Firewalls, in their most basic form, protect systems and network by limiting access to (and from) source and destination addresses and ports. By doing this, they limit the external attack surface, so it is much easier to protect systems and networks. Think of this as a castle with only a front and back gate, versus an open-air tent.
Modern firewalls are much more sophisticated and can verify that protocols are not being abused, block malicious websites, restrict access to trusted sources, and identify and block traffic. Think of this as adding armed guards with biometric scanners and traps to the castle gates. (Read also: How to Build Network Architecture That Facilitates Better IT.)
VPNs (virtual private networks) on the other hand, are virtual networks set up to protect traffic on unprotected networks. The internet, by design, is an unprotected network. And this lack of protection is a driver behind much of the security innovation we’ve seen in the last fifty years. However, unprotected traffic can be collected and analyzed anywhere along its route and used in ways one may not expect. To mitigate this risk, companies often require employees to connect to their networks using a VPN to prevent attacks on their assets and intellectual property. Think of this as a King wearing armor and surrounded by his knights as he travels to his castle.
While organizations have been the primary VPN users since the 1990s, their usage has begun to wane due to the advent of remote work caused by COVID-19, reducing the need for corporate offices and networks. However, there has been an explosion in personal VPN use in recent years driven by privacy concerns, unsecured open Wi-Fi access, platform geo-restrictions, targeted advertising, and government censorship. VPN services mitigate these concerns by providing internet access for only the protected network at a trusted destination. (Read also: Considering a VPN? Make the Right Choice for Your Needs.)
When should you not use a VPN?
A VPN can be used to protect legal activities but can also be used to hide illegal or questionable activities. For example, bypassing geo-location restrictions, like those used by Netflix and other streaming services to restrict access to protected content, is illegal in many countries. They can also hide malicious activities like hacking attempts, including identity theft, ransomware, denial of service attacks, and more pressing concerns like cyber warfare.
Do I need a firewall if I have a VPN?
In short, VPNs and firewalls perform two distinct functions. VPNs protect data and identity as it transits unprotected networks, like the internet, and firewalls protect networks and systems from attack. The answer to the question, ‘Which one should I use?’ is both.
If necessary to start one with rather than the other, choose the firewall first. If networks and systems are compromised, it won’t make a difference if data identity is protected in transit. Build the castle to protect those inside, but don’t forget to put on armor when visiting friends.