of mine is using metaphors to explain things. They should only be used in the most complex of examples. For instance, in the article it says using WEP to secure wifi is like speaking in pig latin. This basically says nothing. – Celeritas Nov 25 '14 at 10:49
-1

It's all based on the assumption you make being false. Which in practice is the good one to make. An ISP jobs is to to move packets fast and cheaply. Ensuring their security (integrity, confidentiality) is not something they can do without using what you would call VPN technologies.

And if you're not paying for it, they sure ain't doing it.

Bruno Rohée
  • 5,351
  • 28
  • 39