My favorite client sent me an Engadget article the other day about Netflix and its war against VPNs. Netflix has begun blocking users who try to bypass country-based content restrictions by using proxy services such as a VPN.
As the article states, “Netflix is trying to protect copyright, local distribution rights and contracts. It would be a totally reasonable idea if the only people who used VPNs were a minority of duplicitous streaming thieves, trying to sneak a peek at Doctor Who in Malaysia.”
The article then goes into detail as to why this is a serious security problem. Basically many users, myself included, use VPNs as a way to secure our network traffic while on a public Wi-Fi (or hardwired) network. In fact, at a SonicWALL (network security) meeting a few months ago, the presenter gave out a Wi-Fi password for the room we were in. What he didn’t tell everybody is that he was using the SonicWALL to monitor what Websites people were going to, how much time they spent on them, etc.
Later, he proceeded to embarrass some in the crowd who were apparently more interested in Facebook than what he was lecturing on. I asked him what he had on me. All he got was phase 1 of my VPN handshake. That was it.
This is because I was using the VPN to encrypt all of my Internet traffic so that prying eyes couldn’t see anything.
Remember that when you’re on somebody else’s network, especially an unencrypted public Wi-Fi network, your Internet traffic can be read easily. If it’s unencrypted someone can go so far as to read your emails, Facebook messages, passwords, etc. It’s ridiculously easy and many people do this just for fun at places like coffee shops and Internet cafés.
Of course, some people do it for more nefarious purposes and there are relatively cheap tools you can purchase to do this and do it well. One of the best tools is an “auditing” device known as the Wi-Fi Pineapple. I could write an entire article on just this device and its available accessories, but suffice it to say that in the wrong hands it can do some serious damage.
The Danger of Netflix’s VPN War
So why is Netflix’s VPN ban a security problem?
One of our founding fathers, Benjamin Franklin, famously said, “Those who give up essential security for temporary Netflix deserve neither security, nor Netflix.”
Well, he didn’t really say that, though it does sound like something he would have said. The problem is that people who want to enjoy their Netflix service while in a hotel, coffee shop, or any shared environment (locally and legally) now cannot do so anonymously and safely with their data encrypted.
You have to make the choice between Netflix and safety. I would choose not to watch Netflix but I’m sure there are a LOT of people out there that would choose the alternative.
The Engadget article goes into great detail about the Netflix action, why it won’t last, and why people are in an uproar over it.
The Value of VPN: Coming and Going
For our purposes, though, I want to discuss the underlying technology that allows this VPN scheme to work, whether for purposes of cheating Netflix or for securing yourself from hackers.
I know of many people who pay for VPN accounts online such as HideMyAss just because they want to watch TV from their home country but can’t if they do it from a U.S. IP address. I’ve also heard that Netflix in the U.K. has a better selection than Netflix here, and we’ve had requests from clients to set up a VPN to a client’s home in the UK so that they can watch their services from their home in the U.S.
Companies use VPN services not just to enable remote access to company resources, but also to ensure their company data is safe.
They do this by creating a “Group Policy” that forces the company laptop to automatically connect to the company VPN upon logging into the machine. Then, ALL Internet traffic is routed through the remote network, and ALL incoming and outgoing traffic is scanned by the company firewall.
This configuration protects sensitive data, and it also keeps the remote laptop protected against viruses, spyware, and intrusion attempts, because the laptop sits behind the corporate firewall wherever it happens to be.
Now this may be slightly confusing for many integrators who might implement VPNs into a home solely for the purpose of forwarding traffic destined for the home through the VPN. All other traffic would go directly to the Internet over the local connection.
In other words, what we see in the residential world is that if someone connects by VPN to their home to view their camera system via a local IP address such as 192.168.21.50, the traffic automatically goes over the VPN connection because the client recognizes that the subnet belongs to the remote network. If we try to access Google.com, the traffic just goes through whatever ISP we’re using at the moment.
This benefits us because VPN connections can be slow due to the overhead involved in encrypting traffic. We want to browse quickly and don’t need our traffic routed halfway across the U.S. just to browse from our remote firewall.
Or do we?
This is a choice that most people don’t know they have and a good selling point for a good firewall and VPN solution for a client.
Yes, VPNs can be extremely useful for us to remote into a house to program a Crestron system or to view cameras without making our system available to the outside world. However, they can also be useful for the reasons mentioned earlier.
Whether you want to use an IP address from another location or whether you just want to encrypt your Internet traffic, a VPN is the way to go.
Virtues of Split Tunneling
The one thing that determines whether all of your Internet traffic goes through the remote firewall via VPN, or whether only the traffic for the remote subnets you’re trying to reach goes over the VPN, is what is called Split Tunneling.
Split Tunneling is one of the things we teach in CEDIA’s EST423 (Remote System Access: Methods, Security & Best Practices) course. I highly recommend it and all of the networking courses offered by CEDIA if you want to get a better handle on all things residential networking.
If Split Tunneling is enabled on a VPN, it does exactly as the name implies. It splits the VPN tunnel so that only traffic destined for the remote site’s local subnets is passed through the VPN; everything else leaves directly over the local Internet connection. If Split Tunneling is disabled, then all traffic passes through the VPN whether it’s aimed at a remote subnet or CEPro.com. On our systems we enable Split Tunneling by default to ensure the fastest browsing experience possible, unless a client requests any of the services mentioned above.
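As an added example (not from the article or any vendor’s firmware), here is a small Python model of the routing decision described above: the same destinations are checked against a split-tunnel route table and a full-tunnel one. The 192.168.21.0/24 subnet is the article’s; the interface names, the VPN gateway address and the destination list are constructed.

```python
import ipaddress

# Constructed scenario: a laptop on coffee-shop Wi-Fi with a VPN back to the home firewall.
LOCAL_IF = "wlan0"      # shared Wi-Fi; anything sent here is visible to the network owner
VPN_IF = "tun0"         # encrypted tunnel to the remote firewall
VPN_GATEWAY = "203.0.113.10"   # constructed public address of the home firewall

# Split Tunneling ENABLED: the VPN pushes only the remote LAN; the default route stays local.
SPLIT_TUNNEL_ROUTES = [
    (f"{VPN_GATEWAY}/32", LOCAL_IF),   # the tunnel itself must reach the gateway over Wi-Fi
    ("192.168.21.0/24", VPN_IF),        # remote LAN: cameras, control processor
    ("0.0.0.0/0", LOCAL_IF),            # everything else goes straight to the coffee-shop ISP
]

# Split Tunneling DISABLED: the tunnel becomes the default route for all traffic.
FULL_TUNNEL_ROUTES = [
    (f"{VPN_GATEWAY}/32", LOCAL_IF),   # still needed, otherwise the tunnel would route into itself
    ("192.168.21.0/24", VPN_IF),
    ("0.0.0.0/0", VPN_IF),
]


def select_interface(dest, routes):
    """Longest-prefix match, the way a host routing table picks an egress interface."""
    ip = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def exposed_destinations(destinations, routes):
    """Destinations whose traffic leaves in the clear over the local Wi-Fi.

    Packets to the VPN gateway are excluded: they go out on wlan0 but are the
    encrypted tunnel itself, not readable application traffic.
    """
    return [d for d in destinations
            if select_interface(d, routes) == LOCAL_IF and d != VPN_GATEWAY]


if __name__ == "__main__":
    # Constructed destinations: a remote camera, a public web server, the hotspot's DNS resolver.
    targets = ["192.168.21.50", "142.250.72.14", "10.0.0.1"]
    for name, table in (("split tunnel", SPLIT_TUNNEL_ROUTES), ("full tunnel", FULL_TUNNEL_ROUTES)):
        print(name, {t: select_interface(t, table) for t in targets},
              "exposed:", exposed_destinations(targets, table))
```

With Split Tunneling on, only the camera address rides the tunnel and the other two (including the DNS query) are visible to whoever runs the Wi-Fi; with it off, everything except the tunnel endpoint itself goes to the home firewall first.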
Remember, this can be a valuable upsell to a client for all of the reasons mentioned above. There are a few more though. They can browse using the full security of their firewall, protecting them from threats just as a corporate firewall would. On top of this, unlike the online services whose governments have a “mandatory retention” law (storing your personal data for a specific amount of time), your personal firewall will not need to store your data to be used against you by whatever arm of the government wants to come checking.
Your logs will probably only last a couple of days at most anyway. After all, it’s not like you’re Hillary Clinton with a private firewall and private server, though I’m sure that’s why she decided to go that route in the first place. 😉