
VPN Exposure

212 Views
Last Modified: 2017-05-23
In my experience connecting to a corporate VPN makes my computer a part of another network.  This means that my computer and possibly other computers on my network are now visible to the corporate vpn.  Would this also hold true of retail vpn suppliers now being able to probe my local network for vulnerabilities?

John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
It may depend in part on the specific VPN characteristics. I suppose it is possible, however.

Author

Commented:
Always suspicious, John.  Effectively a VPN could provide a backdoor into an organisation.  If the VPN connection is made at the router then the whole network would be vulnerable.  Not sure anyone, especially an organisation, should open this door...

Author

Commented:
Would you recommend a public VPN to your clients?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
No. I do not know exactly what they run. I only use / recommend private business VPN.
Natty Greg, In Theory (IT)
CERTIFIED EXPERT

Commented:
When connecting from a laptop or mobile device, they can only see that device; the only other way is if you had set up a site-to-site VPN.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
We have both client to gateway and gateway to gateway operating and it is the gateway to gateway that allows multiple devices to access.
Tom Cieslik, IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
You have 2 secure choices:

1. Set up an RRAS server in your company and open all required ports for the VPN connection, add the users that are going to use the VPN from outside to a VPN group and allow only this group to use the VPN, then set up a dial-up client (new network connection) on user computers outside your company to give them access to your corporate network (this will require a login and password from users who are members of the VPN group).

2. Site-to-Site VPN. If you have 2 firewalls on both sides (one in your corporation, the second on the other network) and both firewalls support Site-to-Site VPN (like SonicWall), then you can set up a very secure connection between those firewalls based on a listener name and an encrypted key, so all people on both sides of the VPN will be able to see both networks and have access to shared folders.

Never use a public VPN, since it is quite easy to break for a middle-skill hacker.

Author

Commented:
Thanks for your feedback.  This is potentially a big problem.  Employees hoping to do some browsing from their work computer without "big brother" looking at them can have their browser use a vpn by simply running a plugin provided by the VPN retailer.  They may see it as harmless but it effectively creates a security vulnerability.  Any ideas on how to prevent this?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Do not use public VPN. I think that is not a good idea.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
If the VPN is a browser based system, prevent the site in your firewall.

If the VPN is an appliance, do not let employees install software.

Author

Commented:
I agree John, but I am worried that either BYOD or some enterprising but naive employee may not realise the impact this may have.  Ideally we need a way to stop this possibility from happening.  Unfortunately this might not be possible.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
There is nothing you can do about people's own gear. We generally keep employees' iPhones and whatever on a guest wireless not connected to company gear.

There is only so much you can do, almost all of which is outlined above.

Author

Commented:
Yes I agree.  Thanks again John.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Would this also hold true of retail vpn suppliers now being able to probe my local network for vulnerabilities?
The way VPNs are generally set up, the answer would be no. The computer would have to be compromised in order to gain access to the other network (which is where I know your concern lies). But that would generally be someone accessing the machine from somewhere on the internet, not via the VPN connection.

Employees hoping to do some browsing from their work computer without "big brother" looking at them can have their browser use a vpn by simply running a plugin provided by the VPN retailer.  They may see it as harmless but it effectively creates a security vulnerability.  Any ideas on how to prevent this?
Do you have reason to allow outbound VPN connections from your network? If not, then you could just block outbound VPN connections. Exact method depends on the firewall you have.

Tons of places have moved away from BYOD for a number of reasons, including legal ones. Like if data is required from a device, how does one ensure the personal data on the device is not accessed? Or even the question of device wiping. Disallowing BYOD is one of the simpler methods of preventing a subset of potential issues.

John is right from the standpoint of having guest networks for when people do bring their personal devices to the office for web browsing. I also agree with him on blocking various sites in the case of web-based VPNs. (In terms of sites requiring clients, see my question about VPNs that should be allowed.)
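The two practical controls raised in this thread are blocking outbound VPN connections at the firewall and being able to tell whether someone inside the network has already started one. The following is an added example, not code from any participant or from Experts Exchange: a small Python audit that reads firewall-style flow records and flags hosts on the internal LAN that are talking to external addresses on the default ports of common VPN protocols (OpenVPN, IKE/IPsec, L2TP, PPTP, WireGuard), including PPTP's GRE data channel. The log format, the sample records, the corporate address ranges and the port table are all constructed assumptions; a provider can run on any port, so a hit is an indicator to investigate, and the same port list is what you would translate into the outbound deny rules for whatever firewall you run.

```python
"""Audit outbound flow records for likely third-party VPN tunnels (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumption: default ports of common VPN protocols. Providers can move to other
# ports (often tcp/443), so this is a first-pass indicator, not proof of a tunnel.
VPN_SIGNATURES = {
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN",
    ("udp", 500): "IKE (IPsec/IKEv2)",
    ("udp", 4500): "IPsec NAT-T",
    ("udp", 1701): "L2TP",
    ("tcp", 1723): "PPTP control",
    ("udp", 51820): "WireGuard",
}

# Assumption: the corporate LAN uses RFC 1918 space. Adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed record format: "<timestamp> <src_ip> -> <dst_ip> <proto>[/<dport>] <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) ([A-Za-z]+)(?:/(\d+))? (\d+)$")

# Constructed sample flows: one OpenVPN client, one IKEv2 client, one PPTP client,
# plus ordinary HTTPS, internal SMB, an inbound flow and a malformed line.
SAMPLE_LOG = """\
2017-05-22T09:14:01 192.168.10.25 -> 203.0.113.7 udp/1194 48212
2017-05-22T09:14:05 192.168.10.25 -> 93.184.216.34 tcp/443 9100
2017-05-22T09:15:11 192.168.10.40 -> 198.51.100.9 udp/500 1200
2017-05-22T09:15:12 192.168.10.40 -> 198.51.100.9 udp/4500 77100
2017-05-22T09:16:30 192.168.10.61 -> 198.51.100.22 gre 30400
2017-05-22T09:17:02 192.168.10.25 -> 192.168.10.5 tcp/445 5000
2017-05-22T09:18:00 203.0.113.50 -> 192.168.10.25 tcp/1194 100
not a log line
"""


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, port, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "port": int(port) if port else None, "bytes": int(nbytes)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec):
    """Label an internal->external flow that looks like a VPN protocol, else None."""
    if rec is None or not is_internal(rec["src"]) or is_internal(rec["dst"]):
        return None          # only outbound flows from the LAN are of interest
    if rec["proto"] == "gre":
        return "PPTP data (GRE)"   # PPTP carries its payload in GRE, which has no port
    return VPN_SIGNATURES.get((rec["proto"], rec["port"]))


def audit(lines):
    """Group suspected VPN flows by internal source host."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings[rec["src"]].append((label, rec["dst"], rec["bytes"]))
    return dict(findings)


if __name__ == "__main__":
    for host, flows in sorted(audit(SAMPLE_LOG.splitlines()).items()):
        for label, dst, nbytes in flows:
            print(f"{host}: {label} to {dst} ({nbytes} bytes)")
```

Run against the constructed sample it reports three internal hosts: one OpenVPN, one IKE plus NAT-T pair to the same endpoint, and one GRE flow consistent with PPTP; the inbound flow and the internal SMB flow are ignored. Feeding it your real firewall export is a cheap way to check whether the "browser plugin VPN" problem described above is already happening before you decide which ports and sites to block.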
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
We have provided a good range of solutions. Can you please come back and close?

Author

Commented:
Thank you all for your contribution to this discussion.  I have appreciated your insight and advice.  There are so many ways in and it is difficult to find some of them.  I guess when there is an AI device that can spend all of its time looking for suspicious activity then we can rest a little easier.

Regards,

George Dullege
CTO Jeneri IT

Author

Commented:
Thanks again.
Natty Greg, In Theory (IT)
CERTIFIED EXPERT

Commented:
You're welcome