I work for a snooping kind of company where I would not put it past them to watch what I do on my personal home computer if they could.
Can they "see" what I do on my home laptop when I vpn from home on my work laptop?
Often I am asked by my manager to use Nortel VPN to connect to the work network using my home ISP on my work-owned portable Windows XP laptop. At the same time, I am on my home WinXP PC connecting through the same Linksys wireless router.
I'm pretty sure when I do not VPN in from the work computer, they can't "see" what I do on the home computer... but when I VPN in on the work computer on the same network as the home computer... can they "see" what I do on the home computer?
Does VPN compromise my home security or is my home PC activity still secure?
It's not the VPN - that's the tunnel between systems. It's what is installed and running on the work laptop, including any work-modified VPN software. Personally I wouldn't allow it. The whole friggin world wants to get in your computer worse than a teenage boy wants to get in your daughter's pants.
Well, first, anything you do on your "work" laptop is subject to monitoring by your company. It's their laptop after all. Just don't do anything on that laptop you might regret.
Secondly, if the VPN is set up correctly you will not be able to access your home LAN and other local PCs' shared files/folders while connected through the VPN to your work network. I always set up my OpenVPN server to force all client traffic through the tunnel and back to the work network. That is a basic security measure to isolate the work network from the remote network.
Thirdly, you could set up firewall software on your home PCs to block access to shared files/folders from your work laptop.
Basically you need to use some common sense and some practical security measures on your home LAN.
Get a different job. Deprive them of a good employee by going elsewhere. Make them lose all the money they've invested in you. Otherwise you're just continuing to enable their abuse.
Generally no. Most VPN connections are designed so that ONLY the connecting computer is attached to the remote network. Otherwise they'd be opening up the whole network to abuse from other computers on the connecting side of the VPN. Think about it, if you connect from a coffee shop it'd let everyone else get into the work network too. Not a good idea, not at all.
No. But if you're running XP on the other computer simply enable the firewall. You'll see any notifications about connection attempts.
No more or less secure than without the VPN connection.
Sometimes there are just one or two individuals who think it is their job to snoop as hard as they can. Sometimes it's a management philosophy.
The OP can test that... open a shared volume from laptop to desktop, or start a "ping -t" in both directions, then log on to the Nortel VPN. The local connection should break, and not be available to restart.
And be quite surprised at all the trash floating around, different servers and services trying to connect...
I see attempts from MSSQL servers and clients, vulnerability checks for various weaknesses, maybe from the good guys, maybe from bad guys, backup software, stuff I haven't bothered to track down...
Have a look at the exceptions list on the work machine's XP firewall... There might be snoopy software installed and allowed. I have seen installations where a private copy of VNCserver is installed and running, so support can access your system for troubleshooting... of course they can also watch anything you are doing, with your desktop visible to them as if they were sitting in your chair.
True of the VPN. If the laptop is allowed to connect to the local network without the VPN turned on, then the local computer might be subject to some unwanted examination. If you are concerned about corporate snooping of your home PC, the laptop should never be connected to your home network. You can't get a VPN connection without connecting to the local network first, so there will be exposure, unless, as someone else noted, you move to a DMZ of some sort.
That's an interesting philosophy... Wonder who is legally liable for what employees do on the VPN to their home computer... Like if you spam or spy from your home computer, while at work, by using a VPN from your work computer... who is gonna get pinched?
Seems to me that whoever is liable should be able to snoop or say no, you can't do that... Interesting you assume that the person is a good employee... How do you know they aren't spamming or spying from their home system, while at work via a VPN, and assuming they can get away with anything illegal cuz the company is on the hook?
That's the reverse of the VPN utilization that I think was being presented. An employee, using a company-provided laptop, is at home, connecting to the corporate VPN. He's worried that the company is going to snoop his personal home computer via the VPN that he is using.
I don't think I entertained the idea that the employee was or was not a good employee.
If the company provides the laptop, they get to sniff whatever they want on that laptop. I think legal precedent has been established for that. They do not get free access to snoop the home computer.
Spamming via the corporate network, regardless of where the employee is located at the time, is misuse of the corporate network. I don't see how you could expect that the "company is on the hook". The employee, logged in via a VPN server that keeps records of the logins, is hardly anonymous.
I was going by this: "I'm pretty sure when I do not VPN in from the work computer, they can't "see" what I do on the home computer... but when I VPN in on the work computer on the same network as the home computer... can they "see" what I do on the home computer?"
That seemed like using the work computer to access the home computer...
However, even if it was from home to work, I do still sort of wonder about who gets pinched if an illegal activity occurs, i.e. if you work from home, and do something illegal, are you liable or is the company liable?
What corporation would risk the bad press and breach of trust for such a dubious and worthless pastime? Even a hint of such snooping in a wrongful termination suit is likely to turn against the corporation. Unless you're on the board of dictators of HP, I wouldn't worry about it much.
Again, it depends on how it's setup.
However, if you're that paranoid the company will discover your collection of morally degenerate p*rn, copyright violations, or correspondence with the corporation, there's an easy way to be sure they can't snoop. Install a 2nd router between your p*rn server and the main router. Set it up for NAT but on a different class C subnet. For example, if your main router puts your clients on 192.168.1.xxx, then set up the 2nd NAT router for 192.168.2.xxx. There's no easy way for your evil employer to go backwards through the 2nd router unless you punch it full of holes (port forwarding or triggering). This is commonly called "double NAT". The downside is that some services that do require port forwarding will need to be accommodated. For example, if you're running VNC, you'll need to port forward 5800 and 5900 in *BOTH* routers. It's a bit of work, but no big deal.
Nothing wrong with that. That's the whole purpose of issuing you a work-owned laptop.
Actually, the office VPN is more at risk than you are. If your other machines are worm, virus, trojan, and spyware infested, they could easily attack or infect the corporate LAN via the VPN. Hopefully, your IT department has taken steps to defend themselves.
I assume the home computer is a different computer than your company issued laptop. If the VPN client is located on the laptop, and the VPN is properly set up, then the office LAN can only see the laptop and not the home computer. If the VPN originates in the router, then the office LAN can see your entire home network. If your company also issued you a decent router that isolates the VPN client from the rest of the LAN in hardware, such as a Sonicwall, then the office can only see your laptop.
Asking the same question 3 times will not yield a better answer. Whether your activities are secure is totally dependent on your VPN setup, of which I only know that you're using a Nortel VPN client on a company owned laptop. If you want specific opinions as to your security status, you might consider disclosing some details.
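The double-NAT arrangement described a few paragraphs up is easy to reason about with a small model. The following is an added example written for this thread, not code from any poster or router vendor: two minimal NAT routers with connection tracking and optional port forwards, laid out exactly as the post suggests (second router on the main router's 192.168.1.x LAN, the home PC on 192.168.2.x behind it). The hosts (.10, .2) and the public addresses (TEST-NET ranges) are constructed. It shows that the work laptop on the outer LAN cannot open anything inward, that the inner PC can still initiate outward and get replies, and that an Internet-facing service such as VNC needs the forward in both routers, which is also exactly where the isolation is lost.

```python
"""Constructed model of a double-NAT home network: a second NAT router hangs off
the main router's LAN, and the personal PC lives behind it. Example code, not from
the thread's posters or any vendor. Subnets are the ones from the post; hosts and
public addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    """Minimal consumer NAT router: one LAN subnet, one WAN address.
    Outbound flows are recorded; inbound packets are delivered only if they are
    replies to a recorded flow or match an explicit port forward."""
    name: str
    lan: ipaddress.IPv4Network
    wan_ip: str
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # wan_port -> (host, port)
    _table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)
    _next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to the WAN address and remember the flow."""
        if ipaddress.ip_address(pkt.src) not in self.lan or ipaddress.ip_address(pkt.dst) in self.lan:
            return pkt  # not crossing the NAT boundary, forwarded untouched
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for wan_port, known in self._table.items():
            if known == flow:
                return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport)
        wan_port, self._next_port = self._next_port, self._next_port + 1
        self._table[wan_port] = flow
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: pass replies and port-forwarded traffic; drop everything else (None)."""
        if pkt.dst != self.wan_ip:
            return None
        known = self._table.get(pkt.dport)
        if known and known[2:] == (pkt.src, pkt.sport):
            return Packet(pkt.src, pkt.sport, known[0], known[1])
        if pkt.dport in self.forwards:
            host, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, host, port)
        return None  # unsolicited: the "no easy way backwards" property


# Topology (constructed hosts on the post's two subnets)
MAIN_WAN = "198.51.100.7"      # main router's ISP-facing address
INNER_WAN = "192.168.1.2"      # second router's WAN side: just another client of the main router
WORK_LAPTOP = "192.168.1.10"   # company laptop, on the main router's LAN
HOME_PC = "192.168.2.10"       # personal PC, behind the second router
INTERNET_HOST = "203.0.113.5"


def build(forward_both: bool = False) -> Tuple[NatRouter, NatRouter]:
    """Two routers; with forward_both=True, VNC 5900 is forwarded in both, as the post says is needed."""
    main = NatRouter("main", ipaddress.ip_network("192.168.1.0/24"), MAIN_WAN)
    inner = NatRouter("inner", ipaddress.ip_network("192.168.2.0/24"), INNER_WAN)
    if forward_both:
        main.forwards[5900] = (INNER_WAN, 5900)
        inner.forwards[5900] = (HOME_PC, 5900)
    return main, inner


def laptop_reaches_home_pc(inner: NatRouter, port: int) -> Optional[Packet]:
    """Laptop opens a connection towards the second router's WAN address."""
    return inner.inbound(Packet(WORK_LAPTOP, 50000, INNER_WAN, port))


def home_pc_reaches_laptop(inner: NatRouter) -> Optional[Packet]:
    """Home PC initiates outward; returns the laptop's reply as delivered back to the home PC."""
    syn = inner.outbound(Packet(HOME_PC, 51000, WORK_LAPTOP, 445))
    reply = Packet(syn.dst, syn.dport, syn.src, syn.sport)  # laptop answers the translated address
    return inner.inbound(reply)


def internet_reaches_home_pc(main: NatRouter, inner: NatRouter, port: int) -> Optional[Packet]:
    """Traverse both NATs from the Internet; both forwards must exist for this to get through."""
    hop1 = main.inbound(Packet(INTERNET_HOST, 52000, MAIN_WAN, port))
    return inner.inbound(hop1) if hop1 else None


if __name__ == "__main__":
    for forwarded in (False, True):
        main, inner = build(forward_both=forwarded)
        print(f"VNC forwarded in both routers: {forwarded}")
        print("  laptop -> home PC port 445 :", laptop_reaches_home_pc(inner, 445))
        print("  laptop -> home PC port 5900:", laptop_reaches_home_pc(inner, 5900))
        print("  internet -> home PC 5900   :", internet_reaches_home_pc(main, inner, 5900))
        print("  home PC -> laptop, reply   :", home_pc_reaches_laptop(inner))
```

The laptop could also try the inner PC's 192.168.2.x address directly, but the main router has no route for that subnet and forwards it upstream, so that path dies too. Note what the forward costs: once 5900 is opened in both routers, the same port is reachable from the work laptop on the outer LAN, not just from the Internet.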
But I think the "work computer" is at home, connecting to the corporate VPN. The question was whether his personal computer is now visible to the company. What he's missing is that when the VPN connects, his access to the network that is in the same room is lost.
One would expect that the evildoer is the one in trouble for doing evil.
There could be some argument that the company is facilitating the evil by giving him network access, but in the case of VPN, that access is riding on some other access that the evildoer already has in place. In any event, one might assume that illegal activities are against company policy, providing some shield for the corporation.
A lot of sniffing and snooping may be going on, under the guise of "corporate security". Unless there is a termination or other blatant disclosure, one might never know what has been observed.
That wouldn't exactly be the case in a normal setup. Those other vile computers would probably have no access to the corporate LAN, because they aren't running Nortel clients, and the "normal" LAN has no access to the work PC once it connects to the VPN.
The big exposure is that he is only occasionally required to use the VPN, implying that the work PC might be infected at some time while not under the corporate security umbrella.
Hmmm. That wouldn't be a "Nortel VPN" connection then... it should be more obviously a corporate router, which wasn't mentioned, and is unlikely, since the VPN portion of the connection has been described as occasional.
Hard to say. Asking three times in slightly different fashion can certainly elicit N^3 different responses ;-)
I would be more worried about the home network, but if your IT guys are clueless...
That's why we(tinw) require all computers connecting to our trusted network be purchased by, or consigned to, "the corp". If someone wants to use a home computer to do business on our networks, they will have to sign a release of their computer asset over to the corporation. By doing that, they are able to load all licensed corporate software on their home computer, including security software, that is required for access to our networks. They never have to surrender their own computer equipment, unless, of course, there is a need for a forensic investigation. Forced software updates and policy enforcement are mandatory BEFORE being allowed on to the trusted networks, and then all communication across the VPN tunnel is logged.
It's entirely possible, but highly unlikely.
It is possible. If you don't want to be exposed, you could restrict user access to your home computers by logging into your work laptop with a different username/password, one that can't access your other systems (also make sure your network shares have the proper user restrictions). There is always the possibility of exploits/user/password guessing/cracking/keyloggers/etc. that can be used by a determined snooper, but you really have to ask yourself: are you actually worth all that to your company?
No. VPN is an encryption protocol that rides on the TCP carrier protocol. VPN encrypts the traffic between your machine's client VPN solution (one valid VPN end point) and the server VPN solution (one valid VPN end point). It prevents someone from eavesdropping on the data traffic between your machine and the company's network.
I doubt that they care about what you're doing from your machine. There only so much you can do anyway.
Maybe, maybe not, and there would have to be a hidden back door installed on the machine so they could see your every move and keystroke.
So? What, are you thinking they can see what you're doing from your home machine because you have them both connected to a router? They don't care and are not looking. It's impossible for them to do that anyway.
No, you're the one that compromises your home security by not doing Safe Hex.
VPN is just a data privacy solution between your machine and the company's network over the Internet, so no one can eavesdrop on the data/traffic.
That would seem a bit paranoid but possible. The company would need a good reason to justify such a fishing expedition. There would also need to be some evidence of wrongdoing, documented procedures for the inevitable trial or labor board hearing, and possibly proof of secure handling of the accumulated evidence. If the evil corporation is going fishing, it would be considered good form if the fish were suitable for litigation or termination. Otherwise, why bother?
From my limited experiences, some companies do sniff internet traffic in order to detect viruses and leakage of internal documents. I installed a sniffer long ago that looked for specific project names in SMTP packets. However, that's about the limits of sniffing that I've seen.
Snooping around a user's network backwards via VPN is possible. One software company installs VNC and SSH in addition to the usual IPSec VPN client on their users' laptops. The purpose is not for the admins to spy on their programmers, but rather so that the programmers can pick up files from their home machines in a secure manner. VNC is set up to only operate inside the VPN tunnel. However, it would be fairly easy to use VNC to spy on the rest of the user's home LAN.
Agreed. The "normal" VPN setup disconnects the local LAN and sends all traffic through the remote VPN gateway. Every time I connect, I immediately lose my local networked printer, any local servers, my IM connections, Skype goes dead, etc. Some reconnect via the VPN if there is an internet connection at the other end of the tunnel, but the LAN stays disconnected.
However, that's the "normal". It would not take much imagination to visualize a method by which the "normal" VPN security can be compromised. Setting the default gateway to NOT go through the tunnel to the remote VPN router is a good start. Bridging the ethernet interface to a wireless device is another. Adding forensic "helper" applications will certainly do the job.
I used to assume that corporate laptops had their security fairly well nailed down with security templates and Windoze group policy management.
I took a close look at some allegedly secure laptops owned by some banks, insurance companies, and medical offices. Methinks that malware infection is a definite risk and I'm amazed that it doesn't happen more often with such laptops.
I don't have any experience with Nortel VPNs, but I guess(tm) that it's just another IPSec VPN with the usual assortment of encapsulation, authentication, and encryption options. As long as Nortel hasn't added anything proprietary, it should work with any VPN device including the hardware VPN routers such as Sonicwall. Nortel does make a small VPN router (Model 600), but you're correct that the OP probably doesn't have one as it's more suitable for a branch office than a home user.
Have you ever noticed that if you ask a doctor or lawyer for an opinion, you'll never get a single answer? You always get multiple possibilities leaving you with the responsibility of making the decision. If you decide incorrectly, the doctor or lawyer can claim it wasn't their advice that sent you astray, it was your decision. In keeping with such established procedures, I always muddle my answers with a surplus of possibilities, thus offering me an easy way out if I happen to be wrong.
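Two points in this thread come down to the laptop's routing table: the observation above that the "normal" full-tunnel VPN makes the local LAN disappear (and that leaving the default gateway pointed at the home router undoes that), and the earlier suggestion to run a continuous ping to the other home PC and watch it die as the Nortel client connects. The following is an added example written for this thread, not the posters' code and not taken from any VPN client: a longest-prefix-match lookup over three constructed tables (no VPN, split tunnel, full tunnel with the local LAN blocked). The interface names, the .50 neighbour and the concentrator address are constructed, and the full-tunnel table illustrates the more-specific-route technique in general; it is not a claim about what the Nortel client, or any particular product, actually installs.

```python
"""Longest-prefix-match route lookup over three constructed routing tables for the
work laptop, showing where a packet to the other home PC goes in each case. Example
code for this thread; not from the posters or from any VPN client. Interface names,
the .50 neighbour and the concentrator address are constructed."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str, str, int]  # (prefix, gateway, interface, metric)

HOME_GW = "192.168.1.1"
LAN_IF = "lan0"                 # the laptop's wired/wireless adapter (constructed name)
TUN_IF = "vpn0"                 # the VPN client's virtual adapter (constructed name)
CONCENTRATOR = "203.0.113.10"   # work-side VPN gateway, TEST-NET address (constructed)
HOME_PC = "192.168.1.50"        # the other machine on the home LAN (constructed)

# 1. VPN down: one default route out the home router, home LAN directly connected.
NO_VPN: List[Route] = [
    ("0.0.0.0/0", HOME_GW, LAN_IF, 20),
    ("192.168.1.0/24", "0.0.0.0", LAN_IF, 20),
]

# 2. Split tunnel: only the work prefix is added; everything else, home LAN included, is untouched.
SPLIT_TUNNEL: List[Route] = NO_VPN + [("10.0.0.0/8", "0.0.0.0", TUN_IF, 1)]

# 3. Full tunnel with the local LAN blocked. Two /1 routes beat the /0 default, two /25s
# beat the connected /24, and two /32s keep the concentrator and the home gateway reachable
# so the encrypted packets themselves can still leave the laptop.
FULL_TUNNEL: List[Route] = [
    ("0.0.0.0/0", HOME_GW, LAN_IF, 20),
    ("192.168.1.0/24", "0.0.0.0", LAN_IF, 20),
    (CONCENTRATOR + "/32", HOME_GW, LAN_IF, 1),
    (HOME_GW + "/32", "0.0.0.0", LAN_IF, 1),
    ("0.0.0.0/1", "0.0.0.0", TUN_IF, 1),
    ("128.0.0.0/1", "0.0.0.0", TUN_IF, 1),
    ("192.168.1.0/25", "0.0.0.0", TUN_IF, 1),
    ("192.168.1.128/25", "0.0.0.0", TUN_IF, 1),
]


def lookup(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Return (interface, gateway) for dst: longest prefix wins, lower metric breaks ties."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface, metric in table:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface, gw)
    return None if best is None else (best[1], best[2])


def neighbour_reachable(table: List[Route]) -> bool:
    """The 'ping -t the other PC' test: True if traffic to it still leaves on the LAN adapter.
    If it leaves on the tunnel adapter instead, it goes to the work side, which has no route
    back to 192.168.1.x, so the continuous ping simply stops answering."""
    return lookup(table, HOME_PC)[0] == LAN_IF


def tunnel_can_carry(table: List[Route]) -> bool:
    """Sanity check that a full-tunnel table is not self-defeating: the encrypted packets to
    the concentrator must still reach the home gateway over the LAN adapter."""
    return lookup(table, CONCENTRATOR) == (LAN_IF, HOME_GW) and lookup(table, HOME_GW)[0] == LAN_IF


if __name__ == "__main__":
    for name, table in (("no VPN", NO_VPN), ("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        print(f"{name:13s} home PC reachable: {neighbour_reachable(table)!s:5s}  "
              f"internet via: {lookup(table, '8.8.8.8')[0]}  tunnel usable: {tunnel_can_carry(table)}")
```

With the split-tunnel table the neighbour stays reachable and only 10.x goes into the tunnel, which is the "default gateway not through the tunnel" situation described above; with the full-tunnel table the neighbour's traffic is pulled into the tunnel by the more specific /25 routes, and the ping test shows the difference within a second or two of the client connecting.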
On Tue 03 Oct 2006 07:13:50p, Jeff Liebermann took the time to tell us all in news: firstname.lastname@example.org:
Plenty do. Look at the name of this NG.
Not both, just the subnet connected to the VPN machine. Great suggestion, though, as that's sort of what I have.
The only question is if the 2 machines share on the LAN when not connected to the VPN and then one forwards info? Paranoid, yes, but then so was the idea that the Germans might get a nuke before we did. They almost did. Nothing is stopping a company from using security software to monitor what you share with other machines.