To keep us connected, our smartphones constantly switch between networks. They jump from cellular networks to public Wi-Fi networks in cafes, to corporate or university Wi-Fi networks at work, and to our own Wi-Fi networks at home. But we rarely have any input into the security and privacy settings of the networks to which we connect. In many cases, it would be tough to even figure out what those settings are.
A team at Northeastern University is developing personal virtual networks to give everyone more control over their online activities and how their information is shared. Those networks would allow a person’s devices to connect to cellular and Wi-Fi networks—but only on their terms.
The personal virtual network (PVN) evolved from the idea that users should be able to specify their own security and privacy controls.
“We're roaming around, we're constantly connecting to other networks or to cell network providers, and they don't let us configure the network in ways that we want,” says David Choffnes, an associate professor of computer science at Northeastern University. “Or you go to an airport Wi-Fi or a cafe Wi-Fi and who knows what they're doing with your network traffic.”
There are ways to protect your privacy in these situations, but they often require consumers to make changes to the device’s software. Choffnes studies Internet services built on top of existing networks. Such services might, for example, check if the network provider is throttling Internet traffic or if an app is sharing a user’s data without permission.
Now, Choffnes wants to make a tool that operates inside the network itself, and allows users to define parameters such as validating Transport Layer Security (TLS) certificates, running a malware scanner, and blocking third-party trackers. In 2018, the National Science Foundation awarded Choffnes a five-year grant to design the new architecture to support PVNs.
A mobile device with a PVN would ask the network provider to create a tunnel from the device to the provider’s servers—and all online activity would occur within that virtual environment. The network operator would use a configuration file stored on the mobile device to create the virtual environment to the user’s specifications on top of the existing network.
When the user moves out of range of that network and connects to another one, the device would set up a new virtual environment on top of the new network, using the same settings. “It’s a virtual network that is yours. It is attached to you. You actually can bring it along with your mobile device,” Choffnes says.
PVNs rely on software-defined-networking (SDN) to create networks on-demand, isolate workloads, and handle load distribution. With software-defined networking, operators define rules to evaluate the type of traffic flowing through the network and to perform specific actions to optimize how that traffic is being routed.
Software-defined networking isn’t a perfect fit for PVNs yet, though, as the network (and underlying hardware) has to be able to allocate resources to individual networks such that the demands of maintaining one PVN doesn’t impact others on the network.
PVNs are “in line with the SDN philosophy, but it pushes the boundary of what traditional SDN is,” says PJ Kirner, CTO and co-founder of cloud security company Illumio.
For example, software-defined networking lets operators set up a corporate network with a set of configuration rules that apply to all users. PVNs, on the other hand, sets up a different network for each user, each with their own settings. A single ISP can have millions of simultaneous users—so that’s a lot of potential networks, each with different requirements. SDN isn’t currently designed to handle that kind of scenario.
“Scale problems are always hard problems to solve,” says Kirner. “Sometimes that requires architecting and rethinking things.”
Choffnes and Shuwen Jethro Sun, a PhD student, have spent the past year and a half researching new tools and methods to scale SDN without creating any bandwidth or resource bottlenecks. PVNs can potentially handle tasks such as validating Transport Layer Security certificates, performing packet inspections, and caching website content. But it’s not possible to know beforehand just how much bandwidth any PVN will need, as it depends on what the user wants to do.
“We need to develop new models of PVN workloads and better understand how to dynamically adapt to their changing demands on the network,” Choffnes says. “We need to develop systems that manage this complexity, ensuring that PVNs are deployed correctly and do not harm the host network.”
It’s early days for the personal virtual network but Choffnes says the goal is to get the project to a point where he can approach ISPs such as Comcast about testing on their networks during the next academic year. Customer pilots are still a long way off, as initial testing would be on non-production traffic, in a separate environment.
More funding could potentially speed the time to deployment, originally estimated at five years from the time the NSF grant was awarded in 2018. “We’re in a place where having one or even two more people working on this could take that timeline of five years and bring it down to the three to four [years] range,” Choffnes says.
Either way, PVNs won’t have to be widely adopted by network operators to prove useful. Even if only some providers offer them, users will benefit when they’re on those networks and their devices will still function when they switch away. But deploying PVNs on any network will take time. “It really is going to be an incremental process,” says Choffnes.