Safeguard
Best Practices

What is a VPN

A plain-English breakdown of what a VPN is, how it encrypts traffic, and why VPN gateways have become one of the most exploited attack surfaces in enterprise networks.

Michael
Cloud Security Architect
7 min read

A VPN, or virtual private network, is a system that routes your device's internet traffic through an encrypted tunnel to a remote server, masking your IP address and shielding data from anyone monitoring the network in between. Corporations have used them since the mid-1990s to let remote employees reach internal systems as if they were plugged into the office LAN; consumers use them to hide browsing activity from ISPs and to bypass geographic content restrictions. The core technology relies on tunneling protocols — IPsec, OpenVPN, or the newer WireGuard — that wrap your traffic in an encrypted layer before it leaves your device. But a VPN is not a silver bullet: it protects data in transit, not the endpoints on either end, and the VPN gateway itself has become one of the most exploited pieces of infrastructure in enterprise networks, with dozens of critical CVEs disclosed against major vendors since 2019.

What is a VPN and how does it actually work?

A VPN works by establishing an encrypted tunnel between your device and a VPN server, then routing all your traffic through that tunnel so intermediate networks — your home Wi-Fi, your ISP, a coffee shop hotspot — see only encrypted packets addressed to the VPN server, not your final destination. The client on your laptop or phone negotiates a shared encryption key with the server using a protocol such as IKEv2/IPsec or WireGuard's Noise protocol framework, then encapsulates your normal IP packets inside new encrypted packets. The VPN server decrypts them, forwards them to the internet (or to an internal corporate resource) on your behalf, and relays responses back through the same tunnel. This is why your traffic appears to originate from the VPN server's IP address rather than your own. Enterprise deployments add authentication layers — often RADIUS, LDAP, or SAML — so the VPN concentrator can verify identity before granting network access, which is exactly the point in the chain that attackers have targeted most aggressively over the past five years.

How does a VPN protect data in transit?

A VPN protects data in transit through symmetric encryption negotiated at tunnel setup, typically AES-256-GCM for the data channel and either RSA-2048/ECDSA or WireGuard's Curve25519 for key exchange. Once the tunnel is up, every packet is encrypted before it leaves the device and decrypted only at the VPN endpoint, so a passive attacker sniffing traffic on an untrusted network — say, a hotel Wi-Fi network with no WPA2 password — sees only ciphertext. This defeats man-in-the-middle attacks that rely on packet inspection, and it stops ISPs from logging plaintext DNS queries or HTTP requests. It does not, however, protect against malware already running on the endpoint, phishing that steals session cookies after the tunnel is established, or a compromised VPN gateway itself — which is precisely the failure mode behind incidents like the January 2024 Ivanti Connect Secure compromise (CVE-2024-21887 and CVE-2023-46805), where attackers chained an authentication bypass with a command injection flaw to plant webshells on more than 2,100 internet-facing appliances before a patch was available.

What are the main types of VPN, and which one applies to your organization?

The two main types are remote-access VPNs, used by individual employees connecting from home or on the road to a corporate network, and site-to-site VPNs, used to permanently link two office networks or a data center to a cloud VPC over the public internet. Remote-access VPNs are what most people mean when they say "VPN" — a client app on a laptop connects to a gateway appliance like a Cisco AnyConnect, Palo Alto GlobalProtect, or Fortinet FortiGate concentrator. Site-to-site VPNs, by contrast, run continuously between network devices with no per-user client, commonly using IPsec in tunnel mode, and are how many enterprises connect branch offices to AWS or Azure without routing traffic over the public internet unencrypted. A third category, SSL/TLS-based VPNs (sometimes called "VPN portals"), lets users reach specific internal web applications through a browser without installing a full client — Pulse Secure and Citrix Gateway both offer this mode, and it was the exact surface exploited in the widespread 2019-2021 Pulse Connect Secure attacks (CVE-2019-11510), which the NSA and CISA later confirmed nation-state actors used to harvest credentials from more than 24 agencies and companies before patches were applied.

Why has VPN infrastructure become such a high-value attack target?

VPN infrastructure has become a high-value target because it sits at the network perimeter with privileged access to everything behind it, so a single unpatched appliance can hand an attacker a foothold across an entire internal network. CISA's Known Exploited Vulnerabilities catalog lists more than 30 VPN-related CVEs added since 2021 across Ivanti, Fortinet, Citrix, SonicWall, and Cisco products, and several — including CVE-2022-40684 in FortiOS and CVE-2023-27997 ("Xortigate") in FortiGate SSL-VPN — were being actively exploited in the wild before public disclosure, giving defenders zero days of advance warning. The pattern is consistent: these appliances run closed-source, infrequently patched firmware, are internet-facing by design, and grant broad network access once authenticated, which is why ransomware groups like Akira and LockBit have repeatedly listed unpatched VPN gateways as an initial access vector in their own affiliate recruitment materials. A single CVE in a VPN concentrator carries more blast radius than almost any other class of vulnerability precisely because the product's job is to be the front door.

How is a VPN different from Zero Trust Network Access?

A VPN grants broad network-level access to everything behind the gateway once you authenticate, while Zero Trust Network Access (ZTNA) grants narrow, per-application access and re-verifies identity and device posture continuously rather than once at login. Traditional remote-access VPNs put you "on the network" — from there, lateral movement to any reachable host is often just a matter of the attacker's next step, which is why the Colonial Pipeline ransomware attack in May 2021 started with a single compromised VPN credential with no MFA and escalated into a shutdown of fuel supply across the U.S. East Coast. ZTNA architectures, popularized by vendors like Zscaler and Cloudflare Access starting around 2019, instead broker access to individual applications through an identity-aware proxy, so a stolen credential or session token exposes one resource, not the whole subnet. Gartner projected in 2023 that 60% of enterprises would phase out remote-access VPNs in favor of ZTNA by 2025, largely driven by exactly this blast-radius difference. VPNs aren't disappearing — site-to-site use cases remain standard — but the "VPN as a security boundary for people" model is being replaced.

How Safeguard Helps

Safeguard focuses on the software supply chain risk that sits behind the VPN, not the tunnel itself: once code and dependencies are inside your perimeter, Safeguard's reachability analysis determines whether a vulnerable VPN client library, SSH library, or TLS stack bundled in your applications is actually invoked in a code path an attacker could reach, cutting through the noise of CVEs that look critical on paper but are unreachable in practice. Griffin AI, Safeguard's investigation agent, correlates newly disclosed CVEs like the Ivanti and Fortinet flaws above against your live SBOM inventory within minutes of public disclosure, flagging exposed components before they reach a KEV listing. Safeguard ingests SBOMs from CI/CD pipelines or generates them directly from source and container images, giving security teams a continuously updated map of every dependency across every service. When a fix is available, Safeguard opens an auto-fix pull request with the patched version and a reachability-backed justification, so remediation ships as fast as the vulnerability is confirmed exploitable — turning the same speed advantage attackers get from zero-days into a defensive one.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.