Remote Access VPN

Muckles · ‎12-22-2017

I recently saw something that interested me on social media. There was a discussion involving a few different people about how to connect their corporate laptops to their personal smart TVs while homeworking, so they could view files on larger screens. Presumably these people connect into the corporate network using a VPN from their laptops through their home routers. I’m immediately uncomfortable with the idea of connecting a (presumably) managed, corporate device, to essentially, another computer. I can imagine getting questions about this at some point and want to work through the details and get the risks clear in my mind.

There were a range of suggestions of how to do it. I can boil these down to connecting the laptop to the router wirelessly and the smart TV to the router wirelessly so the two devices were communicating through the router. Or the same connections but by Ethernet. I don't quite understand how either of these proposed solutions are even technically possible if the VPN is initiated by a VPN client on the laptop and, therefore, the packets are encrypted between the laptop and the RAS/NAS server on the network. The other solution was to cable the laptop direct to the smart TV using the HDMI port.

Has anyone any experience of this or can anyone suggest anywhere I could start my research with?

Badfilemagic · ‎12-22-2017

Depending on the VPN client itself and other security controls on the endpoint, split tunneling is possible. Chances are high that users have IPv6 at home without knowing it and no IPv6 at work. Lack of routes for v6 traffic into the tunnel will create a natural split tunnel if v6 isn’t disabled on the laptop. So, assuming you have Concast, which provides v6 to the home, all your devices probably have v6 addresses and your corp VPN isn’t tunneling v6; access via v6 addresses is therefor straight forward even with the tunnel enabled, so long as the application on the tv supports it.

-- wdf//CISSP, CSSLP

Muckles · ‎12-22-2017

Wow, I didn't realise that. Thanks very much for the reply.

Badfilemagic · ‎12-22-2017

The bigger issue with the split tunneling of ipv6 isn’t the smart tv scenario, it is the rest of the internet. Modern browsers are programmed to prefer AAAA records over A records, so if a site has an ipv6 presence and the endpoint has an ipv6 address and routes, it will be used. That means sites like Facebook, twitter, etc. which may be against organizational policy will potentially be unobservable when workers are at home. Use of services like dropbox, which are likely to be banned or at least curtailed, may also evade border security controls when workers are at home, even if they are on the VPN.

Additionally, phishing sites or those serving driveby downloads via ipv6 would leak around your firewall/ips and the attacker could pwn a remote employee and then leverage the v4 vpn tunnel to access your enterprise resources, pivoting through the compromised endpoint which is splitting v6 out and not sending it through the vpn.

Short answer is, if you don’t have internal IPv6 and aren’t going to tunnel it is to disable it on the endpoints (via Windows GPO or whatever) to prevent the problem outright. But that just falls under “disable services you aren’t using” more generally. Making sure you have appropriate firewall rules in place to cover v6 if you do have a feed to your enterprise is also a must, of course; don’t just rely on defaults — they are often wrong, and as much of a joke as ipv6 adoption is, more people have it than realize, especially at home.

-- wdf//CISSP, CSSLP

tsawyer · ‎12-22-2017

Good Morning. I noticed your post and think we all may be overcomplicating the situation. Without more information I could not say for sure but from the text I read I thought they meant they were using the TV as a large monitor. If they are using HDMI to connect the laptop to the TV, the VPN client software is not on the SMART TV directly.

Now if you're raising a concern of a corporate asset connected to network where other devices may connect, that ship has already left the dock, set sail and fallen off the horizon. Users already connect to their home network and unless you already have a policy to completely control THEIR network the only option is the create strong security policies on the corporate assets. Things like not granting users admin rights (or creating 2 account, 1 regular operating and 1 privileged account), disabling the Windows File and Printer Sharing service, disabling any unneeded user accounts/services and insuring updates (AV and OS) from Vendor or corporate asset. I've worked with a company that had 0 Information Security Polices and when the virus hit, they still did not learn their lesson. Despite the fact a home machine was permitted to infect the corporate network, they refused to implement proper controls.

I would recommend asking more detailed questions on exactly how they are using their assets at home before trying to implementing compensating controls. If you're going to allocate time and resources to the concern, best to make sure you're getting bang for your buck.

Badfilemagic · ‎12-22-2017

Yeah, if they are plugged in via HDMI it is a different situation. The bit i keyed in on was related to connecting wirelessly via wifi, while on the vpn. Just pointing out it is possible, and that just because there is a VPN doesn’t mean there is the level of protection assumed. But you are right, there are a broad swath of security controls and mitigations which need to be considered depending on the details of the situation, and we don’t have all of them.

-- wdf//CISSP, CSSLP

Muckles · ‎01-02-2018

Thanks for all of the advice which will help me do a bit of research on the subject.