[NA]VPN security how it works[NA]

Discussion in 'Technical Corner' started by Let'sgoflying!, Nov 14, 2019.

  1. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    17,421
    Location:
    west Texas
    Display Name:

    Display name:
    Dave Taylor
    So I have a laptop I use to access the work server over the internet.
    It does so with a 'VPN tunnel' (w'er t.h. that is)

    It works fine, that's not my question.

    When I am traveling, my IT guy says if you want to use that laptop to surf (find restaurants or hotels or sites to see is usually what it is), it is safer to connect the laptop VPN to the server.

    I am thinking, why would I want to have the laptop directly connected to the server when I am a hotel or airport???
    That sounds like it is asking for trouble.
    If I don't connect to the server, a bad guy is going to have a harder time to access the server!
    I say leave it disconnected and surf.

    There is something I am missing here.

    Laptop Dell Win10Pro
    Server Win 2012R8(?)
    Bitdefender on all devices
     
  2. asicer

    asicer En-Route

    Joined:
    Jan 1, 2015
    Messages:
    4,697
    Display Name:

    Display name:
    asicer
    Virtual Private Networking encryption is considered virtually strong enough that when it's on, your laptop is virtually behind the company firewall. If you feel that you are safer on the coffee shop WiFi than behind the company firewall, then I suppose the point is moot.
     
  3. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    17,421
    Location:
    west Texas
    Display Name:

    Display name:
    Dave Taylor
    So despite the server now being connected to the airport wifi with dozens of other unknown, likely-nefarious characters, the server has more protection from harm...than if I left it uninvol ed, at home cranking away privately.

    I am not sure what you mean by the point being moot, as moot means it is debatable.
     
  4. Shuswap BC

    Shuswap BC Pre-takeoff checklist

    Joined:
    Oct 27, 2019
    Messages:
    412
    Location:
    Mabel lake BC
    Display Name:

    Display name:
    Shuswap BC
    If worried about security issues while out, you may also turn your cellphone into a hot spot, and use the data plan from that to your laptop. Somewhat more secure than public wifi, just at the cost of data, and others in close proximity may find your hotspot as well and piggyback off of it.
     
    Let'sgoflying! likes this.
  5. jsstevens

    jsstevens Final Approach PoA Supporter

    Joined:
    May 18, 2007
    Messages:
    5,150
    Display Name:

    Display name:
    jsstevens
    Your laptop is safer connected via VPN. The server is fine either way.
     
    Let'sgoflying! likes this.
  6. denverpilot

    denverpilot Tied Down

    Joined:
    Nov 8, 2009
    Messages:
    51,555
    Location:
    Denver, CO
    Display Name:

    Display name:
    DenverPilot
    By connecting to the WiFi you’re encrypting once. And once on that WiFi depending on how it’s configured, you’re also visible to everyone else on it. It’s like plugging into the same hub so to speak. The proper setup is to not allow clients to see each other but that’s often missed by public WiFi.

    In addition connecting to OPEN WiFi that has NO encryption is insanely bad. This means a snoop doesn’t even have to join the WiFi to read all of your data. Just pick it off with a cheap radio dongle.

    There’s even ways for a nefarious person to hijack your session away from you (say after you logged into some non-SSL site) or get in between you and whatever you’re connected to with Man-in-the-Middle or MitM attacks.

    Most of the above is trivial. The code to do it is already written and a ten year old can download and play with it. The bad guys are far more advanced.

    Meanwhile...

    If your office/server VPN is set up correctly to encrypt ALL traffic and send it to the office and then out to the Internet from there, you avoid ALL of the above. A hijacker can’t (easily) steal an encrypted session to your server nor MitM it *if* it’s set up correctly and the VPN protocol doesn’t have any security flaws that need patching.

    If instead your VPN is set up “split tunnel” where traffic for the office goes over the VPN but regular internet traffic goes out normally, then you’re still vulnerable to a number of attacks including some listed above. But it’s “more convenient” if your machine can’t get to the office.

    Your IT guy is basically making life simple. Instead of listening off the hundred ways you can be screwed on public WiFi, he’s saying “just get on the VPN” which kills 99% of it by making you either impossible to attack, or a lot less likely target than the idiot next to you who connected to an open WiFi called “Airport WiFI” that is actually an attacker with his wireless card in AP mode sitting three feet away from you in the airport.

    Windows actually has hooks that can be set to require a VPN be active prior to even logging in, and some VPN client software (including the built in IPSEC client) can be forced to do it. Some companies have to operate that way to meet their security audits. Macs don’t do this well, without third party software. If even then really.

    Some companies won’t allow staff to use their own laptops for travel anymore. They take a loaner that has VPN and remote access software only and no data leaves the building. The laptop is wiped and reloaded after the trip. Especially true fir international travel where US Customs is essentially exempt from search and seizure laws for even Cirizens. Go ahead, seize or copy the whole laptop. There’s nothing on it.

    All depends on how valuable your data is.

    But VPN on someone else’s WiFi that is not split-tunnel is mandatory for many. And if there’s no route to your VPN server then you’re dead in the water but your data is safe.

    The contingency plan that works best is a cellular hotspot. Then only your carrier, the NSA, and whoever has hacked the carrier has access to your data stream. And again the VPN helps with all of those also.

    DEFCON has had the huge “Wall of Sheep” displaying any attendees or innocent bystanders silly enough to connect to open WiFi at a security conference, going on almost twenty years now... :) Don’t do it.

    By the way these fly by night “Cloud VPN providers” are crap. Recently one used massive marketing money to plaster nearly every tech YouTube channel with their advertising and got tech YouTubers to day their product was just lovely by giving them cash.

    NordVPN. Guess who should have spent more on auditing their data centers instead of Marketing? Yeah. They were completely owned by another tenant in one of their shared data center facilities. Which says more about NordVPN than their data center provider but does say something about the provider as well as them.

    Remember kids: “The cloud is just someone else’s computer...”

    Stick to a brand name that has something real to lose in the overall security sector if you have to use someone else’s VPN server. Better yet, use your own.

    I would add that I don’t recommend using any built in VPN server software in any Microsoft server platform nor exposing those to the web because of their horrid track record with L2TP vulnerabilities being an indication that OS makers make lousy security software, but configured right they’re “meh, okay”, as long as that is NOT a server doing anything else but remote access.

    Even then, real security brands and products from networking and security companies are going to generally be better.

    Or just use something better like OpenVPN if you have no $ for basic security.

    Nothing is perfect. But there’s no point in joining the crowd on the Wall of Sheep! ;) Let someone else take one for the team. Hahaha.

    Oh ... and since the advent of letsencrypt.org there has been NO reason for every public website to do https by default. None.

    If you run a public website go install a letsencrypt SSL certificate, learn how to auto-Renew it and redirect all http requests to https. Today. :)

    You can really mix up your threat vectors. Run a VPN server of your own inside of someone else‘s computer. (Cloud... LOL...)

    And of course it’s been proven time and again most companies are far more vulnerable to someone dropping a USB stick that says “Let me know what you think” signed by the boss, on any desk in the company. LOL. Instantly owned. Entire network.
     
  7. Capt. Geoffrey Thorpe

    Capt. Geoffrey Thorpe Touchdown! Greaser!

    Joined:
    Jun 7, 2008
    Messages:
    11,793
    Location:
    DXO124009
    Display Name:

    Display name:
    Light and Sporty Guy
  8. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    17,421
    Location:
    west Texas
    Display Name:

    Display name:
    Dave Taylor
    One thing I think I need to have clarified;
    When I am surfing, should I be doing it on my laptop, ie using the browser I have as I usually do?
    Or, the other way to surf would be to log onto the server desktop and use the browser there?
    Which is the method meant to be used, which is safer?
     
  9. RussR

    RussR Cleared for Takeoff

    Joined:
    Jan 12, 2011
    Messages:
    1,399
    Location:
    Oklahoma City, OK
    Display Name:

    Display name:
    Russ
    I am not an IT guy.

    But it seems like your question is asking the wrong thing - you're wondering if connecting and surfing via the VPN is more risky for the server. But people hacking into the server isn't the normal concern when you're in the hotel. Instead, it's that YOUR LAPTOP itself is easier for them to access when you're NOT on the VPN.

    So, connecting to the VPN protects your laptop from unauthorized access. The server is already well-protected (hopefully).

    IT guys will gladly correct me if I am wrong, but it seems to me like you were worried about the wrong part of the security issue.
     
    IK04, Half Fast and jsstevens like this.
  10. denverpilot

    denverpilot Tied Down

    Joined:
    Nov 8, 2009
    Messages:
    51,555
    Location:
    Denver, CO
    Display Name:

    Display name:
    DenverPilot
    If you’re on the (properly configured) VPN, either is fine, assuming both have some sort of anti-virus/anti-malware on them for casual surfing.

    Even big websites have had their customers hit by garbage distributed by their advertising affiliate link networks. Bad guys injected nasty ads that had malicious code in them then let the big websites do their distribution for them...
     
  11. denverpilot

    denverpilot Tied Down

    Joined:
    Nov 8, 2009
    Messages:
    51,555
    Location:
    Denver, CO
    Display Name:

    Display name:
    DenverPilot
    Correct. And once the laptop is compromised it brings the nasty stuff back home. Either via the VPN or plugged in when back at the office.

    The VPN just connects you in a secure way back to the office network. It defends against silliness on whatever network you’re on.

    It doesn’t defend at all against browser attacks. Doesn’t matter if split tunnel or not either. Go to bad website via the local (WiFi) network [split tunnel] or network routed thru your office internet connection [all traffic thru VPN] if the browser is vulnerable, it’s vulnerable.

    Local antivirus and antimalware (hopefully) stops that.

    And if the office is big and clueful (and spent a lot of money on it) they MIGHT be blocking bad websites if you’re going out their internet connection. This can be done on the cheap by blocking DNS lookups for known bad websites or in expensive setups the browsers can be forced to proxy and even have fake ssl certificates loaded in them so the office essentially does a man in the middle “attack” and reads all traffic including SSL traffic.

    The SSL intercept stuff is usually only seen at very large and wealthy organizations because it needs to be “smart”. Most keep lists of things they should NOT be looking at, like employees accessing bank accounts, and these dynamically updated lists make sure NOT to do man in the middle on that sort of thing.

    Or... the company just has you sign that they can look at ANYTHING and you’re better off doing your banking on your cell phone on the non-company monitored network.

    Tons of ways to skin this cat. None perfect. All easily bypassed. And some more effective than others...

    All it takes is money, and a knowledge of what i you want to defend against. We don’t do much filtering of where people go and such, but policy would indicate that if you drag malware from a porn site into the network, you’re going to be talking to your boss about why you should keep your job. LOL.

    We know where people surf to. We don’t care much or have time to watch logs or reports on it too much. But the tools are there to see if you’re surfing porn. And the tools are there to know if you’re using a VPN to go to your HOME network to surf porn from your laptop at the office. Hahaha.

    It’s all a silly game to pretend the root problem isn’t the OS and browser. They’re both always full of Swiss cheese holes that bad guys find occasionally before the good guys do.

    We’ve had one ransomware virus get past the usual server side lines of defense and tried to infect and exploit one machine this year (the anti malware stopped it) and one malware infection by a user installing crap into their browser from the internet. That’s with multiple lines of defense.

    The garbage always gets in through something, eventually. Two a year isn’t too awful. Especially since the last line of defense, the anti virus and anti malware did their jobs.

    The ransomware was even smart enough to copy itself to all connected remote network file systems attached to the machine that got hit. All sorts of alarms went off then! Cleanup took maybe ten minutes with the right tools, files got quarantined, etc. That sneaky bastard ransome wear was a drieivafive of a common one, but it already knew to rename itself as it copied itself around. Nasty stuff.
     
  12. wsuffa

    wsuffa Touchdown! Greaser!

    Joined:
    Feb 22, 2005
    Messages:
    22,378
    Location:
    DC Suburbs
    Display Name:

    Display name:
    Bill S.
    One doesn't need to be big to do either website blocking or SSL intercept. Website blocking is included in even low end UTM devices by the like of Sonicwall, FortiNet and others. Likewise SSL intercept capability. All one has to do is pay the annual subscription cost and turn the function on. (And install a certificate for SSL intercept). That's $200-400 for the box, and a couple hundred per year for the subscription. And you get VPN endpoint as part of the deal (SSL-VPN is easy setup, IPSEC tends to be harder).

    Heck, even antivirus programs like Eset do an SSL intercept when running on a local computer and auto-install the certificate (click and see who issued the certificate in the browser to see if it's an Eset certificate). Yes, it's a bit better in terms of corporate snooping than firewall MITM on the SSL connection, but it still opens a hole.

    So 'clueful', yes. 'Large' - not necessary.[/QUOTE]
     
  13. Hang 4

    Hang 4 Line Up and Wait

    Joined:
    Aug 18, 2017
    Messages:
    601
    Display Name:

    Display name:
    Hang 4
    Think of the VPN as protecting the connection between your laptop and the server. When you are browsing, the server is doing the protecting. The server should have very robust protection, far better than your laptop by itself.

    Now if you have a proclivity to browse more "mature" sites, then you are sharing your interests with your company :)
     
    Let'sgoflying! likes this.
  14. Ravioli

    Ravioli Final Approach

    Joined:
    Dec 1, 2014
    Messages:
    6,992
    Location:
    Fort Worth
    Display Name:

    Display name:
    Pasta Man
    I only VPN to get to the required internal network stuff.

    Most companies who have invested in VPNs also put put virus stuffs on all their boxes.

    For general surfing, don't use VPN. You want Pornhub dot com showing up in your VPN traffic?
     
  15. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    17,421
    Location:
    west Texas
    Display Name:

    Display name:
    Dave Taylor
    Ah but the reason I am concerned about the SERVER is that it has much, much more valuable stuff on it than the laptop.
    The LAPTOP is throwaway. If it got hacked and locked up or bricked, I would not care.
    However I REALLY did not want to open a pathway to the server that did not exist before....especially one from known risky places...like the hotel I am in this moment, on their wifi (with VPN connected).
    I hope you can see my reasoning.
    Thanks!
     
  16. asicer

    asicer En-Route

    Joined:
    Jan 1, 2015
    Messages:
    4,697
    Display Name:

    Display name:
    asicer
    That's the whole point of a properly configured VPN. All network traffic in and out gets routed through the tunnel. When the VPN is on, your laptop is virtually in your office. It is virtually non-existent to any other device in the hotel or coffee shop.
     
  17. EdFred

    EdFred Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 25, 2005
    Messages:
    24,286
    Location:
    Michigan
    Display Name:

    Display name:
    Ed Frederick
    What about the connection to the VPN though? Airport wifi, etc...
     
  18. Justin M

    Justin M Pre-takeoff checklist

    Joined:
    Oct 23, 2016
    Messages:
    378
    Display Name:

    Display name:
    JM
    Many VPN solutions employ split tunneling. However, turning it (split tunneling or ST) off forces all browsing through the corporate HQ IT protection systems. When you browse, your connection is sent encrypted to work, where the firewall at work sends out the web browsing. The firewall blocks viruii, malware and other bad stuff. It also probably has botnet protection which blocks browsing to known nefarious command and control servers on the internet. It may do certificate checking to insure your encrypted connections with a website is properly signed and encrypted. IT may also use the VPN to confirm your local end-point protection (e.g. antivirus) is on and working.

    Edit: Ack Phooey. I thought this was new content, but someone beat me to it.
     
    denverpilot likes this.
  19. SCCutler

    SCCutler Administrator Management Council Member PoA Supporter

    Joined:
    Feb 27, 2005
    Messages:
    16,809
    Location:
    Dallas
    Display Name:

    Display name:
    Spike Cutler
    You aren't connecting through the VPN to do your internetting through the server (or need not be); you're using the VPN to route your Internet traffic through your Internet connection at the VPN. The main purpose is to ensure that all of your traffic through the public WiFi is encrypted and, thus, not subject to easy interception and malicious exploits. Using the VPN should not create greater exposure; only lesser.
     
    Let'sgoflying! likes this.
  20. denverpilot

    denverpilot Tied Down

    Joined:
    Nov 8, 2009
    Messages:
    51,555
    Location:
    Denver, CO
    Display Name:

    Display name:
    DenverPilot
    [/QUOTE]

    One could argue that a number of those low dollar implementations are done horribly. Like the SonicWalls. They’ll happily show the employer the employee bank account. That’s done - wrong.

    Doing it right requires way more work than Dell will ever put in. They’re not a security company and don’t really have a reason to do security right. They’ll just chuck garbage out cheaply to help companies “check the security auditor boxes”.

    And I’m not completely against SonicWalls. They do some stuff as well as say, Chekpoint or Palo Alto or other purer play security firms, but not SSL intercept. It’s garbage.
     
  21. asicer

    asicer En-Route

    Joined:
    Jan 1, 2015
    Messages:
    4,697
    Display Name:

    Display name:
    asicer
    The VPN adds enough encryption to be considered secure.
     
  22. denverpilot

    denverpilot Tied Down

    Joined:
    Nov 8, 2009
    Messages:
    51,555
    Location:
    Denver, CO
    Display Name:

    Display name:
    DenverPilot
    You have a valid point if the laptop isn’t properly protected ON the laptop AND the network at the office is not WATCHING for bad behavior from the laptop.

    You can NOT use a single technology to properly protect inherently insecure operating systems. It is simply not possible.

    Common sense would indicate that people would demand secure operating systems as the best line of defense, but they don’t. People are cheap and got used to cheap OSes.

    That and truly secure OSes are an utter pain to work with and require massive amounts of planning. They do exist. Every single file needing explicit permission to be accessed by specific people on specific machines, etc. And nothing whatsoever executes on a processor unless it is explicitly allowed and not by file name but by file hash... if the file changes even a single bit, it will not run.

    Truly secure computing IS possible within the limits of the control processes put around the people using said software and their inevitable mistakes. But it is done by a small handful of organizations. Many deal with defense or similar.

    They don’t run Windows or Mac OSX. And the stuff they do run has had a line by line audit of the code. LOL.

    Meanwhile back in the real world where OSes are essentially free... we all pretty much get what we paid for.

    With reasonable defense measures (multiple) and more importantly policies with teeth behind them where someone will lose a job for various risky things on company systems, you’re a smaller target than the person who paid zero attention to it and runs their business letting GeekSquad clean their machines of crud and selling them the latest and greatest McAfee every time they come in. LOL.

    But to your point... no, never connect a laptop with zero protection from malicious software to your company network, ever. VPN technology can’t fix stupid. LOL. It’s Windows for gosh sakes. It’s been hacked how many times? Same with Mac even though Mac fans won’t admit it.

    The OS is better than Windows perhaps but the crap attacks BROWSERS these days. And there isn’t a secure browser configuration out of the box and rarely do companies ever lock down browsers that tightly. It makes them fairly unusable.

    Generally speaking though, accessing files through a VPN is innocuous. At worst your machine will copy a naughty file on to the server. The file has to be somehow EXECUTED on the server to harm it.

    What your VPN connected laptop MIGHT do that can be more effective is attack a server’s OS directly say, thorough a vulnerable service that any laptops IN the office could also do. That’s what protection software ON the server plus backups is designed to contain and perhaps recover from. Or even network aware scanning that sees naughty things happening to the server and alerts or even cuts off the laptop’s access to the server.

    All depends on the design and having multiple defensive tools. Even gets down to whether or not services are run on al servers and redundancy of servers themselves. Smaller shops with a single server doing everything are taking a higher risk that one of those services is vulnerable which could get the box and take down all of the services.

    Other strategies might be things like using open protocols and two different OSes to service them. It’s pretty easy to have a Windows and a Linux DNS server for example. Not as convenient, but almost impossibly low risk that both have the same vulnerability.

    And of course patching. Patching patching patching. Most vendors now schedule their security releases so they’re a known thing that needs to be done the same time every month, week, day... and then you get to build a strategy for roll back when the OS maker or application vendor sends a bad patch that blows up critical things.

    Security design CAN be fairly simple, but not “we installed a VPN she that’s all you need” simple. Because a VPN isn’t the right tool to defend the OS. It defends the network connection to somewhere. By doing so it can lower specific types of attack methods but by no means is it comprehensive. Just part of a larger plan.
     
  23. wilkersk

    wilkersk Pattern Altitude

    Joined:
    May 21, 2015
    Messages:
    1,568
    Location:
    Puget Sound
    Display Name:

    Display name:
    KennyW
  24. Heftiger

    Heftiger Pre-takeoff checklist

    Joined:
    Nov 13, 2013
    Messages:
    306
    Display Name:

    Display name:
    Heftiger
    Little point of clarification here.
    It looks like he’s establishing the VPN and then RDP to the “server”.

    Now just because your desktop says “Server 2016” doesn’t mean you’re actually on a server. If they’re using Windows Virtual Desktop it can be a virtual machine running a server OS but not actually running any services. And if this is the case the virtual desktop might even be blow away when you disconnect. In this case it’s safest to browse on the virtual desktop because even if it gets infected it’ll be deleted and a whole new virtual desktop will be created next time you connect.
     
  25. asicer

    asicer En-Route

    Joined:
    Jan 1, 2015
    Messages:
    4,697
    Display Name:

    Display name:
    asicer
    Although it hasn't always been this way, the major OS (Windows, Mac, Linux) and browsers of today are relatively secure compared to the humans using them IMHO.
     
    Matthew likes this.
  26. denverpilot

    denverpilot Tied Down

    Joined:
    Nov 8, 2009
    Messages:
    51,555
    Location:
    Denver, CO
    Display Name:

    Display name:
    DenverPilot
    Chrome had a complete remote root exploit this week. Or last. I forget. We had to push the patch mid-day to everyone.

    It’ll never end. It just looks “secure” for a little while.

    Because there’s no financial incentive to “finishing” software, especially software given away for “free”, although Chrome isn’t really free. They’re tracking everything to get paid through it. The Commercial version has better (but not good) terms of service and privacy over the consumer version.

    Same thing with GSuite. You’re a second class citizen when it comes to products and features on a GSuite account. But it’s because they promise not to do as much data mining of commercial users data.

    If you believe them. I don’t.

    One YouTuber seller shirts (ironic that he’s on a Google platform) that says “Google does not care about you.” LOL. Multiple possible meanings which is exactly how Google’s lawyers always talk. :)
     
  27. EdFred

    EdFred Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 25, 2005
    Messages:
    24,286
    Location:
    Michigan
    Display Name:

    Display name:
    Ed Frederick
    I still have unsecured between phone/laptop/tablet and the VPN. That's like locking the front door, but not actually shutting it. So what provides the protection between the device and the connection before it hits the VPN?
     
  28. Justin M

    Justin M Pre-takeoff checklist

    Joined:
    Oct 23, 2016
    Messages:
    378
    Display Name:

    Display name:
    JM
    The vpn protects data after it leaves the computer. We call this protection for data in transit. Since the VPN is secured software on your laptop, there is not much that can attack the computer before the data is encrypted for the VPN.
     
  29. asicer

    asicer En-Route

    Joined:
    Jan 1, 2015
    Messages:
    4,697
    Display Name:

    Display name:
    asicer
    Yeah but we're comparing that vulnerability to a human user, remember? How successful were you last time you tried to patch a human user? ;)
     
  30. -KLB-

    -KLB- Pre-takeoff checklist

    Joined:
    Sep 25, 2018
    Messages:
    303
    Display Name:

    Display name:
    -KLB-
    The browser and the user clicking the buttons are often the weakest point. A PC on the open internet can pick up malware that later attacks the server when VPN connected, or plugged in at the office. Or it can store sensitive data to be uploaded next time it is on the open internet. When connected through the VPN to browse the internet, there may be multiple layers of additional protections. Black holing IP addresses and DNS names known unsafe. Optionally blocking sites too new to have been reviewed by classification services, malware inspection, and other services that don’t exist on the laptop, or which could be bypassed if the malware had full control. So never browsing the internet without going through the corporate network can protect the corporate servers.
     
    Let'sgoflying! likes this.
  31. Jim_CAK

    Jim_CAK Line Up and Wait

    Joined:
    Jul 18, 2008
    Messages:
    521
    Location:
    Akron, Ohio
    Display Name:

    Display name:
    Jim_CAK
    Thanks to Nate @denverpilot and the others for sharing their expertise. My I.T. Understanding is 25 years out of date. I still wonder about the initial connect to the hotel wireless. I understand all your traffic is going through the VPN once logged on, but isn’t your machines IP address visible on the hotel network? I understand the protection the VPN provides when web browsing but isn’t the laptop vulnerable to some bad guy that is snooping the hotel wireless?
     
  32. wsuffa

    wsuffa Touchdown! Greaser!

    Joined:
    Feb 22, 2005
    Messages:
    22,378
    Location:
    DC Suburbs
    Display Name:

    Display name:
    Bill S.
    I've got no love for Dell. In fact, just got rid of my last Sonicwall product (pre-Dell) a few weeks ago. Good riddance.

    Right and wrong are a matter of opinion. There are security researchers that would advise to break ALL SSL connections, even banking, because nothing is trusted these days and a bank site can be compromised (friend of mine says some of the banking systems are really badly secured).

    Advise employees that everything can/will be monitored and go from there. Some big employers do that already - when I worked for big defense contractor, all SSL was broken & checked. Both security and data leak prevention. Employees were advised. And sometimes called on the carpet. You want privacy from employer? Use your own device. If it's their equipment & network & bandwidth, they set the rules. Heck, there are some big firms around here - including Big Law - that outright blocks a lot of that stuff.

    Small businesses do it for different reasons, but the same analysis applies. Their stuff, their rules. Besides, 99.99+ percent of small employers wouldn't know how to sniff the banking information anyway, much less want to do it.

    So I'm not really concerned (much) about a small company that uses a Sonicwall/FortiNet/other box with the UTM security subscription that brakes SSL, scans it for threats, and reassembles. As long as the box is set up properly to start with so it doesn't leak the broken code (or the admin login info) back to the Internet, and the employees are advised, then it's not all that troublesome.

    But YMMV.
     
  33. MuseChaser

    MuseChaser Cleared for Takeoff

    Joined:
    Feb 23, 2019
    Messages:
    1,037
    Location:
    Central NYS
    Display Name:

    Display name:
    MuseChaser
    No. Well... "vulnerable" has degrees, and EVERYTHING is vulnerable to some degree, but the VPN starts at your computer. After you connect using a VPN on your machine (laptop, tablet, phone, whatever) to the hotel/coffeeshop/aiport/whatever network, go to ipleak.net and run a test. If setup properly, you should see only the IP address of whatever VPN service you're currently using. You won't see the actual IP address of your laptop.
     
  34. Jim_CAK

    Jim_CAK Line Up and Wait

    Joined:
    Jul 18, 2008
    Messages:
    521
    Location:
    Akron, Ohio
    Display Name:

    Display name:
    Jim_CAK
    Thanks Muse. I guess I’m being dense here. I get that someone coming through the internet can only see the VPN address. I’m not understanding how someone else on the hotel WiFi can’t see the actual IP address the hotels dhcp server handed me.
     
  35. MuseChaser

    MuseChaser Cleared for Takeoff

    Joined:
    Feb 23, 2019
    Messages:
    1,037
    Location:
    Central NYS
    Display Name:

    Display name:
    MuseChaser
    There's folks already on this thread with LOTS more technical knowledge than I have..I won't pretend to understand exactly HOW it works. Try it at home sometime. Connect your laptop to your home network, but use a vpn on your laptop. Then try connecting to anything else on your home network, like a wireless printer for instance. You can't... you can't see it, and none of the other devices on your network will see you..because your laptop no longer appears to be ON your home network... it's now on another private network, or.......drum roll...Virtual Private Network. The work around is to place your VPN on your router (if it supports that function) so that the vpn is between your router and the internet instead of between a specific device and your router. I did that for a while, but it slowed things down too much for my taste and really tasked my router.
    Your VPN makes it appear to the outside world that you are not on the network you're physically (wirelessly or wired) connected to.
     
    Jim_CAK likes this.
  36. wsuffa

    wsuffa Touchdown! Greaser!

    Joined:
    Feb 22, 2005
    Messages:
    22,378
    Location:
    DC Suburbs
    Display Name:

    Display name:
    Bill S.
    Folks in the hotel will see the IP of your computer and its MAC address. The VPN builds a tunnel between your computer and a trusted endpoint. The software site between your computer operating system and the computers network adapter. Unless you operate in split mode (which is IMHO not the best way to operate), the only traffic the hotel folks can see is encrypted. Think of it as another layer in the network stack.

    Hotel DHCP and router will still see your adapter and handshake properly, but all the data will be encrypted.
     
    Jim_CAK and MuseChaser like this.
  37. MuseChaser

    MuseChaser Cleared for Takeoff

    Joined:
    Feb 23, 2019
    Messages:
    1,037
    Location:
    Central NYS
    Display Name:

    Display name:
    MuseChaser
    Thanks, @wsuffa . A much more precise and correct way of describing what is happening.
     
  38. Heftiger

    Heftiger Pre-takeoff checklist

    Joined:
    Nov 13, 2013
    Messages:
    306
    Display Name:

    Display name:
    Heftiger
    I configure the firewalls on my work laptops to only allow communications with our VPN public IP when not on the corporate LAN. So even on a public WiFi the laptop wont respond to any queries, even ping. It protects the laptop and forces the user to VPN if they want to access anything.
     
    Jim_CAK likes this.
  39. -KLB-

    -KLB- Pre-takeoff checklist

    Joined:
    Sep 25, 2018
    Messages:
    303
    Display Name:

    Display name:
    -KLB-
    As long as your VPN configuration has split tunnel turned off, once the tunnel is up, your computer should throw away any traffic to it that isn’t the tunnel, or in the tunnel. So you should be protected, as attack traffic to your local hotel IP would simply be thrown away. If you went direct, your computer could try to process any attack packets sent to it, only restricted by its locally configured protections.
     
    wsuffa likes this.
  40. Jim_CAK

    Jim_CAK Line Up and Wait

    Joined:
    Jul 18, 2008
    Messages:
    521
    Location:
    Akron, Ohio
    Display Name:

    Display name:
    Jim_CAK
    Thanks guys. That’s making more sense.