SIGforum.com - The Lounge - What shows up on network firewalls when workstations use a VPN?
Oz_Shadow posted:
If an office has a nicer hardware firewall like Cisco, Sophos, etc., what shows up on the firewall monitoring software when a workstation uses a VPN to access a site like Sigforum?
ensigmatic posted:
Usually just information such as date, time, originating and terminating IP numbers and type of connection. If it's TCP (persistent) connections: Perhaps length of connection time or separate connection/disconnection log entries.

If you mean content: Not likely. If for no other reason than that would require a massive amount of storage space.

For HTTPS and other SSL/TLS connections content would be a non-issue, as it's end-to-end encrypted.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
sig2392 posted:
If you are using a VPN inside a work network,

the security guys should pay you a visit.

It would be like we can't see what you are doing but we can see you are doing it.
ensigmatic posted:
quote:
Originally posted by sig2392:
It would be like we can't see what you are doing but we can see you are doing it.

When I was still doing the job I could examine, even capture, such traffic on-the-fly if I so desired--as long as it wasn't encrypted. Most network admins and security peeps have more important things to do with their time. I know I certainly did.

That being said: Accessing off-site services for amusement's sake while connected to the corporate VPN could be regarded as network abuse. IIRC, I had our firewall configured to prohibit such activity.
Oz_Shadow posted:
I was thinking more about a private, personal VPN on a small company network/firewall. Like using Nord on a browser to access your own payroll portal or Sigforum. Not much else.
ensigmatic posted:
quote:
Originally posted by Oz_Shadow:
I was thinking more about a private, personal VPN on a small company network/firewall. Like using Nord on a browser to access your own payroll portal or Sigforum. Not much else.

Oh, you mean using an off-site VPN to access Internet stuff from inside the corporate network? E.g.:

Corp. LAN <-> firewall <-> Internet <-> VPN <-> Internet <-> <stuff>

Like that? Heh. I'd have shut that down in a New York heartbeat the instant I discovered it, booted your machine off the network, and reported you to both my and your management.

Oh, and to answer what I now believe I understand to be your question: All they'll see is encrypted connections to an off-site VPN, which is exactly what a VPN is meant to achieve. They'd have no way of determining what you were accessing or why. Which is why I'd terminate the activity forthwith--with prejudice.
Gear.Up posted:
quote:
Oh, and to answer what I now believe I understand to be your question: All they'll see is encrypted connections to an off-site VPN, which is exactly what a VPN is meant to achieve. They'd have no way of determining what you were accessing or why.


If they are even remotely competent, there will be a corporate certificate installed on anything that touches the network which would then allow them to decrypt any traffic traversing the network.
ensigmatic posted:
quote:
Originally posted by Gear.Up:
If they are even remotely competent, there will be a corporate certificate installed on anything that touches the network which would then allow them to decrypt any traffic traversing the network.

That isn't how it works.

When you connect to a VPN like Nord, the VPN server provides you a certificate you use with that server. That cert is unique to your client and that server. The key exchange dialogue between client and server sets up a temporally-unique encrypted connection such that, even if somebody else had a copy of your credentials, it could not be decrypted on-the-fly like that.

The only way to achieve what you suggest is called a "man in the middle" (MITM) attack, where something between the client and the server spoofs the client into believing it's the server and the server into believing it's the client. It then decrypts and re-encrypts in both directions.

Providing certificate security is intact or some kind of public key infrastructure is used (e.g.: a certificate authority), that is regarded as impossible.
Gear.Up posted:
quote:
The only way to achieve what you suggest is called a "man in the middle" (MITM) attack


Which is exactly what is happening on a company network with their certificate installed.
ensigmatic posted:
quote:
Originally posted by Gear.Up:
quote:
The only way to achieve what you suggest is called a "man in the middle" (MITM) attack

Which is exactly what is happening on a company network with their certificate installed.

Last time: That's not how this stuff works. That's not how any of this stuff works.
r0gue posted:
Newer security appliances can break down encrypted tunnels and inspect the content, then re-encrypt for the rest of the journey. The process sets up the company computers to trust the cert of the security appliance and then essentially, it does a man-in-the-middle attack. This is done to assure encrypted tunnels aren't bringing in malware. I would doubt that anyone is using this for web content filtering. Not even sure if it can, though probably. Mostly it's used to look for and inspect unknown executables and malware coming inbound. I know this occurs on our network for SSL and HTTPS. I assume it can be done for client VPNs, but perhaps not.

If the firewall doesn't crack the encrypted traffic and inspect, it won't have much visibility. Most traffic is encrypted nowadays.
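The trust decision r0gue describes, as an added Python model that is not code from this thread or from any vendor's appliance: a managed browser accepts the appliance's re-signed chain because the corporate inspection root was pushed into the OS trust store, while a VPN client that pins its server key (OpenVPN verifies the server certificate against the CA carried in the client profile; WireGuard pins the peer's static public key) rejects the appliance's substitute key. The certificate names, key bytes and trust-store contents are constructed for the example, and signature checking and the rest of X.509 path validation are deliberately left out, so this models the trust decision only.

```python
"""Simplified model of why an inline TLS-inspection appliance can read a
managed browser's HTTPS but not a VPN tunnel whose client pins its server.

Added example. No real certificates are parsed and no signatures are
verified: "chain validation" here is issuer-name chaining plus trust-store
membership, which is enough to show where the trust decision is made."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the SubjectPublicKeyInfo bytes


def spki_pin(cert: Cert) -> str:
    """SHA-256 over the public-key bytes, the same shape as a key pin."""
    return hashlib.sha256(cert.spki).hexdigest()


def browser_accepts(chain: list[Cert], trust_store: set[str]) -> bool:
    """Browser-style check: each cert must be issued by the next one and the
    last one must be a self-signed root that the OS trust store contains."""
    if not chain:
        return False
    for leaf, parent in zip(chain, chain[1:]):
        if leaf.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.subject in trust_store and root.issuer == root.subject


def vpn_accepts(server_cert: Cert, pinned: str) -> bool:
    """VPN-client-style check: only the key the client was configured with,
    regardless of what the OS trust store says."""
    return spki_pin(server_cert) == pinned


# Constructed chains. The "Corp Inspection CA" re-signs sigforum.com on the fly.
GENUINE_WEB = [Cert("sigforum.com", "Public CA", b"constructed-web-key"),
               Cert("Public CA", "Public CA", b"constructed-public-ca-key")]
INTERCEPTED_WEB = [Cert("sigforum.com", "Corp Inspection CA", b"appliance-web-key"),
                   Cert("Corp Inspection CA", "Corp Inspection CA", b"appliance-ca-key")]
OS_DEFAULT_STORE = {"Public CA"}
CORP_MANAGED_STORE = {"Public CA", "Corp Inspection CA"}  # pushed by the company

# The VPN client carries its own pin; the appliance cannot present that key.
GENUINE_VPN = Cert("vpn.example.net", "My VPN CA", b"constructed-vpn-key")
INTERCEPTED_VPN = Cert("vpn.example.net", "Corp Inspection CA", b"appliance-vpn-key")
VPN_PIN = spki_pin(GENUINE_VPN)


def scenarios() -> dict[str, bool]:
    """Outcome of each trust decision, keyed by a short description."""
    return {
        "browser, unmanaged device, genuine": browser_accepts(GENUINE_WEB, OS_DEFAULT_STORE),
        "browser, unmanaged device, intercepted": browser_accepts(INTERCEPTED_WEB, OS_DEFAULT_STORE),
        "browser, managed device, intercepted": browser_accepts(INTERCEPTED_WEB, CORP_MANAGED_STORE),
        "vpn client, genuine": vpn_accepts(GENUINE_VPN, VPN_PIN),
        "vpn client, intercepted": vpn_accepts(INTERCEPTED_VPN, VPN_PIN),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:40s} {'accept' if ok else 'REJECT'}")
```

The managed-device row is the only one where the appliance wins, and it wins only because the company controls the trust store on that machine. The VPN rows are the point the thread circles around: an inspection appliance can read browsing from a managed device, but a personal VPN tunnel from that same device shows up only as an opaque flow to one external address, unless the VPN client itself is replaced or reconfigured.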
SPWAMike0317 posted:
Simple rule: Don't use your company's assets, including the network, for anything other than company business. Security is not a static thing, it evolves. As security evolves new capabilities are installed in promiscuous mode, all traffic passes but is logged, stored and analyzed. Everything on your laptop looks normal. Until it doesn't. Best case is your VPN is blocked and you hear nothing. Worst case? Use your imagination.

I state this as a long time IT person who has had technical and managerial involvement with implementing security: Use your personal device on your home network for anything not company related.



Let me help you out. Which way did you come in?
HRK posted:
Yep, you should just turn off wi-fi and use your cell data on the phone to do personal business, best done while you are sitting in a stall in the can during a major droppage so nobody wants to know who you are, much less what you might be doing in the stall...
David Lee posted:
Some people in SigForum are so smart, they must have a sore head. Smartest people I have ever read. One of these days, I'm just going to ask what is the meaning of life? Don't tell us now. We know you know..
Rey HRH posted:
To the OP: if it's any competent IT, VPNs will automatically be prevented. Ask me how I know. I tried using a web based VPN service to get around needing admin permission to install software.

But most companies allow incidental web browsing. Heck, my last company had an expressed policy against streaming video and I still went on YouTube or I Heart Radio. I listened to it while I was working.

quote:
Originally posted by David Lee:
One of these days, I'm just going to ask what is the meaning of life.


Just read my tag line.

"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.
ensigmatic posted:
quote:
Originally posted by Rey HRH:
To the OP: if it’s any competent IT, VPNs will automatically be prevented.

It's difficult to automatically prevent VPNs. Just ask the Chinese. Sure, one can block the most commonly-used ports and the known VPN services, but there's nothing to stop somebody from firing-up a VPN on an off port, even a port designated for a different service, on a new server.

quote:
Originally posted by Rey HRH:
But most companies allow incidental web browsing.

I don't know about "most," but many do. We did.

I'd occasionally have some manager express an interest in knowing what non-work-related things their employees were doing. I usually respectfully declined to provide such information--generally on the grounds that I had neither the time nor inclination to play network cop and that their employees' performance was a management issue, not a technical one.

Now it would happen, on occasion, that in the course of my looking into this or that, I'd notice activity that appeared to be... excessive or I knew would be trouble if it came to the attention of management. In such cases a quiet hint to the individual responsible took care of the problem.

quote:
Originally posted by Rey HRH:
Heck, my last company had an expressed policy against streaming video and I still went on YouTube or I Heart Radio. I listened to it while I was working.

We did not have such a policy, but we did have a policy against excessive use. When I discovered such use I simply terminated it, with prejudice. No warning, notice, or appeal.
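What such a tunnel looks like in the connection records ensigmatic lists earlier in the thread (time, source and destination address, protocol, port, and for TCP the session length), as an added Python example that is not from the thread: it flags sessions to the default ports of common VPN protocols and, for the off-port case ensigmatic raises here, any workstation that pushes nearly all of its outbound bytes through one long-lived session to a single external address. The record layout, the sample lines, the internal prefixes and the thresholds are constructed for the example; real Cisco or Sophos exports use different field names but carry the same data.

```python
"""Constructed firewall connection log plus a VPN-shaped-traffic heuristic.

Added example. The CSV layout and every address and byte count below are
made up; the rule logic is the part worth carrying over to a real export."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# LAN prefixes the firewall treats as internal (assumed RFC 1918 for the example)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Default ports of common VPN protocols: OpenVPN, WireGuard, IKE and IPsec NAT-T
KNOWN_VPN_PORTS = {("udp", 1194), ("tcp", 1194), ("udp", 51820),
                   ("udp", 500), ("udp", 4500)}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int
    seconds: int


# Constructed sample: four workstations over a few minutes. .12 runs a VPN on
# its default port, .13 runs one on tcp/443, .11 just browses, .14 stays on LAN.
SAMPLE_LOG = """
# ts, src, dst, proto, dport, bytes_out, seconds
2024-05-01T09:00:01, 10.0.0.11, 203.0.113.5, tcp, 443, 120000, 35
2024-05-01T09:00:02, 10.0.0.11, 198.51.100.9, tcp, 443, 80000, 12
2024-05-01T09:01:00, 10.0.0.12, 192.0.2.77, udp, 1194, 5000000, 3600
2024-05-01T09:02:00, 10.0.0.13, 192.0.2.88, tcp, 443, 9000000, 7200
2024-05-01T09:02:05, 10.0.0.13, 203.0.113.5, tcp, 443, 50000, 8
2024-05-01T09:03:00, 10.0.0.14, 10.0.0.2, tcp, 445, 7000000, 4000
"""


def parse_log(text: str) -> list[Flow]:
    """Parse the constructed CSV layout; a real export needs its own field map."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes, secs = [f.strip() for f in line.split(",")]
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport), int(nbytes), int(secs)))
    return flows


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspect_vpn_hosts(flows: list[Flow], share: float = 0.8,
                      min_seconds: int = 600) -> dict[str, str]:
    """Map each suspect workstation to the reason it was flagged.

    Rule 1: any session to an external host on a default VPN port.
    Rule 2: one external destination receives at least `share` of the host's
            outbound bytes and the longest session to it ran at least
            `min_seconds`; this is what a VPN hiding on tcp/443 looks like.
    """
    per_dst = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # src -> dst -> [bytes, max secs]
    reasons: dict[str, str] = {}
    for f in flows:
        if not is_external(f.dst):
            continue  # LAN-to-LAN traffic never looks like an off-site tunnel
        if (f.proto, f.dport) in KNOWN_VPN_PORTS:
            reasons.setdefault(f.src, f"known VPN port {f.proto}/{f.dport} to {f.dst}")
        agg = per_dst[f.src][f.dst]
        agg[0] += f.bytes_out
        agg[1] = max(agg[1], f.seconds)
    for src, dsts in per_dst.items():
        if src in reasons:
            continue
        total = sum(b for b, _ in dsts.values())
        dst, (top_bytes, top_secs) = max(dsts.items(), key=lambda kv: kv[1][0])
        if total and top_bytes / total >= share and top_secs >= min_seconds:
            reasons[src] = (f"{top_bytes / total:.0%} of outbound bytes to {dst} "
                            f"in a {top_secs}s session")
    return reasons


if __name__ == "__main__":
    for host, why in suspect_vpn_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {why}")
```

Rule 2 is what catches the server-on-an-odd-port case: the firewall cannot read the payload, but a workstation whose traffic collapses to one external peer for hours does not look like web browsing. It also fires on legitimate things with the same shape (cloud backup agents, a long video call), so on a real network the thresholds get tuned and a list of sanctioned destinations is subtracted before anyone is "paid a visit".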
radioman posted:
quote:
Originally posted by ensigmatic:

It's difficult to automatically prevent VPNs. Just ask the Chinese Smile. Sure, one can block the most commonly-used ports and the known VPN services, but there's nothing to stop somebody from firing-up a VPN on an off port, even a port designated for a different service, on a new server.



FWIW, I set up OpenVPN on my Asus router at home, so I can VPN into my home network from most anywhere using my phone or laptop. Works like a charm, and does 2 things:

1] Keeps people at Coffee Shops, Airports and Hotels from grabbing my traffic.
2] Gives me secure access to my home network including my security cams etc

Well worth doing, and very simple. Worth it to get a new router to get this feature.

Using this from any network that allows you to use your own device, I don't see how anybody in-between could grab your traffic without a huge amount of decryption effort. It would be very difficult for them, which is why VPN is so popular in the first place.
ensigmatic posted:
quote:
Originally posted by radioman:
FWIW, I set up Open-VPN on my Asus router at home, ...

If your router supports it, you might want to look into WireGuard. It's allegedly faster, easier and more secure than OpenVPN.

If I go to the trouble of setting up a VPN, WireGuard is what I'll probably use.
radioman posted:
quote:
Originally posted by ensigmatic:


If I go to the trouble of setting up a VPN, WireGuard is what I'll probably use.


Good to know. Thanks.
Gear.Up posted:
quote:
Originally posted by ensigmatic:
Last time: That's not how this stuff works. That's not how any of this stuff works.


I'm not sure why the misunderstanding here but we must be talking about different things.

Would you agree that it's possible to decrypt traffic via proxy server, inline method, etc.?

© SIGforum 2024