iluom
Contributor II

Murky VPN : Partially open for secure communication...?

 

Hi

 

Please help me to clear my ambiguity regarding VPNs

 

A VPN will not make me fully anonymous online; it does to some extent. The reasons could be many, for example log files kept by VPN service providers, or legal obligations etc. It's okay.

 

My question is how does VPN make my communication private/secure to "non-https" website?

 

If the VPN connection is to an https website, we can understand that SSL/TLS encrypted communication takes place between the VPN server and the https website.

 

If the connection is to any organization's private network, I assume the communication between the VPN server and the organization's private network will be handled by some VPN server setup or by some VPN communication protocols (PPTP, L2TP/IPSec etc.) by the VPN provider on the premises of the org LAN... (I am not sure... is it the way?)


So, without a VPN, my connection is fully open, anyone with the right tools can look at my data. Using a VPN solves the problems by encrypting my transmission and making it appear as if it’s the VPN server itself that’s making the connection and not me. But how does it handle the other half of the transmission from VPN server to destination website? 

 

Does it partially open? Is end-to-end encryption possible?

 

Thanks

 

 

 

 

Chandra Mouli, CISSP, CCSP, CSSLP
12 Replies
Caute_cautim
Community Champion

Okay, let's go back to basics: a user's browser interacts with a public web server via a handshake negotiation, where the server controls the cryptographic standards it accepts based on the organisation's security policies. It enforces the appropriate policies on the user's browser, i.e. these days TLS v1.2 is the normal standard, also known as HTTPS, so the interactions between both remain private or secure.

 

However, if a bad intermediary manages to step in as a "person-in-the-middle" (PC got me), then technically they could, with a proxy, interact with the negotiation and make you think you have a secure connection, but read all the data that is available. There are techniques to detect such attacks, which the organisation's server can be set to use to reduce the likelihood of this. Previously, before HTTPS was mandated for the Internet, the number of "person-in-the-middle" attacks was rife, and caused major issues.

 

Technically the user's browser and the organisation's server set up a point-to-point secure connection during the period the user's browser is interacting, etc.

 

You normally use a fixed VPN between a business partner or supplier whom you trust, and you agree and negotiate the security standard required and how it should be put in place, etc. There are many types, including SSL/TLS VPNs using certificates, or full VPNs using gateways, routers or similar solutions to provide point-to-point solutions. You can use IPSec or IKE algorithms or even use PKI certificates, depending on the organisation's policies.

 

There are configurations which, quite frankly, are not safe with a VPN, for instance split tunneling, so by policy and mutual agreement you agree the configuration and standards you need to apply between you and the other party.

 

These days, many organisations are moving to Software Defined Networks, or SDNs, which automatically set up policies and routes within an organisation, defined by policies determined centrally and applied automatically, including the provisioning of IPS, gateway, firewall/router or even switch and anti-malware protection as part of the solution.

 

Does this help or cause further murk in the waters?

 

Regards

 

Caute_cautim

iluom
Contributor II

Hey, thanks for replying, but I'm not clear yet.
Let me make my question a bit clearer.
I have a VPN subscription from a provider. I have my VPN client installed on my personal device. Now I would like to connect to a website, which is http://www.iluom.com. It's not an https website.
It's hosted on a web server. When I connect to the VPN to reach the website I use my VPN service; my data is encrypted since I'm using their application, goes in encrypted form to the ISP and then to the VPN server. The VPN server is the third party that connects to the web on my behalf. Now from this point the VPN server should take it forward, but there is no secure session or TLS handshake between the VPN server and www.iluom.com. It's an open communication to the website. So in this scenario, how does the VPN help me to secure the info?
I'm not sure if I'm missing something to get the point.
Chandra Mouli, CISSP, CCSP, CSSLP
AlecTrevelyan
Community Champion

Correct, in your example the traffic is unencrypted from the VPN server to your website, and if someone can intercept that unencrypted traffic then they can look into it. Who said it would be protected in this instance?

 

Your VPN will only protect your traffic up to the VPN Server. If you want end to end encryption then you need to change your website to use HTTPS, or only connect to websites using HTTPS - most websites on the WWW now also/only offer HTTPS. To be absolutely sure no one is snooping on your traffic check each website's certificate is all in order when you connect.

 

Personal VPNs are generally promoted for anonymisation purposes which you identified in your first post. Many of them don't keep any logs, but you also need to be careful they are not leaking your details:

 

https://www.comparitech.com/vpn/vpn-leaks/

 

EDIT: updated to make it clear when I'm talking about the VPN server and the website.

 

Shannon
Community Champion

 

Let me try to simplify it...

 

There's a VPN user (A), a VPN server (B) and a destination server (C). When the user communicates with C, the traffic path will be A --- B --- C.

 

The VPN tunnel itself only gets established between A and B, so ALL traffic between these points will be secured.

 

There won't be any tunneling between B and C --- so unless the destination server uses HTTPS, traffic between these points won't be secured.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
iluom
Contributor II

Great. Thank you.
What would be the case with remote access to your desktop using a VPN?

If point C belongs to an org and the VPN provider has an agreement with it regarding secure session establishment, would it be possible to secure the traffic between B--C?

Regards
Chandra Mouli, CISSP, CCSP, CSSLP
Shannon
Community Champion

 

@iluom, as I'd asked on your post related to Malware detection --- what's your objective? Since you mentioned Remote Desktop, check this article; perhaps it provides info on what you're looking for...

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
denbesten
Community Champion

The underlying reality is that the server gets to decide how clients connect to it. If the server only accepts encryption, you must encrypt. If it only accepts clear-text, you cannot encrypt.

 

VPN providers simply aggregate many clients to make it look like they are all in the provider's building.  They can not change the underlying way that the server works.

 

Using a VPN provider:

  1. Makes a stalker believe that the only place you go is to the VPN provider.
  2. Hides the contents of what you send to the VPN provider from stalkers.  
  3. Still allows the stalker to see how often you are online, the size of each connection and when each connection happens.
  4. Makes the server believe you are located in the VPN provider's building.
  5. Does not change what a stalker can see with respect to the communications from the VPN provider to the server.

A VPN provider can be effective if you want to hide international communications from your own government, but you can not do very much to hide from "everyone" without cooperation from the company which owns the server. 

AlecTrevelyan
Community Champion


@iluom wrote:
Great. Thank you.
What would be the case with remote Access to your desktop using VPN?

If point C belongs to an Org and if VPN provider has an agreement with it regarding the secure session establishment, will that be possible to secure the traffic between B--C

Regards

I agree that we'd need to understand the full set of requirements to be able to advise properly, but to answer the question as stated...

 

Assumptions:

 

  • You are not using encrypted protocols to access host C (e.g. HTTPS, SSH and RDP).
  • Any applications you are using between A and C don't encrypt communications between them.
  • B and C are not on the same physical LAN where you could use other mechanisms to secure traffic between them.
  • You need network layer access between A and C.

To secure the traffic between B and C would require an IPsec VPN tunnel between them. Just to clarify the IPsec VPN tunnel would terminate directly on B and C. If the tunnel does not terminate directly on B and C then there will always be a portion of the traffic path where the traffic is unencrypted based on the assumptions above.

 

Will you be able to find a VPN provider who will setup an IPsec VPN tunnel from their VPN server to a desktop? This is unlikely but technically possible.

 

Assuming they did agree to do this for you:

 

  1. A connects to B using its VPN client.
  2. The VPN client changes the routing table on A to force it to send all traffic destined for anywhere down the tunnel to B (I'm assuming split tunnelling is not enabled).
  3. A tries to connect to C.
  4. The traffic destined for C is routed down the VPN tunnel from A to B.
  5. Once the traffic hits B, B checks its routing table and knows to forward traffic destined for C down the IPsec VPN tunnel between B and C.
  6. The traffic now arrives at C.
  7. As long as the routing tables are all correct on B and C any return traffic follows the reverse path (C > B > A) and arrives back at A.

The above is more likely to be seen in a corporate network. Users connect using a VPN client to a firewall. The firewall then has an IPsec VPN connection to a remote site rather than a single desktop. However, the premise is the same with the users being able to gain access to resources on the remote site via the firewall and the 2 VPNs.
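To make the three-party model concrete (Shannon's A --- B --- C path, denbesten's list of what a stalker can and cannot see, and the IPsec tunnel terminating on B and C described in the post above), here is an added Python simulation. It is example code written for this thread, not something any of the posters supplied. The addresses, keys and HTTP request are constructed, and the `keystream_xor` helper is a stand-in for a real tunnel cipher so that the script runs with the standard library only; the point it shows is which segment carries ciphertext, not the cipher itself.

```python
"""Simulate a VPN user (A), a VPN server (B) and a destination server (C) and
report what a passive observer on each network segment can learn.
Added example for the thread; not code from any of the posts."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses from the RFC 5737 documentation ranges.
A = "192.0.2.10"       # VPN user
B = "198.51.100.1"     # VPN server
C = "203.0.113.5"      # destination server

# Constructed keys: VPN_KEY is shared by A and B, TLS_KEY by A and C (HTTPS),
# IPSEC_KEY by B and C (only when B and C have agreed a tunnel between them).
VPN_KEY = b"vpn-key-shared-by-A-and-B"
TLS_KEY = b"tls-key-shared-by-A-and-C"
IPSEC_KEY = b"ipsec-key-shared-by-B-and-C"
NONCE = b"example-nonce"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative stream-cipher stand-in: XOR with an HMAC-SHA256 keystream.
    Symmetric, so the same call encrypts and decrypts. Not a real VPN cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, NONCE + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    opaque: bool          # True when the payload is ciphertext to anyone without the key


@dataclass
class Observation:
    segment: str
    src: str
    dst: str
    payload: Optional[bytes]   # None means the observer sees only ciphertext
    size: int


def observe(segment: str, pkt: Packet) -> Observation:
    """What a passive observer on one segment learns from one packet: addresses,
    size (and timing) are always visible; content only when it is not opaque."""
    return Observation(segment, pkt.src, pkt.dst,
                       None if pkt.opaque else pkt.payload, len(pkt.payload))


def tunnel_wrap(pkt: Packet, key: bytes, src: str, dst: str) -> Packet:
    """Encapsulate an inner packet (its addresses included) in a tunnel packet."""
    inner = f"{pkt.src}>{pkt.dst}>{int(pkt.opaque)}|".encode() + pkt.payload
    return Packet(src, dst, keystream_xor(key, inner), opaque=True)


def tunnel_unwrap(pkt: Packet, key: bytes) -> Packet:
    """Reverse of tunnel_wrap: decrypt and restore the inner packet."""
    header, payload = keystream_xor(key, pkt.payload).split(b"|", 1)
    src, dst, opaque = header.decode().split(">")
    return Packet(src, dst, payload, opaque == "1")


def simulate(request: bytes, https: bool, ipsec_b_to_c: bool) -> dict:
    """Send `request` from A to C via B and record what each observer sees.
    `https` models TLS between A and C; `ipsec_b_to_c` models a separate
    IPsec tunnel that terminates directly on B and C."""
    # A, application layer: with HTTPS the browser encrypts before anything leaves A.
    app = Packet(A, C, keystream_xor(TLS_KEY, request) if https else request, opaque=https)
    # A, VPN client: everything goes down the tunnel to B (no split tunnelling).
    on_isp = tunnel_wrap(app, VPN_KEY, A, B)
    obs = [observe("A-B (ISP)", on_isp)]
    # B: unwrap and forward with B's own address as source, so C sees B, not A.
    inner = tunnel_unwrap(on_isp, VPN_KEY)
    fwd = Packet(B, inner.dst, inner.payload, inner.opaque)
    if ipsec_b_to_c:
        on_wire = tunnel_wrap(fwd, IPSEC_KEY, B, C)
        arrived = tunnel_unwrap(on_wire, IPSEC_KEY)
    else:
        on_wire = arrived = fwd
    obs.append(observe("B-C (Internet)", on_wire))
    # C: server-side TLS decryption when HTTPS is in use.
    delivered = keystream_xor(TLS_KEY, arrived.payload) if https else arrived.payload
    return {"observations": obs, "server_sees_src": on_wire.src, "delivered": delivered}


if __name__ == "__main__":
    REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # constructed
    for https, ipsec in [(False, False), (True, False), (False, True)]:
        print(f"\nHTTPS={https}  IPsec B-C={ipsec}")
        for o in simulate(REQUEST, https, ipsec)["observations"]:
            shown = o.payload if o.payload is not None else "<ciphertext>"
            print(f"  {o.segment:16} {o.src} -> {o.dst}  {o.size} bytes  {shown!r}")
```

Running it shows, per scenario, that the ISP-side observer never sees C's address or the request, only that A talks to B and how much; the Internet-side observer sees C and the full request unless HTTPS or the B-C IPsec tunnel is in place; and in every case the server sees B as the source and the packet sizes remain visible to both observers.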

 

rslade
Influencer II

> iluom (Contributor I) posted a new topic in Tech Talk on 04-06-2019 02:34 AM in

>     Please help me to clear my ambiguity regarding VPNs   VPN will not
> make me fully anonymous on line

First off, a very important point: just because VPN stands for "virtual private
network" doesn't necessarily mean that it keeps you anonymous in any way. The
"private" part refers to management (your ability to manage a network link over
a public network), not necessarily encryption. There are many VPN technologies.
Some have encryption (or encryption capabilities, and you have to turn them on
to use them) and many, many don't.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Just go out there and do what you've got to do.
- Martina Navratilova
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468