Does work VPN always compromise home privacy?

[dold@XReXXDoesX.usenet.us.com]

In alt.internet.wireless Peter Pan <PeterPanNOSPAM@akamailnospam.com> wrote:

> I was going by this
> "I'm pretty sure when I do not VPN in from the work computer, they can't
> "see" what I do on the home computer ..... but when I vpn in on the work
> computer on the same network as the home computer .. .... can they "see"
> what I do on the home computer?

> That seemed like using the work computer to access the home computer....

But I think the "work computer" is at home, connecting to the corporate
VPN. The question was whether his personal computer is now visible to the
company. What he's missing is that when the VPN connects, his access to
the network that is in the same room is lost.

> However, Even if it was from home to work, I do still sort of wonder
> about who gets pinched if an illegal activity occcurs... IE if you work
> from home, and do something illegal, are you liable or is the company
> liabel?

One would expect that the evildoer is the one in trouble for doing evil.

There could be some argument that the company is facilitating the evil by
giving him network access, but in the case of VPN, that access is riding on
some other access that the evildoer already has in place. In any even, one
might assume that illegal activities are against company policy, providing
some shield for the corporation.

--
---
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5

[dold@XReXXDoesX.usenet.us.com]

In alt.internet.wireless Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
> >I work for a snooping kind of company where I would not put it past
> >them to watch what I do on my personal home computer if they could.

> What corporation would risk the bad press and breach of trust for such
> a dubious and worthless pastime? Even a hint of such snooping in a
> wrongful termination suit is likely to turn against the corporation.
> Unless your on the board of dictators of HP, I wouldn't worry about it
> much.

A lot of sniffing and snooping may be going on, under the guise of
"corporate security". Unless there is a termination or other blatant
disclosure, one might never know what has been observed.

> Actually, the office VPN is more at risk than you are. If your other
> machines are worm, virus, trojan, and spyware infested, they could
> easily attack or infect the corporate LAN via the VPN. Hopefully,
> your IT department has take steps to defend themselves.

That wouldn't exactly be the case in a normal setup. Those other vile
computers would probably have no access to the corporate LAN, because they
aren't running Nortel clients, and the "normal" LAN has no access to the
work PC once it connects to the VPN.

The big exposure is that he is only occasionally required to use the VPN,
implying that the work PC might be infected at some time while not under
the corporate security umbrella.

> I assume the home computer is a different computer than your company
> issued laptop. If the VPN client is located on the laptop, and the
> VPN is properly setup, then the office LAN can only see the laptop and
> not the home computer. If the VPN originates in the router, then the
> office LAN can see your entire home network.

Hmmm. That wouldn't be a "Nortel VPN" connection then... it should be more
obviously a corporate router, which wasn't mentioned, and is unlikely,
since the VPN portion of the connection has been described as occasional.

> Asking the same question 3 times will not yield a better answer.

Hard to say. Asking three times in slightly different fashion can
certainly elicit N^3 different responses ;-)

--
---
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5

[prodigal1]

On Tue, 03 Oct 2006 16:13:50 -0700, Jeff Liebermann wrote:
> What corporation would risk the bad press and breach of trust for such a
> dubious and worthless pastime?

This is a joke..yes?

[Andy Walker]

lisa harkema wrote:

>Does work vpn compromise home privacy & security?

I would be more worried about the home network, but if your IT guys
are clueless...

>I work for a snooping kind of company where I would not put it past
>them to watch what I do on my personal home computer if they could.

That's why we(tinw) require all computers connecting to our trusted
network be purchased by, or consigned to, "the "corp". If someone
wants to use a home computer to do business on our networks, they will
have to sign a release of their computer asset over to the
corporation. By doing that, they are able to load all licensed
corporate software on their home computer, including security
software, that is required for access to our networks. They never have
to surrender their own computer equipment, unless, of course, there is
a need for a forensic investigation. Forced software updates and
policy enforcement is mandatory BEFORE being allowed on to the trusted
networks, and then all communication across the VPN tunnel is logged.

>Can they "see" what I do on my home laptop when I vpn from home on my
>work laptop?

It's entirely possible, but highly unlikely.

>Often I am asked by my manager to use Nortel VPN to connect to the
>work network using my home ISP on my work-owned portable Windows XP
>laptop. At the same time, I am on my home WinXP PC connecting through
>the same Linksys wireless router.

It is possible. If you don't want to be exposed, you could restrict
user access to your home computers by logging into your work laptop
with a different username/password, one that can't access your other
systems (also make sure your network shares have the proper user
restrictions.) There is always the possibility of
exploits/user/pasword guessing/cracking/keyloggers/etc.. that can be
used by a determined snooper, but you really have to ask yourself; are
you actually worth all that to your company?

YMMV

[MINISOFT]

lisa harkema wrote:
> Does work vpn compromise home privacy & security?

No. VPN is an encryption protocol that rides on the TCP carrier
protocol. VPN encrypts the traffic between your machine the client VPN
solution (one valid vpn end point) and the server vpn solution (one
valid vpn end point). It prevents some one from eavesdropping on the
data traffic between your machine and the company's network.

>
> I work for a snooping kind of company where I would not put it past
> them to watch what I do on my personal home computer if they could.

I doubt that they care about what you're doing from your machine. There
only so much you can do anyway.
>
> Can they "see" what I do on my home laptop when I vpn from home on my
> work laptop?

Maybe, maybe not and there would have to be a hidden back door installed
on the machine the so they could see your every move and keystroke.
>
> Often I am asked by my manager to use Nortel VPN to connect to the
> work network using my home ISP on my work-owned portable Windows XP
> laptop. At the same time, I am on my home WinXP PC connecting through
> the same Linksys wireless router.


So? What, are you thinking they can see what you're doing from your home
machine because you have them both connected to a router? They don't
care and are not looking. It's impossible for them to do that anyway.


>
> I'm pretty sure when I do not VPN in from the work computer, they
> can't "see" what I do on the home computer ..... but when I vpn in on
> the work computer on the same network as the home computer .. .... can
> they "see" what I do on the home computer?

NO!

>
> Does VPN compromise my home security or is my home PC activity still
> secure?

No, you're the one that compromises your home security by not doing Safe
Hex.

http://www.claymania.com/safe-hex.html

VPN is just a data privacy solution between your machine and the
company's network over the Internet, so no one can eavesdrop on the
data/traffic.

Duane

[Jeff Liebermann]

dold@XReXXDoesX.usenet.us.com hath wroth:

>A lot of sniffing and snooping may be going on, under the guise of
>"corporate security". Unless there is a termination or other blatant
>disclosure, one might never know what has been observed.

That would seem a bit paranoid but possible. The company would need a
good reason to justify such a fishing expedition. There would also
need to be some evidence of wrong doing, documented procedures for the
inevitable trial or labor board hearing, and possibly proof of secure
handling of the accumulated evidence. If the evil corporation is
going fishing, it would be considered good form if the fish were
suitable for litigation or termination. Otherwise, why bother?

From my limited experiences, some companies do sniff internet traffic
in order to detect viruses and leakage of internal documents. I
installed a sniffer long ago that looked for specific project names in
SMTP packets. However, that's about the limits of sniffing that I've
seen.

Snooping around a users network backwards via VPN is possible. One
software company installs VNC and SSH in addition to the usual IPSec
VPN client on their users laptops. The purpose is not for the admins
to spy on their programmers, but rather so that the programmers can
pickup files from their home machines in a secure manner. VNC is
setup to only operate inside the VPN tunnel. However, it would be
fairly easy to use VNC to spy on the rest of the users home LAN.

>That wouldn't exactly be the case in a normal setup. Those other vile
>computers would probably have no access to the corporate LAN, because they
>aren't running Nortel clients, and the "normal" LAN has no access to the
>work PC once it connects to the VPN.

Agreed. The "normal" VPN setup disconnects the local LAN and sends
all traffic through the remote VPN gateway. Every time I connect, I
immediately lose my local networked printer, any local servers, my IM
connections, Skype goes dead, etc. Some reconnect via the VPN if
there is an internet connection at the other end of the tunnel, but
the LAN stays disconnected.

However, that's the "normal". It would not take much imagination to
visualize a method by which the "normal" VPN security can be
compromised. Setting the default gateway to NOT go through the tunnel
to the remove VPN router is a good start. Bridging the ethernet
interface to a wireless device is another. Adding forensic "helper"
applications will certainly do the job.

>The big exposure is that he is only occasionally required to use the VPN,
>implying that the work PC might be infected at some time while not under
>the corporate security umbrella.

I used to assume that corporate laptops had their security fairly well
nailed down with security templates and Windoze group policy
management.
http://www.cisecurity.com
Then, I took a close look at some allegedly secure laptops owned some
banks, insurance companies, and medical offices. Methinks that
malware infection is a definite risk and I'm amazed that it doesn't
happen more often with such laptops.

>Hmmm. That wouldn't be a "Nortel VPN" connection then... it should be more
>obviously a corporate router, which wasn't mentioned, and is unlikely,
>since the VPN portion of the connection has been described as occasional.

I don't have any experience with Nortel VPN's, but I guess(tm) that
it's just another IPSec VPN with the usual assortment of
encapsulation, authentication, and encryption options. As long as
Nortel hasn't added anything proprietary, it should work with any VPN
device including the hardware VPN routers such as Sonicwall. Nortel
does make a small VPN router (Model 600), but you're correct that the
OP probably doesn't have one as it's more suitable for a branch office
than a home user.
| http://products.nortel.com/go/produc...?prod_id=34760

>> Asking the same question 3 times will not yield a better answer.

>Hard to say. Asking three times in slightly different fashion can
>certainly elicit N^3 different responses ;-)

Have you ever noticed that if you ask a doctor or lawyer for an
opinion, you'll never get a single answer? You always get multiple
possibilities leaving you with the responsibility of making the
decision. If you decide incorrectly, the doctor or lawyer can claim
it wasn't their advice that sent you astray, it was your decision. In
keeping with such established procedures, I always muddle my answers
with a surplus of possibilities, thus offering me an easy way out if I
happen to be wrong.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

[alien]

"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
news:eml7i2hajqpqdp7vom4r4s1ojqpmljj3r2@4ax.com...

.....big snip....

> I always muddle my answers
> with a surplus of possibilities, thus offering me an easy way out if I
> happen to be wrong.
>
> --
> Jeff Liebermann jeffl@comix.santa-cruz.ca.us
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558

Shouldn't there be an "or not" at the end of your sentence then?

alien

[BJ Honeycut]

On Tue 03 Oct 2006 07:13:50p, Jeff Liebermann <jeffl@comix.santa-
cruz.ca.us> took the time to tell us all in
news:4iq5i29so42ckh3i715ghv9v4eqir0uk9t@4ax.com:

> lisa harkema <lisa.harkema@gmail.com> hath wroth:
>
>>Does work vpn compromise home privacy & security?
>
> That depends on how it's setup.
>
>>I work for a snooping kind of company where I would not put it past
>>them to watch what I do on my personal home computer if they could.
>
> What corporation would risk the bad press and breach of trust for such
> a dubious and worthless pastime? Even a hint of such snooping in a
> wrongful termination suit is likely to turn against the corporation.
> Unless your on the board of dictators of HP, I wouldn't worry about it
> much.

Plenty do. Look at the name of this NG, J

>>Can they "see" what I do on my home laptop when I vpn from home on my
>>work laptop?
>
> Again, it depends on how it's setup.
>
> However, if you're that paranoid the company will discover your
> collection of morally degenerate porn, copyright violations, or
> correspondence with the corporation, there's an easy way to be sure
> they can't snoop. Install a 2nd router between your porn server and
> the main router. Set it up for NAT but on a different class C subnet.
> For example, if your main router puts your clients on 192.168.1.xxx,
> then setup the 2nd NAT router for 192.168.2.xxx. There's no easy way
> for your evil emplolyer to go backwards through the 2nd router unless
> you punch it full of holes (port forwarding or triggering). This is
> commonly called "double NAT". The downside is that some services that
> do require port forwarding will need to be accomidated. For example,
> if you're running VNC, you'll need to port forward 5800 and 5900 in
> *BOTH* routers. It's a bit of work, but no big deal.
>
Not both, just the subnet connected to the VPN machine. Great suggestion,
though as that's sort of what I have.

>>Often I am asked by my manager to use Nortel VPN to connect to the
>>work network using my home ISP on my work-owned portable Windows XP
>>laptop.
>
> Nothing wrong with that. That's the whole purpose of issuing you a
> work-owned laptop.
>
>>At the same time, I am on my home WinXP PC connecting through
>>the same Linksys wireless router.
>
> Actually, the office VPN is more at risk than you are. If your other
> machines are worm, virus, trojan, and spyware infested, they could
> easily attack or infect the corporate LAN via the VPN. Hopefully,
> your IT department has take steps to defend themselves.
>
>>I'm pretty sure when I do not VPN in from the work computer, they
>>can't "see" what I do on the home computer ..... but when I vpn in on
>>the work computer on the same network as the home computer .. .... can
>>they "see" what I do on the home computer?
>
> I assume the home computer is a different computer than your company
> issued laptop. If the VPN client is located on the laptop, and the
> VPN is properly setup, then the office LAN can only see the laptop and
> not the home computer. If the VPN originates in the router, then the
> office LAN can see your entire home network. If your company also
> issued you a decent router, that isolates the VPN client from the rest
> of the LAN in hardware, such as a Sonicwall , then the office can
> only see your laptop.
>
The only ? is if the 2 machines share on the LAN when not connected to the
VPN and then one forwards info…paranoid yes, but then so was the idea that
the Germans might get a nuke before we did. They almost did.
Nothing is stopping a company from using security software to monitor what
you share with other machines.

>>Does VPN compromise my home security or is my home PC activity still
>>secure?
>
> Asking the same question 3 times will not yield a better answer.
> Whether your activities are secure are totally dependent on your VPN
> setup, of which I only know that you're using a Nortel VPN client on a
> company owned laptop. If you want specific opinions as to your
> security status, you might consider disclosing some details.
>
>
>



--
"Time will bring to light whatever is hidden;
it will cover up and conceal what is now shining in splendor."
Horace (65 - 8 BC); Roman poet.

Mike