VPN & Privacy - Help me understand?
October 1, 2008 1:50 PM Subscribe
I work remotely on occasion and have just been told that in the near future remote work access to terminal services will require that we install VPN software on our personal/home computers. Understandable - and, more to the point, out of my control - but what I would like to understand is what kind of access this will give my office IT system to my home system.
If they're so inclined, could they monitor/log all internet traffic from my home computer - even traffic from a separate browser outside of the terminal services program? Can they gather any information from my home computer that I don't purposefully send via terminal services? If I'm logged out of terminal services, does that stop them from any kind of potential monitoring or information gathering of my private system?
I don't really think anyone in IT has the time or inclination to gather information maliciously about my private affairs - nor is there anything actionable on my home system. However, I'm a little on the paranoid side when it comes to privacy in general, so I'd like to know what I'm getting into.
Help?
If they're so inclined, could they monitor/log all internet traffic from my home computer - even traffic from a separate browser outside of the terminal services program? Can they gather any information from my home computer that I don't purposefully send via terminal services? If I'm logged out of terminal services, does that stop them from any kind of potential monitoring or information gathering of my private system?
I don't really think anyone in IT has the time or inclination to gather information maliciously about my private affairs - nor is there anything actionable on my home system. However, I'm a little on the paranoid side when it comes to privacy in general, so I'd like to know what I'm getting into.
Help?
As I understand it, when you go thru a VPN, all traffic gets redirected thru that connection. Best bet is to have a dedicated work machine, or turn off all your Internet dependent applications.
posted by wongcorgi at 2:00 PM on October 1, 2008 [1 favorite]
posted by wongcorgi at 2:00 PM on October 1, 2008 [1 favorite]
FWIW, where I work we dont recommend this. We give them a laptop or desktop for remote access. This gives us a lot of advantages, not to least of which is not being liable for getting into your personal stuff.
posted by damn dirty ape at 2:01 PM on October 1, 2008
posted by damn dirty ape at 2:01 PM on October 1, 2008
If you're logged into a VPN, you act as a machine on that network. You're doled out an address that, yes, they could analyze the traffic of.
The easy solution is to just turn off the VPN when you're not using it. It's usually slower than your normal internet traffic anyway.
posted by mkultra at 2:02 PM on October 1, 2008
The easy solution is to just turn off the VPN when you're not using it. It's usually slower than your normal internet traffic anyway.
posted by mkultra at 2:02 PM on October 1, 2008
Seconding damn dirty ape. My husband works remotely and uses a laptop provided by the company. If your company won't supply a laptop for you to use at home, maybe consider purchasing a laptop for work use only.
posted by cooker girl at 2:04 PM on October 1, 2008
posted by cooker girl at 2:04 PM on October 1, 2008
As noted, the VPN is two way. In the process of installing VPN client software, they could install other software that basically backdoors your system and gives them access to whatever they want. At the very least, they are likely to install something like Cisco Secure Desktop which allows the VPN server to probe your computer to be sure that antivirus software is installed and up to date, that there isn't a keystroke logger installed, etc before completing the connection. Similar software can also push out and install new software when a client connects to the VPN.
Really, they could do anything they want. I imagine that they'd have some sort of policy in place describing what they do, and if they don't they should. It will be horribly one-sided in their favor, but at least it will give you a sense of what the worst they want to do is.
posted by Good Brain at 2:07 PM on October 1, 2008
Really, they could do anything they want. I imagine that they'd have some sort of policy in place describing what they do, and if they don't they should. It will be horribly one-sided in their favor, but at least it will give you a sense of what the worst they want to do is.
posted by Good Brain at 2:07 PM on October 1, 2008
You say "Understandable," but I'm in the camp that holds that this isn't understandable, due to the "anything they want" aspects others have pointed out. There's a reason my company's 100% laptop-based, and everyone else I know who works remotely has a company-issued machine to do it with. The real and imaginable liability issues are through the roof.
posted by Tomorrowful at 2:12 PM on October 1, 2008
posted by Tomorrowful at 2:12 PM on October 1, 2008
I don't know what kind of work they expect you to do from home, but you can also sandbox the VPN-ed computer using virtualization (run the VPM computer in a virtual computer, hosted by your own computer) or live CDs (boot into another operating system, common for Linux).
I agree that it's a bit absurd for a company to demand you install its VPN software and provide them access to your own personal computer - bad on both sides.
posted by meowzilla at 2:14 PM on October 1, 2008
I agree that it's a bit absurd for a company to demand you install its VPN software and provide them access to your own personal computer - bad on both sides.
posted by meowzilla at 2:14 PM on October 1, 2008
Response by poster: oy. I was afraid of that. Guess I will be running that VPN on a separate laptop and not my main desktop. One more question - what kind of acces, if any, will they have to other computers on my home network? In additin to the laptop I also have a PC desktop and an iMac on the network. Sometimes my phone, too.
posted by Mirandala at 2:15 PM on October 1, 2008
posted by Mirandala at 2:15 PM on October 1, 2008
Response by poster: by way of possible explanation re: the demand that we install VPN on our own systems, it's not a private company - it's a gov't agency. No money to give us all company laptops for occasional remote work, combined with an overburdened, underfunded outside IT contract. Which is part of the reason that I don't think they're going to be snooping around and part of the reason that I wouldn't bet against it.
posted by Mirandala at 2:21 PM on October 1, 2008
posted by Mirandala at 2:21 PM on October 1, 2008
One more question - what kind of acces, if any, will they have to other computers on my home network?
If I have VPN access, then I'm on your LAN. Do you have unprotected shares? If so I can read them.
posted by damn dirty ape at 2:34 PM on October 1, 2008
If I have VPN access, then I'm on your LAN. Do you have unprotected shares? If so I can read them.
posted by damn dirty ape at 2:34 PM on October 1, 2008
The ultimate answer to your questions is "as much as the computer it's running on".
"What kind of access this will give my office IT system to my home system?" - "As much as the computer it's running on".
"What kind of access will they have to other computers on my home network?" - "As much as the computer it's running on".
(It doesn't have to, of course - but that's the worst-case, and usually default, scenario.)
posted by Pinback at 2:34 PM on October 1, 2008
"What kind of access this will give my office IT system to my home system?" - "As much as the computer it's running on".
"What kind of access will they have to other computers on my home network?" - "As much as the computer it's running on".
(It doesn't have to, of course - but that's the worst-case, and usually default, scenario.)
posted by Pinback at 2:34 PM on October 1, 2008
Mirandala, download virtualbox, and make a new fake, pristine computer. Install the VPN software there, and use that to access your company network. They can never break out of that jail to reach your host computer / personal stuff.
posted by cmiller at 2:35 PM on October 1, 2008
posted by cmiller at 2:35 PM on October 1, 2008
Response by poster: This is sucking more and more. Any way to block access from anything? Thanks for all the responses, by the way.
posted by Mirandala at 2:38 PM on October 1, 2008
posted by Mirandala at 2:38 PM on October 1, 2008
Just assume they can take all the files. In that case use encryption for sensitive stuff, or everything if you like. TrueCrypt is easy to use and cross-platform.
Put passwords on the shares on your LAN.
posted by damn dirty ape at 2:59 PM on October 1, 2008
Put passwords on the shares on your LAN.
posted by damn dirty ape at 2:59 PM on October 1, 2008
This is precisely the problem that this guy had: people on his network wanted access to a VPN but also wanted strong security. His solution? A Linux live CD that didn't touch the hard drive, so that you could stick the disk in, disconnect your home network cable, reboot the computer, and use the VPN through your computer without anybody seeing anything on your hard drive - absolute security, even beyond encryption, since nobody can decrypt what they can't see.
The downside is that it's pretty computer-knowledge intensive. Here are the instructions. If you know anybody who might like doing this stuff, who hacks around a bit, then that might be a good solution.
Otherwise, it is probably safe to trust yourself to encryption - especially if you're not dealing in high-security info and you're not really expecting people to be trying to get into your business.
posted by koeselitz at 3:50 PM on October 1, 2008 [1 favorite]
The downside is that it's pretty computer-knowledge intensive. Here are the instructions. If you know anybody who might like doing this stuff, who hacks around a bit, then that might be a good solution.
Otherwise, it is probably safe to trust yourself to encryption - especially if you're not dealing in high-security info and you're not really expecting people to be trying to get into your business.
posted by koeselitz at 3:50 PM on October 1, 2008 [1 favorite]
Response by poster: Ok - thanks for the extra explanation. I'm not an IT expert - I'm more on a know-enough-to-be-dangerous-to-myself level - so I welcome any and all comments. Just so I'm sure I'm getting the message here -
If I run the office VPN software on my home PC, but I don't currently have sharing enabled for the other computers on my LAN (they can connect to the network and get to the internet - but I can't open up Explorer and see them), then the office, on the other side of the VPN, can't see any computers on my LAN except the one I'm using? Or do I have it wrong?
If I have it right, and the office can only get through the VPN to the computer it's running on and the computer it's running on can't see any of the other computers logged into the LAN, then I might be able to use a dedicated laptop to do office work without sharing access to my main computer's hard drive? Or, in the alternative, what if I use a dedicated laptop for VPN access and wire it directly into my cable modem without going through my router?
Sorry to keep asking similar questions - I just want to make sure my non-IT-trained brain is picking up on the right information.
posted by Mirandala at 4:55 PM on October 1, 2008
If I run the office VPN software on my home PC, but I don't currently have sharing enabled for the other computers on my LAN (they can connect to the network and get to the internet - but I can't open up Explorer and see them), then the office, on the other side of the VPN, can't see any computers on my LAN except the one I'm using? Or do I have it wrong?
If I have it right, and the office can only get through the VPN to the computer it's running on and the computer it's running on can't see any of the other computers logged into the LAN, then I might be able to use a dedicated laptop to do office work without sharing access to my main computer's hard drive? Or, in the alternative, what if I use a dedicated laptop for VPN access and wire it directly into my cable modem without going through my router?
Sorry to keep asking similar questions - I just want to make sure my non-IT-trained brain is picking up on the right information.
posted by Mirandala at 4:55 PM on October 1, 2008
If I have it right, and the office can only get through the VPN to the computer it's running on and the computer it's running on can't see any of the other computers logged into the LAN, then I might be able to use a dedicated laptop to do office work without sharing access to my main computer's hard drive?
Yes. Hi, I'm the guy who does this VPN stuff. Possibly for you, I don't know where you work.
What you're asking is "I want to tie my computer to your network." I don't know what virus protection you have, if you've been trojaned, etc. So, I'm going to want to keep an eye on you, etc.
Once the network is up, yes, I can see your computer, depending on what privileges you have set (and what compromised software you've picked up. :-) )
There are ways to make us both happy.
1) Independent computer that *only* talks to the office. If you ask nicely, we might even give you one.
2) Thin clients. Right now, I have a mostly configured Wyse V90L right here. You plug it it, turn it on, it boots, connects to the VPN, runs VDM, and connects to the broker. You log it, you get your work desktop. Your computer? I never touch it. This makes us both very, very happy.
3) Virtual Machines. Get a VM player, like VMware Player. Run a VM that has the software you need to connect and work. That firewalls your machine from the company (and visa-versa). If your IT department has a clue*, they'll build a VM that you can use with VMPlayer or whatnot, and do all the hard work for you.
See -- it's not because we're bastards**, it's because we have to protect our side of the network, and we'd love to make sure you could protect your side of your network as well.
Talk to us. We'll help you get the right answer.***
*Holy shit, why didn't I think of this before? I know what I'm doing tomorrow!
** Okay, we are. But often, we're friendly bastards on your side. Really.
*** Unless you have one of those all-dick all-the-time IT departments, in which case, I'm sorry, we're not all like that.
posted by eriko at 5:30 PM on October 1, 2008 [2 favorites]
Yes. Hi, I'm the guy who does this VPN stuff. Possibly for you, I don't know where you work.
What you're asking is "I want to tie my computer to your network." I don't know what virus protection you have, if you've been trojaned, etc. So, I'm going to want to keep an eye on you, etc.
Once the network is up, yes, I can see your computer, depending on what privileges you have set (and what compromised software you've picked up. :-) )
There are ways to make us both happy.
1) Independent computer that *only* talks to the office. If you ask nicely, we might even give you one.
2) Thin clients. Right now, I have a mostly configured Wyse V90L right here. You plug it it, turn it on, it boots, connects to the VPN, runs VDM, and connects to the broker. You log it, you get your work desktop. Your computer? I never touch it. This makes us both very, very happy.
3) Virtual Machines. Get a VM player, like VMware Player. Run a VM that has the software you need to connect and work. That firewalls your machine from the company (and visa-versa). If your IT department has a clue*, they'll build a VM that you can use with VMPlayer or whatnot, and do all the hard work for you.
See -- it's not because we're bastards**, it's because we have to protect our side of the network, and we'd love to make sure you could protect your side of your network as well.
Talk to us. We'll help you get the right answer.***
*Holy shit, why didn't I think of this before? I know what I'm doing tomorrow!
** Okay, we are. But often, we're friendly bastards on your side. Really.
*** Unless you have one of those all-dick all-the-time IT departments, in which case, I'm sorry, we're not all like that.
posted by eriko at 5:30 PM on October 1, 2008 [2 favorites]
Response by poster: Ha! Thanks for that answer - we contracted our IT work out and the incentive for most of the front line IT people is to close whatever "ticket" they had to open when you called them - not necessarily to fix your problem. It's basically a matter of finding the people further up the chain who know what they're doing - and then hoping that someone even further up gave them the authority to actually fix the problem.
Anyway - sounds like I might just have to go w/ the dedicated extra laptop for work and then try to isolate it as much as possible from the rest of the machines on the home network.
posted by Mirandala at 5:43 PM on October 1, 2008
Anyway - sounds like I might just have to go w/ the dedicated extra laptop for work and then try to isolate it as much as possible from the rest of the machines on the home network.
posted by Mirandala at 5:43 PM on October 1, 2008
I will disagree with wongcorgi, who said, "As I understand it, when you go thru a VPN, all traffic gets redirected thru that connection."
This may be true, but not necessarily. It depends on how your VPN is configured. For instance, I use the VPN facility built into Mac OS X to connect to my corporate network. The way it is configured, when the VPN is connected, any traffic directed to the corporate intranet goes through the VPN. Any network traffic that hits the plain ole internet (google.com, for instance) routes through my home ISP as usual.
If you are wise in the way of traceroute, you can test how your particular corporate VPN solution works.
posted by browse at 7:42 PM on October 1, 2008
This may be true, but not necessarily. It depends on how your VPN is configured. For instance, I use the VPN facility built into Mac OS X to connect to my corporate network. The way it is configured, when the VPN is connected, any traffic directed to the corporate intranet goes through the VPN. Any network traffic that hits the plain ole internet (google.com, for instance) routes through my home ISP as usual.
If you are wise in the way of traceroute, you can test how your particular corporate VPN solution works.
posted by browse at 7:42 PM on October 1, 2008
This thread is closed to new comments.
Yes. VPN is two way. They control the settings of the VPN. I would consider all things that are not encrypted to be in the hands of your company. Perhaps that's too paranoid, but its doable.
I wouldnt be surprised if this isnt already possible via TS/RDP. Why not? The client can map the local drives, so we know its possible. How likely is the real question.
If I'm logged out of terminal services, does that stop them from any kind of potential monitoring or information gathering of my private system?
If the VPN tunnel is still active then no, this wont stop them.
posted by damn dirty ape at 2:00 PM on October 1, 2008