VPN security: how it works

I am on board with connecting the laptop to the server back home, via the VPN, in order to improve security (well, of the laptop).
So this brings up another question: why don't I just leave it on everywhere I use the laptop? Can anyone say those places are zero risk? If not, then perhaps I should.
And if the answer turns out to be yes, it might as well always be on.... Can a VPN be configured to automatically turn on any time I use the laptop? I.e., behind the scenes, where the user does not have to start it up each time? That would be useful.
 
I don’t know the implementation plan or enforcement, but I know some places are moving towards: any time a corporate laptop is on a network other than the corporate office, it is on VPN. Probably not automated, as users don’t always need network access, and the VPN requires active participation in the two-factor authorization. But at least if they aren’t securely connected through the office network, they aren’t connected to any unknown local network either.
 

Short answer: yes. Long answer: depends on the VPN.

Most commercial third-party VPN providers come with software that can auto-connect and prevent any internet traffic unless you are connected.

Most enterprise VPNs will not operate that way. Or at least I haven’t seen that. And you pretty much depend on their configuration and software.
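The "auto-connect and block everything else" behaviour described in the reply above can be built on a Windows 10/11 laptop with the built-in VPN client and Windows Firewall. The script below is an added example, not code from the thread or from any VPN vendor; the connection name, the endpoint address (a 203.0.113.x documentation address), and the use of an IKEv2 machine certificate are assumptions chosen so the tunnel can come up with nobody typing anything.

```powershell
# Added example, not code from the thread. Makes a Windows 10/11 laptop dial its
# VPN at every logon and keep retrying, and blocks all other internet traffic on
# Public/Private networks until the tunnel is up (a "kill switch"). Run from an
# elevated PowerShell. Connection name and endpoint address are placeholders.

$VpnName   = 'HomeOffice'      # assumed connection name; the RAS adapter gets the same alias
$VpnServer = '203.0.113.10'    # assumed VPN endpoint IP (an IP, not a name, so nothing has
                               # to be resolved through the hotel's DNS before the tunnel exists)

# 1. Machine-wide VPN profile: IKEv2 with a machine certificate, so a scheduled
#    task can raise it unattended. No -SplitTunneling, so once connected every
#    packet goes through the tunnel.
Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -AllUserConnection -Force

# 2. Dial automatically: rasdial at logon, then retry every minute. rasdial on an
#    entry that is already connected just reports that and exits.
$action   = New-ScheduledTaskAction -Execute 'rasdial.exe' -Argument $VpnName
$triggers = @(
    (New-ScheduledTaskTrigger -AtLogOn),
    (New-ScheduledTaskTrigger -Once -At (Get-Date) `
        -RepetitionInterval (New-TimeSpan -Minutes 1) `
        -RepetitionDuration (New-TimeSpan -Days 3650))
)
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "Dial $VpnName VPN" -Action $action `
    -Trigger $triggers -Principal $principal -Force

# 3. Kill switch: default-deny outbound on the Public and Private profiles (the
#    Domain profile, i.e. the office LAN, is left alone), then allow only what
#    is needed to bring the tunnel up plus anything that travels inside it.
Set-NetFirewallProfile -Profile Public,Private -DefaultOutboundAction Block

# DHCP, so the laptop can still get an address on the airport/hotel network.
New-NetFirewallRule -DisplayName 'KillSwitch: DHCP' -Direction Outbound -Action Allow `
    -Profile Public,Private -Protocol UDP -LocalPort 68 -RemotePort 67

# IKE (500/udp) and IPsec NAT-T (4500/udp) to the VPN endpoint, and nowhere else.
New-NetFirewallRule -DisplayName 'KillSwitch: VPN endpoint' -Direction Outbound `
    -Action Allow -Profile Public,Private -Protocol UDP -RemotePort 500,4500 `
    -RemoteAddress $VpnServer

# Everything that leaves through the tunnel adapter. Windows names the RAS
# adapter after the connection entry, so its alias equals $VpnName.
New-NetFirewallRule -DisplayName 'KillSwitch: tunnel traffic' -Direction Outbound `
    -Action Allow -Profile Public,Private -InterfaceAlias $VpnName

# Check: with the tunnel down this fails; bring it up and it succeeds.
Test-NetConnection -ComputerName 'www.example.com' -Port 443
rasdial $VpnName
Test-NetConnection -ComputerName 'www.example.com' -Port 443
```

Two design points worth knowing before copying this. The default-deny is scoped to the Public and Private profiles on purpose: plugged into the office LAN the laptop lands in the Domain profile and keeps working without the tunnel. And the unattended dial only works because authentication is a machine certificate; a VPN that insists on interactive two-factor, as in the enterprise setup described earlier in the thread, cannot be raised by a scheduled task this way, and the kill switch then simply leaves the laptop offline until the user dials.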
 
Don’t forget that connecting to your VPN endpoint back at the clinic is not the same thing as connecting to the server (unless the VPN is implemented within the server itself, which I doubt).
 

Many are, Spike. Because “Windows Server will do it all for you!” Which is horrid network security design... but waaaaay more common than you might think.

So your authentication for one is authentication for the other, even if you didn’t click on anything to actually OPEN the connection to the file server, or authenticate to it telling it you wanted to use it...

So anything in the background in your laptop has free rein to copy whatever it likes to the company file servers... which always works out ... grrrrrreat. LOL.

Sadly even in setups that use separate gear for VPN and say, file services, the advent of “single sign on” for “convenience” has essentially re-created the same problem on much more expensive setups. Ha.

It’s the old... If you’re not using a resource you shouldn’t be logged into that resource problem. But SSO logs you into everything! Yay. LOL.
 
I've got no love for Dell. In fact, just got rid of my last Sonicwall product (pre-Dell) a few weeks ago. Good riddance.

Right and wrong are a matter of opinion. There are security researchers that would advise to break ALL SSL connections, even banking, because nothing is trusted these days and a bank site can be compromised (friend of mine says some of the banking systems are really badly secured).

Advise employees that everything can/will be monitored and go from there. Some big employers do that already - when I worked for a big defense contractor, all SSL was broken & checked. Both security and data leak prevention. Employees were advised. And sometimes called on the carpet. You want privacy from your employer? Use your own device. If it's their equipment & network & bandwidth, they set the rules. Heck, there are some big firms around here - including Big Law - that outright block a lot of that stuff.

Small businesses do it for different reasons, but the same analysis applies. Their stuff, their rules. Besides, 99.99+ percent of small employers wouldn't know how to sniff the banking information anyway, much less want to do it.

So I'm not really concerned (much) about a small company that uses a Sonicwall/FortiNet/other box with the UTM security subscription that breaks SSL, scans it for threats, and reassembles. As long as the box is set up properly to start with so it doesn't leak the broken code (or the admin login info) back to the Internet, and the employees are advised, then it's not all that troublesome.

But YMMV.
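The break-and-inspect boxes discussed above work by re-signing every site's certificate with their own CA, which a managed laptop has been told to trust. The quickest way to see whether one is in the path is to look at who actually signed the certificate the laptop receives. The script below is an added example, not code from the thread or from any UTM vendor; it uses only .NET classes that ship with Windows, and the "trusted root thumbprint" is a value you record once from a network you trust (an assumption, shown as a placeholder).

```powershell
# Added example, not code from the thread. Fetches the certificate chain a site
# presents to this machine and reports whether it ends at the root you saw from
# a trusted network. When a UTM/proxy is inspecting TLS, the leaf is issued by
# the inspector's CA and the chain ends at that CA instead of a public root.
# Works in Windows PowerShell 5.1 and PowerShell 7.

function Get-TlsChain {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate at this step: we want to inspect the chain, not
        # let the OS decide (an inspector's CA is usually already trusted on a
        # managed laptop, so normal validation would pass anyway).
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate

        # Build the chain against the local store so the root is included.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($leaf)
        @($chain.ChainElements | ForEach-Object { $_.Certificate })   # leaf first, root last
    }
    finally {
        $tcp.Close()
    }
}

function Test-TlsInterception {
    param(
        [Parameter(Mandatory)][string]$HostName,
        # Thumbprint of the root certificate this host chained to from a network
        # you trust (placeholder; record it once, e.g. from home).
        [Parameter(Mandatory)][string]$TrustedRootThumbprint
    )
    $chain    = Get-TlsChain -HostName $HostName
    $root     = $chain[-1]
    $expected = $TrustedRootThumbprint.Replace(' ', '').ToUpper()
    [pscustomobject]@{
        Host           = $HostName
        Leaf           = $chain[0].Subject
        LeafIssuer     = $chain[0].Issuer
        Root           = $root.Subject
        RootThumbprint = $root.Thumbprint
        Intercepted    = ($root.Thumbprint -ne $expected)
    }
}

# Usage (the thumbprint below is a placeholder, not a real value):
# Test-TlsInterception -HostName 'www.example.com' -TrustedRootThumbprint '0000...'
```

Read the result as a prompt, not a verdict: sites do rotate CAs, so a mismatch means "look at Root and LeafIssuer", and an issuer naming your employer or the firewall vendor is the inspecting box. On a laptop that is going to be used on such a network anyway, running this once from home and once from the office is the cheapest way to confirm what the employee notice described above actually means in practice.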

Yeah we do the default disclaimer that we own the network and you’re on it, so we reserve the right to monitor anything... I think everyone does that these days. And it was once common sense anyway. Want privacy, buy your own machines and bandwidth...

But we, like many, don’t have time to watch it 24/7. There’s (**** poor, but better than nothing) software for that these days. And the occasional manual log audit. And flat out locking everyone out of stuff they simply don’t ever need to be in. That helps. LOL.

It’s such a silly game anyway. The vast majority of real big money takedowns on big networks have been through social engineering. One fun auditor who speaks regularly at DEFCON recounts the fun he had walking into multiple bank branches and just acting like he knew what he was doing and straight to the server rooms where he completely owned a multinational bank’s systems a few years ago.

People would help him out even. “Oh I seem to have locked myself out and if I don’t fix that router by five my boss will fire me!” LOL.

Plug in network sniffer or malicious USB stick and walk back to the car...

It would be a fun job really. He’s there at the behest of the top IT managers to see if their “security” works. He’s beaten almost all companies who’ve hired him without trying very hard and without any previous knowledge of their systems or setups.
 
Great discussion. My husband has the exact situation OP describes with the company VPN and his company laptop. However we want to get our own VPN and put all our personal devices on it, and I don’t know much about the choices.

I had a VPN years ago and got rid of it because I kept running into the problem of websites telling me “we can see you are on a VPN and hiding your real IP so you can’t play”. I figured that what I need is a VPN that hides me but also hides the fact that it is a VPN from the other end. Do the current ones today do that?

Also is the much advertised Norton Secure VPN a good one or do you guys recommend a better one?
 
Here's the simple answer:

If you are connected via the VPN and bad things happen, it is not your fault.

If you are not connected via the VPN and bad things happen, it is your fault.

Don't be that guy...
 
Great discussion. My husband has the exact situation OP describes with the company VPN and his company laptop. However we want to get our own VPN and put all our personal devices on it, and I don’t know much about the choices.

I had a VPN years ago and got rid of it because I kept running into the problem of websites telling me “we can see you are on a VPN and hiding your real IP so you can’t play”. I figured that what I need is a VPN that hides me but also hides the fact that it is a VPN from the other end. Do the current ones today do that?

Also is the much advertised Norton Secure VPN a good one or do you guys recommend a better one?
If you're talking about running your own VPN at home, several companies offer them. A SOHO unit will run under $500 including security subscription and software for laptops. Get one that uses SSL VPN or IPsec; many will do either.

If you want an outside service, the folks that run ProtonMail now have a VPN service. ProtonVPN. I'd trust them long before I trusted Symantec. There was a very damning review of Norton recently - though the reviewer recommended NordVPN, meaning Norton must be really, really bad.
 
> I am not sure what you mean by the point being moot, as moot means it is debatable.

I believe he means the second usage of moot.

Of little or no practical value, meaning, or relevance; purely academic.

e.g. “moot court” is a totally academic exercise in debate with no real-world consequences.

The poster was being a bit snarky in saying that if you have already made up your mind that a coffee shop WiFi is safer than a VPN then any discussion is pointless and merely an academic exercise.
 
One thing to remember about commercial outside VPNs. They see all your traffic. They often log it. And many of them are Chinese owned.

I use one when I need it.
 
> I figured that what I need is a VPN that hides me but also hides the fact that it is a VPN from the other end. Do the current ones today do that?
I installed OpenVPN on my home router. When I'm out and about, my device looks to the outside world like I'm at home.
 
What is after VPN?
I want that now.
Before VPNs' vulnerabilities are widely known and fully hacked.
 
FWIW, the company Private Internet Access (one of the commercial VPN providers) has just been bought by a company with a shady history. Reports indicate that that company has installers that put malware on computers (among other things). We don't know how they'll handle the PIA service going forward, but I don't think I'd be signing up with them at this point.
 
For those interested, Proton is having a once-a-year sale (up to 50% off for the ProtonMail and ProtonVPN bundle). Their email service provides for a fully-encrypted mail delivery. They also offer free, but limited, plans to either one.

I don't work for them, just a long-term user of their encrypted mail service.
 
After all that...
I battled with my credit card processor regarding PCI, some type of testing they require every quarter to make sure no one can hack into our system and steal credit card data streams (we don't store card numbers).
The process to become compliant takes days with the processor and my IT guy. If you don't, they fine you $250/yr and I get the liability if there is a breach (seems pretty silly for a small company like mine).

During this process, they decided the VPN tunnel I've had for years and discussed here was a huge liability! So I had to ditch it in favor of an RDP, whatever that is (not the acronym but the mechanics of it).
The RDP seems a bit faster and easier to connect.
However to protect the laptop while at an airport or hotel I have to RDP into my server and surf on the server desktop.
I'd be interested in your input on this development.
 

RDP is "Remote Desktop Protocol," and they can’t be saying they want you to connect via RDP without having a VPN to encrypt the data flow.

We have a hardware-based VPN in order to get access to the network, then run work on an RDP session, connecting through the VPN.
 

Wow! So that’s how the CC companies try to ditch the risk when the law forced them to take it off the consumer. They try to pass it on to the merchant.

Does this mean all internet merchants need to use a VPN or a RDP? I recently had my CC number stolen and had to get a new one. Then a few weeks later I got a letter from an online seller telling me their system had been hacked which I liked; they came clean. By contrast years ago Penney’s had a breach and didn’t tell us for three years.

Not that it matters, your number can be taken just about anywhere but it’s nice to know.
 
Is this your personal laptop, or a corporate laptop?

Is it ever plugged in on the office network?

The idea of using a RDP style connection makes some sense if it is the only way a laptop is allowed to connect to the corporate network. The various network based attacks from an infected laptop don’t work if there is no access to the ports and services they would attack. Of course this usually presumes a non corporate laptop that is never connected to the corporate network, and is up to the user to protect in general, and allowed to surf on its own. It is fairly difficult to exploit a network or server when your only connection is a screen session that a user is watching.
 
> Does this mean all internet merchants need to use a VPN or a RDP?

I got the VPN tunnel so that I could work remotely on my laptop.
I can be at home or in...Canada...etc and access the server desktop, from there work on files.
Not so sure everyone needs the VPN etc if they don't work remotely. My understanding is it just provides remote access.
 
> Is this your personal laptop, or a corporate laptop?

Its biz/personal. Corporate? See my mention of being a very small business, above.

> Is it ever plugged in on the office network?

Rarely is it physically connected via ethernet cable to the network.
Once I am in the tunnel to the server, does that constitute what you refer to as 'on the office network'? Not sure. I'd have to guess so, although I have never tried to access workstations. I can get the server to send a print job to any of the networked printers.
Thanks
 
Another vote for the ProtonMail/ProtonVPN folks.. been using their email service for years, based in Switzerland, and a great, very fast, very secure interface. Might switch over to them for VPN and the upgraded email eventually, but right now for a VPN I use AirVPN, and it's been very good; they have a total privacy/non-logging policy, speeds are quite good compared to others I've tried, and plenty of servers. I use the VPN whenever I'm on a network that isn't the one in my home. I don't ever access my home network when I'm out of my house.. perhaps overly paranoid, but so far I haven't found a real need to do it anyway.
 

The banks have simply figured out a way to make “security” a revenue stream. The “security” companies they hire to audit merchants, love them.

What they’re saying, is that they trust your office machine more than they trust your laptop that wanders networks.

As far as the RDP solution goes, it’s probably using the built in Microsoft encryption PLUS RDP. The RDP part is just Remote Desktop control of the office machine. It’s really the built in encryption of the RDP service that’s providing essentially the same security as a VPN for data in transit.

However, a full VPN opens up your entire office network to whatever nasties the laptop got when done wrong (no network isolation / limitations on what the laptop can access) and the RDP (if configured correctly) doesn’t.

Of course RDP also has file sharing and other things built in that have to be disabled for this to all apply.

PCI is a joke. But it’s the game we all have to play to process credit cards. Banks themselves don’t even implement it. They just require it of others. The internal practices of most banks would curl your toes. But they get to do as they please because they’re the ones eating the loss, ostensibly.

The super short version of the above is:

“Your laptop now connects only to a Remote Desktop session securely instead of connecting to your entire office network. We like that more.”

We did this differently. The accounting dept is completely isolated from the entire rest of the company. They bought software that processes their card transactions on a separate server from their main accounting server via secured tunnel between the two. Being on their network doesn’t give them any access at all to their server other than through the client software. They have no access to the database or anything else on that server. If they ask that server to process a payment it contacts the other server to do it. That second server lives at AWS and is completely separated from the other AWS resources also.

This meant they can have VPN access from whatever they want. They’re three completely blocked layers away from the card processor. Their VPN auth knows they work in accounting and still limits them to their little fully quarantined network. Even their file sharing and printers and WiFi VLAN are theirs.

I can think of ten ways to hack it. But it makes their PCI merchant auditor happy.

We have other things in place that add more security that their auditor doesn’t even care about. Even the admins can’t join their VLAN without all the senior admins knowing about it.
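Two points from the replies above can be shown concretely on the Windows Server side: a VPN client that can reach only the RDP port cannot push anything to the file shares even though its VPN login is also its file-server login, and RDP's own drive, clipboard and printer redirection has to be switched off for the "screen session only" argument to hold. The script below is an added example, not the thread's or any vendor's configuration; it assumes the server is a single Windows box that is both the VPN endpoint and the file server (the "Windows Server will do it all" setup described earlier), and the VPN client address pool is a placeholder.

```powershell
# Added example, not the thread's own configuration. Run elevated on the
# Windows Server that remote laptops RDP into. (a) Limits what a VPN client can
# reach on this host to the RDP port, so a laptop that brought something home
# cannot touch the shares; (b) hardens the RDP listener; (c) turns off the
# redirection that would otherwise let the session move files in and out.

$VpnClientSubnet = '10.8.0.0/24'   # assumed address pool handed to remote laptops
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# (a) Network: VPN clients may talk to 3389 and nothing else on this host.
#     In Windows Firewall a Block rule wins over any Allow rule, so one explicit
#     deny for every other port closes SMB (445), WinRM, SQL, etc. to the pool
#     while the LAN keeps its normal access.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -RemoteAddress $VpnClientSubnet, 'LocalSubnet' -Enabled True

New-NetFirewallRule -DisplayName 'VPN clients: RDP only (TCP)' -Direction Inbound `
    -Action Block -RemoteAddress $VpnClientSubnet -Protocol TCP `
    -LocalPort 1-3388,3390-65535
New-NetFirewallRule -DisplayName 'VPN clients: RDP only (UDP)' -Direction Inbound `
    -Action Block -RemoteAddress $VpnClientSubnet -Protocol UDP `
    -LocalPort 1-3388,3390-65535

# (b) RDP listener: Network Level Authentication (credentials checked before a
#     desktop is drawn), TLS as the security layer, high encryption.
Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $RdpTcp -Name SecurityLayer      -Value 2 -Type DWord
Set-ItemProperty -Path $RdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord

# (c) Redirection: no client drives, clipboard, printers, COM/LPT ports or PnP
#     devices mapped into the session. With these off, the laptop really is
#     just looking at a screen.
if (-not (Test-Path $TsPol)) { New-Item -Path $TsPol -Force | Out-Null }
@{
    fDisableCdm      = 1   # drive redirection
    fDisableClip     = 1   # clipboard
    fDisableCpm      = 1   # printers
    fDisableCcm      = 1   # COM ports
    fDisableLPT      = 1   # LPT ports
    fDisablePNPRedir = 1   # Plug and Play devices
}.GetEnumerator() | ForEach-Object {
    Set-ItemProperty -Path $TsPol -Name $_.Key -Value $_.Value -Type DWord
}

# (d) Slow down password guessing against the listener.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# Check the result from the server side.
Get-ItemProperty -Path $TsPol | Select-Object fDisable*
Get-NetFirewallRule -DisplayName 'VPN clients: RDP only*' | Get-NetFirewallPortFilter
```

The one thing this script does not decide is where 3389 is reachable from. Restricting the Remote Desktop rule to the VPN pool and the local subnet, as above, keeps the listener off the public internet; if the merchant's "ditch the VPN for RDP" outcome instead means the server's 3389 answers to everyone, the lockout policy is all that stands between it and every password-guessing bot, and the earlier reply's point that RDP should still ride inside a VPN is the better shape.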
 
I give you permission to hack into mine. I'd rather you didn't scramble my data while you are in; but it is an interesting experiment. Go for it.
 
Ha. I don’t do Red Team stuff often, so I’m not very good at it.

The people who are, are expensive and require written contracts and permission with ground rules fully established before doing it.

Plus here’s this...

 