March 16, 2020 VPN

Data Privacy with a VPN



Data Privacy.  Without a VPN your raw data is transmitted over the wire.  Your ISP can glean information such as the websites you visit and how often you visit them.  While they can’t necessarily see the data you are transmitting, such as your home address and credit card numbers, just knowing the site you visited is enough to make an educated sell.  They can tell if you’re in the market for a new car, but they can also tell if you’ve been diagnosed with some exotic disease.  Yes, that’s the hard truth.  Do they inspect this data? Yes.  It’s how they advertise to you.  In some cases, we don’t know what they do with this data.  Are they selling it to third parties?  Yes. It happens.  At Cyber Defense Contractors we take privacy seriously.  We’ve seen the effects of being exposed on the internet and do all that we can to protect our clients from falling victim.

The analogy we like to use is this.  If you were in the market for a new car you would begin by searching the make and model on a search engine.  Nearly immediately a back-end set of servers will go into action and present you advertisements for a new car.  They’ve associated you with the interest in that car.  What if you performed that very same search and within a few minutes heard a knock on the door?  It’s a gentleman who begins by telling you he’s with such and such dealership and happens to have the very car you were searching for right there in front of your house.  Would you like to go for a test drive?  If you’re not sketched out by that you’re not human.  It’s no different.  Slightly less invasive but really no different.

A VPN is necessary when using a public Wi-Fi hotspot.  Why?  Hackers can pretend to be the Wi-Fi hotspot you connect to.  Your traffic is then forced, unencrypted, through their machine before it hits the internet.  They use readily available applications that can glean usernames, passwords, credit card numbers, and the like. They have access to your personal data.  A VPN is a must if you connect to a public Wi-Fi hotspot.

Is it necessary over your home or business ISP’s internet connection?  Yes.  In order to shield your private web surfing from the ISP, a VPN will obscure the traffic so the ISP has no visibility into it.  A solid VPN provider will also carry your DNS traffic, which is where the sites you visit would otherwise be gleaned.  Your search engine queries, which carry the keywords you are searching for, are tracked.  The next time you look up that exotic disease you just might see an ad for its medication on the next website you visit 🙂 If Comcast is your ISP and also your Cable TV provider you just might see a commercial for it.  Right?

MAINSTREAM VPNs COMPARED, PROTONVPN vs KASPERSKY SECURE CONNECTION

Virtual Private Networks offer privacy for your network communications.  There are a slew of service providers all offering similar services.  We perceive the VPN market as a bit sketchy in and of itself because there are a lot of providers laying claim to things they can’t do.  We know of one provider who claimed to have 40,000 VPN servers.  That’s too unbelievable.  Some do come with enhanced privacy features.  In this post we sought to compare the available bandwidth of two of the most prominent VPN services.

ProtonVPN, based out of Switzerland, is a VPN service whose webpage states “High-speed Swiss VPN that safeguards your privacy”.  Being based in Switzerland means certain rules apply that help prevent inquiries into its customers and the data they transmit on the wire.  Note that I used the word “help”.  One must read the fine print. It is difficult, albeit possible, to request this information through a Swiss court order. Whether ProtonVPN has any information to give is another story. They do not track any information about you when communicating through their servers, so generally there is nothing to give.

Its email service enjoys a similar benefit. The data at rest is encrypted. Only you have the passphrase.  All email in transit between ProtonMail customers is also encrypted.  They have other measures to ensure email is encrypted to those that are not customers of ProtonMail.  We could talk in depth about only one side of an email conversation being encrypted but we’ll keep that for another post.

Kaspersky Secure Connection is another VPN provider.  The application works on desktop and mobile platforms, as does ProtonVPN.  It recognizes when you’re connected to an unsecured public network.  Once recognized, it offers to bring up the VPN to secure your connection automatically.

VPN COMPARISON TESTS

Both VPNs serve the same purpose.  They protect your data in transit.  To be sure we were not placing any load in the path between the Ookla Speed Test application and its destination server, we connected our ISP to a modem and then directly to a laptop.  No router, switch, firewall, or IDS was in between.  The modem is capable of 6 Gbps and our network interface card is capable of 1 Gbps.

As a baseline we tested general ICMP echo response using a simple ping to a server we own located in the Amazon AWS cloud. It’s in the US East.  Before performing the test we gauged what kind of bandwidth we would see out of Amazon’s AWS Free Tier with iPerf.  The results?  We were capped at 50 Mbps.  We are unaware if this is a hard limit on the Free Tier or if it is associated with the size of the server one would select.  Maybe someone from Amazon can comment.  This does not impact our results as we’re only measuring ICMP echo response to that server.

The bandwidth tests were performed using Ookla’s Windows Speed Test application.  We avoided their web-based client. Running such a critical test through a browser isn’t a great idea.  Browsers were not designed to host applications like that.  They’ve come a long way, but again, they were not designed to host this type of application.  Enough about that.

Our own dedicated internet connection is at 350 Mbps downstream and 35 Mbps upstream. We started with a traceroute to get a visual on our path.  The results are below:

BASELINE TRACEROUTE TEST

You’ll notice a firewall or proxy is blocking our traceroute after IPv4 173.167.59.96.  According to Hurricane Electric’s Looking Glass this IPv4 belongs to AS7922 and is part of Comcast’s internet backbone.

BASELINE PING TEST

A ping to the IPv4 address shows adequate results. As a baseline we have a solid internet connection to perform our bandwidth tests with.

BASELINE BANDWIDTH TEST

The below is a measure of the max bandwidth our ISP has allotted to us.  We are seeing a degradation of service of about 120 Mbps less downstream than we have seen previously.

The above was to the iboss server in Boston.

The above was to the Comcast server in Boston.

The above was to the Starry, Inc. server in Boston.

Because the three servers are showing similar bandwidth, the degradation is in the network (AS) local to me.  That being my ISP.

ProtonVPN OPENVPN UDP, US NORTHEAST BOSTON TO US NORTHEAST NEW YORK CITY

Cyber Defense Contractors HQ is in the Northeast United States, so our first test was to a ProtonVPN server located in the same region.  We chose US-NY#14 at IPv4 193.148.18.36.  We manually selected the OpenVPN UDP protocol rather than allowing it to auto select.  The US-NY#14 server was at approximately 45% load. The Ookla destination server was also in New York City.  We saw 35.90 Mbps downstream and 34.33 Mbps upstream.  Results we were happy with.  We’ll talk more about that later when we discuss general bandwidth requirements.

ProtonVPN OPENVPN TCP, US NORTHEAST BOSTON TO US NORTHEAST NEW YORK CITY

For kicks we did a test using TCP rather than UDP.  We used the same servers.  The server was still at 45% load.  We saw higher latency but similar throughput.  The higher latency isn’t a result of using the TCP protocol.  We saw 37.59 Mbps downstream and 34.00 Mbps upstream.  Again, results we were happy with.

ProtonVPN OPENVPN UDP, US NORTHEAST BOSTON TO US WEST LOS ANGELES

We picked VPN server US-CA#19 at IPv4 45.152.182.133, located in Los Angeles, California.  Our Ookla Speed Test server was also in Los Angeles, California.  Here, we are crossing the country.  We still saw respectable results of 33.62 Mbps downstream and 34.18 Mbps upstream.  Our latency falls in line with the relative geographic location of each server.  Keep in mind that we’re capped at 35 Mbps upstream by our ISP. Actual upload results could be significantly greater than what our tests are able to gauge.

ProtonVPN OPENVPN UDP, US NORTHEAST BOSTON TO ZURICH, SWITZERLAND

We picked server CH#10 at IPv4 185.159.157.19 in Zurich, Switzerland. The server was at about 52% load. The Ookla destination server was also in Zurich. We saw 24.97 Mbps downstream and 30.56 Mbps upstream. Given the distance between the A and Z ends these are more than respectable results.


Kaspersky Secure Connection didn’t afford us the luxury of picking servers located in different states or regions within a selected country.  We got whatever server the application gave us.  This gave us a bit of an impression. The application is intended for the home user.  It appears to be more of a consumer grade service than a business grade service.  That’s not to say a business would not use this and get desired results.  We’re merely speaking about the application and its front-end, which doesn’t necessarily project anything good or bad about what’s happening on the back-end.

Although we don’t know where we are connected, we can glean this information with just a little work.

Right off the bat we’re seeing considerably higher ICMP echo response to the Amazon AWS server.

BASELINE PING

BASELINE TRACEROUTE

Our traceroute wasn’t allowed out of the machine.  It was being firewalled by the Kaspersky Secure Connection application.

However, duckduckgo tells us what the VPN server IPv4 address is.  It also tells us the location. This is mostly, if not entirely, responsible for the high ICMP echo response.  This is normal and doesn’t reflect upon Kaspersky Secure Connection at all.  Traffic is routed through San Jose, California and then back to the AWS server in the Northeast.

KASPERSKY SECURE CONNECTION, TCP OR UDP?

We were left in the dark as to whether UDP or TCP was being used.  In fact, we didn’t really know what VPN protocol the application is using. Keep in mind this is consumer grade, so having the information I’m mentioning readily available isn’t really necessary. The VPN appears to be running over TCP and using TLSv1.2 encryption.

KASPERSKY SECURE CONNECTION, TCP US NORTHEAST BOSTON TO US WEST SAN JOSE

The result of the Ookla speed test was good.  While connected to IPv4 92.23.148.67 in San Jose, California we saw 38.29 Mbps downstream and 27.53 Mbps upstream.

KASPERSKY SECURE CONNECTION, TCP US NORTHEAST BOSTON TO ZURICH

When connected to IPv4 185.59.157.20 in Zurich, Switzerland we saw modest but more than acceptable results of 26.45 Mbps downstream and 33.93 Mbps upstream.

BANDWIDTH CONCLUSIONS

These test results prove more than adequate for both to be considered consumer grade. In many cases either VPN service will work for the small business.

THE STATE OF BROADBAND

As of this writing, if you’re not a mid-market or large enterprise, you really don’t need much more than 10 Mbps downstream.  Typically, you’ll get 5 Mbps upstream with your internet plan.  Both will meet the demands of most of what you want to do. In the US, broadband is considered at least 25 Mbps downstream and 3 Mbps upstream per the FCC.  What’s of significance to Cyber Defense Contractors is the upstream figure of 3 Mbps.  We feel it’s an often-overlooked value.  Bravo to the FCC.  The US had not been keeping pace with other countries but now is.  ISPs had no need to adopt higher speeds because nothing was pushing them.  Not even the coming adoption of OTT video pushed them.  Upping speeds means infrastructure changes. It would have impacted their bottom line.  Business is business.

HOW MUCH BANDWIDTH IS ENOUGH?

The number of users is NOT the sole benchmark that should be used to judge how much bandwidth you need.  Unless you foresee five or so users watching high definition video simultaneously on separate devices, you don’t need more than the 10 Mbps downstream I mentioned. Right now, a single video stream is typically going to require 1.5 Mbps to 3 Mbps.

The number of clients is often used by ISPs when guiding customers on what plan to purchase. In most cases, one can forgo that guideline because there’s much more to the equation.  I’ve heard statements such as, “for 10 users you need 300 Mbps downstream”.  Early in my career, I had 300 users running off a T1 at 1.45 Mbps. Were they streaming video? No.  But everyone was surfing the internet and complaints were few and far between.  The likes of 300 Mbps is a lot of bandwidth.  It’s well positioned for the introduction of 8K video streaming but still may very well prove to be more than what is needed.  It’s too much to pay a premium for now, unless you’re providing an internet service that requires the associated upstream bitrate.  ISPs do not have a la carte plans when it comes to downstream and upstream for consumer grade or small business grade plans.  You may need the bandwidth on the upstream side if you’re sending your data back-ups or surveillance video to the cloud. Still, you probably do not need more than the 5 Mbps they give you on the lower priced plans.  Video at the egress is going to stream at the typical 1.5 Mbps – 3 Mbps bitrate.  Your data back-ups at the egress are probably “differential”, so it would be a reach for you to need more than 5 Mbps.

For the small to midmarket business it all depends on what they’re doing with their technology and their use of the internet or private network.  If you are networked with business partners, it becomes a different story. Your bandwidth requirements should then be assessed by a professional.  Most ISP plans come with contracts these days.  Don’t get locked into something that is too much especially if you’re on a budget.

WHAT ABOUT THE HOME USER?

If you’re a home user, you can stream Hulu or Netflix over 10 Mbps. Really? Yes. Some of you may have done it with your mobile hotspots.  However, you probably quickly learned that mobile providers don’t have hotspot plans that fit this scenario well.  With 30 Gbps and 50 Gbps data caps you’re going to run out of data quickly.  The introduction of 5G service isn’t going to prove any better considering what we’re seeing from T-Mobile.  Their 5G plans are still capped at 50 Gbps although their bandwidth is more than 10-fold what 4G can provide.  Boost Mobile offers a 4G service such that if you hit your cap you can “re-up” by paying for your monthly plan early and get another bandwidth allotment.  Your recurring monthly payment date is then adjusted. This seems like a prudent business strategy and if not already adopted by the other providers it may be adopted in the near term.  What is it that they know? They know you’ll oversubscribe your plan.  T-Mobile is inching closer to blanketing the US with 5G but with caps like that it doesn’t have the shine we had hoped for.  As an aside, Boost Mobile is a subsidiary of Sprint so technically would become part of the new T-Mobile.  We will eventually see 5G caps move upward as the mobile providers begin targeting the home user and small businesses.  Mobile providers such as Verizon, AT&T and the new T-Mobile will be competing directly with Cable providers like Comcast, and Cox.  Still, 100 Gbps and 200 Gbps caps are possible and don’t sit well with us.  Either way there will be caps so don’t cut the cord just yet.

It’s also worth considering that with 4G and 5G communication we’re dealing with radios rather than wired connections.  This is wireless after all.  Packets transmitted over radios have their own negative characteristics, so it won’t necessarily be a primary solution for latency sensitive applications. I could be proven wrong on that.  Additionally, the perspective of Cyber Defense Contractors has always been that wireless communications should be avoided if possible.  It creates a large attack surface without walls as barriers.  Think about that.

The 1 Gbps plans that the Cable DOCSIS 3.1 standard is providing are going to provide the bandwidth necessary for at least a decade.  Companies like Comcast are locked in.  However, in the event that the small to midmarket enterprises start requiring greater than 1 Gbps, which I do not foresee happening in my lifetime, it appears DOCSIS 3.1 and DOCSIS 4.0 are ready.  They can provide 10 Gbps downstream data rates with 1-2 Gbps upstream and 10 Gbps upstream respectively. Fiber providers, like Verizon FIOS and Google Fiber, will be able to provide that bandwidth too.

The bandwidth available is superseding the need at this stage. Unless you’re talking about the data center, cloud services, and the large enterprise you don’t need much. Consider that some midmarket and all large enterprises are more likely to purchase discrete lines or ethernet services (MPLS, DMVPN, etc…). To the home consumer, the small business, and most midmarket businesses they don’t need that kind of bandwidth.

YOUR CHOICE OF A VPN PROVIDER

As for a VPN service we’ve proven that the bandwidth provided by both ProtonVPN and Kaspersky Secure Connection is more than enough.

ProtonVPN boasts of unlimited bandwidth, but our testing tends to suggest something else.  It appears that there’s a per user cap of about 30-40 Mbps downstream. It is our opinion that no service could offer truly unlimited bandwidth; otherwise a single user, like myself, could consume enough resources to limit the number of users who could access that VPN server.  It also opens up a server to a DoS or DDoS attack.  So, logically, a VPN provider would not offer unlimited bandwidth.

For those who are more tech savvy and want to steer their traffic through a specific city in a specific country, they’ll be best off with ProtonVPN.  They’re located in 40+ countries and manage 690+ servers. The features provided by ProtonVPN are too many to mention.  ProtonVPN has a No-log policy, meaning that your internet activity through their servers is not tracked in any way.  They state on their website that Switzerland is outside of both EU and US jurisdiction and is not a member of the Fourteen Eyes surveillance network. Another benefit to ProtonVPN is its multi-platform support.  It has native applications for Android, iOS, macOS, and Windows.  It also supports Linux with a Python based client. For complete anonymity you can upgrade to make use of their Tor servers.  It also has integrated DNS Leak Prevention so your DNS queries can’t escape the secure and encrypted tunnel.  Another nice feature is their Transparency Report & Warrant Canary page.  Transparency is good.  Pricing ranges from about $50 USD/yr. to $100 USD/yr. for their Basic and Plus plans. They also have a Visionary plan that includes email for $300 USD/yr.  For available packages see their ProtonVPN pricing page.  In addition to their Headquarters in Geneva, Switzerland they do have an office located in San Francisco, California.  Two nice benefits worth mentioning are that their core servers are in a military bunker 1,000 feet down and their ProtonVPN apps are open sourced. Because they are open sourced, they are audited by the open source community (no back doors).
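As an added illustration of what a DNS leak check actually verifies (example code, not from ProtonVPN or this post): with the tunnel up, both the default route and every configured resolver should leave the host only through the tunnel interface. It assumes a Linux client with an OpenVPN `tun0` interface and works on constructed `ip route show` and resolv.conf text, so it runs offline.

```python
"""Offline check that DNS is pinned to the VPN tunnel (Linux ip route /
resolv.conf formats). All sample text below is constructed for this example."""
import ipaddress
import re


def parse_routes(ip_route_output):
    """Return (network, interface) pairs from `ip route show` lines."""
    routes = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        dev = re.search(r"\bdev\s+(\S+)", line)
        if not parts or not dev:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dest, strict=False), dev.group(1)))
    return routes


def route_iface(routes, address):
    """Longest-prefix match: the interface that carries traffic to `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def parse_nameservers(resolv_conf):
    """Extract resolver addresses from resolv.conf-style text."""
    return [ln.split()[1] for ln in resolv_conf.splitlines()
            if ln.strip().startswith("nameserver") and len(ln.split()) > 1]


def dns_leak_report(ip_route_output, resolv_conf, tunnel_iface):
    """Flag whether the default route uses the tunnel and list resolvers that bypass it."""
    routes = parse_routes(ip_route_output)
    # 203.0.113.1 is a documentation address standing in for "any internet host".
    default_ok = route_iface(routes, "203.0.113.1") == tunnel_iface
    leaks = [ns for ns in parse_nameservers(resolv_conf)
             if route_iface(routes, ns) != tunnel_iface]
    return {"default_via_tunnel": default_ok, "leaking_nameservers": leaks}


# Constructed routing table of an OpenVPN client using redirect-gateway def1:
# the two /1 routes override the LAN default, and the VPN server itself
# (the US-NY#14 address from the post) stays reachable via the physical NIC.
ROUTES_VPN = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
193.148.18.36 via 192.168.1.1 dev eth0
"""
RESOLV_PINNED = "nameserver 10.8.0.1\n"  # resolver reachable only over the tunnel
RESOLV_LEAKY = "nameserver 10.8.0.1\nnameserver 192.168.1.1\n"  # LAN/ISP resolver still listed

if __name__ == "__main__":
    print(dns_leak_report(ROUTES_VPN, RESOLV_PINNED, "tun0"))
    print(dns_leak_report(ROUTES_VPN, RESOLV_LEAKY, "tun0"))
```

A resolver that the routing table sends out the physical interface is exactly the leak the page's "DNS Leak Prevention" feature is meant to close; a provider-pushed resolver inside the tunnel subnet passes the check.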

Kaspersky Secure Connection is the less expensive of the two with current pricing at $29.99 USD/yr. for up to 5 devices.  Like ProtonVPN Kaspersky does not log your internet activity through their servers. Kaspersky Secure Connection supports Windows, Mac, iPhone, iPad, and Android. Information is extremely limited but see their pricing page.

CAN A VPN BE HACKED?

Well, we wouldn’t necessarily know.  We’ve never done it nor would we try.  Cyber Defense Contractors, as an organization, primarily acts in a blue team role.  However, there’s not much to stop an intermediary server, also known as a Man-in-the-Middle, from accepting your connection only to connect to the real VPN server on the other side. We believe we saw, at one time, something similar by way of an SSL downgrade attack.  We could not confirm.  If a server certificate is stolen or duplicated this can be achieved.  However, that is not how encrypted tunnels are typically hacked.  The hacker targets the host machine.  That’s your laptop or computer.  Once in the host it doesn’t matter whether you’re encrypting your traffic or not, because the hacker is viewing what’s taking place directly on your machine.

DISCLAIMER

We at Cyber Defense Contractors tend to use ProtonVPN.

One issue to be aware of with any VPN is the purchasing of goods online.  If on a US based eCommerce site while connected to a VPN server located in another country you may have an issue.  Your transaction will likely be flagged because the IP will not match the country of the shipping/billing address.  We ran into this issue. Our Amazon account was quickly shut down. There wasn’t much of an explanation.  So, if you intend to make a purchase in the US simply disconnect and reconnect to a VPN server in the US.

Rob Cluett

More than 27 years of experience as a motivated IP Network Engineer in the Telecommunications, Information Technology Services, Plastics, Consumer Goods, and Cybersecurity industries. Expansive technical skill set and knowledge of mainstream and leading edge technologies to deliver a broad range of business enhancing technical solutions. Results driven with a focus on continuous improvement and IT process automation.
