Does work VPN always compromise home privacy?

lisa harkema

Does work vpn compromise home privacy & security?

I work for a snooping kind of company where I would not put it past
them to watch what I do on my personal home computer if they could.

Can they "see" what I do on my home laptop when I vpn from home on my
work laptop?

Often I am asked by my manager to use Nortel VPN to connect to the
work network using my home ISP on my work-owned portable Windows XP
laptop. At the same time, I am on my home WinXP PC connecting through
the same Linksys wireless router.

I'm pretty sure when I do not VPN in from the work computer, they
can't "see" what I do on the home computer ..... but when I vpn in on
the work computer on the same network as the home computer .. .... can
they "see" what I do on the home computer?

Does VPN compromise my home security or is my home PC activity still
secure?
 
David P

Does work vpn compromise home privacy & security?

I work for a snooping kind of company where I would not put it past them
to watch what I do on my personal home computer if they could.

Can they "see" what I do on my home laptop when I vpn from home on my work
laptop?

Often I am asked by my manager to use Nortel VPN to connect to the work
network using my home ISP on my work-owned portable Windows XP laptop. At
the same time, I am on my home WinXP PC connecting through the same
Linksys wireless router.

I'm pretty sure when I do not VPN in from the work computer, they can't
"see" what I do on the home computer ..... but when I vpn in on the work
computer on the same network as the home computer .. .... can they "see"
what I do on the home computer?

Does VPN compromise my home security or is my home PC activity still
secure?

It's not the VPN - that's the tunnel between systems. It's what is
installed and running on the works laptop including any works modified
VPN software. Personally I wouldn't allow it. The whole friggin world
wants to get in your computer worse than a teenage boy wants to get in
your daughter's pants.
 
David P

Does work vpn compromise home privacy & security?

I work for a snooping kind of company where I would not put it past them
to watch what I do on my personal home computer if they could.

Can they "see" what I do on my home laptop when I vpn from home on my work
laptop?

Often I am asked by my manager to use Nortel VPN to connect to the work
network using my home ISP on my work-owned portable Windows XP laptop. At
the same time, I am on my home WinXP PC connecting through the same
Linksys wireless router.

I'm pretty sure when I do not VPN in from the work computer, they can't
"see" what I do on the home computer ..... but when I vpn in on the work
computer on the same network as the home computer .. .... can they "see"
what I do on the home computer?

Does VPN compromise my home security or is my home PC activity still
secure?

Buy another router/whatever and have the works pc outside of the home
system (in the internal systems DMZ). That may be enough.
 
Sooner Al [MVP]

Well, first anything you do on your "work" laptop is subject to monitoring
by your company. It's their laptop after all. Just don't do anything on that
laptop you might regret.

Secondly if the VPN is set up correctly you will not be able to access your
home LAN and other local PCs' shared files/folders while connected through
the VPN to your work network. I always set up my OpenVPN server to force all
client traffic through the tunnel and back to the work network. That is a
basic security measure to isolate the work network from the remote network.

Thirdly you could set up firewall software on your home PCs to block access
to shared files/folders from your work laptop.

Basically you need to use some common sense and some practical security
measures on your home LAN.

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
 
Bill Kearney

I work for a snooping kind of company where I would not put it past
them to watch what I do on my personal home computer if they could.

Get a different job. Deprive them of a good employee by going elsewhere.
Make them lose all the money they've invested in you. Otherwise you're just
continuing to enable their abuse.

Can they "see" what I do on my home laptop when I vpn from home on my
work laptop?

Generally no. Most VPN connections are designed so that ONLY the connecting
computer is attached to the remote network. Otherwise they'd be opening up
the whole network to abuse from other computers on the connecting side of
the VPN. Think about it, if you connect from a coffee shop it'd let
everyone else get into the work network too. Not a good idea, not at all.

I'm pretty sure when I do not VPN in from the work computer, they
can't "see" what I do on the home computer ..... but when I vpn in on
the work computer on the same network as the home computer .. .... can
they "see" what I do on the home computer?

No. But if you're running XP on the other computer simply enable the
firewall. You'll see any notifications about connection attempts.

Does VPN compromise my home security or is my home PC activity still
secure?

No more or less secure than without the VPN connection.
 
dold

Get a different job. Deprive them of a good employee by going elsewhere.

Sometimes there are just one or two individuals who think it is their job
to snoop as hard as they can. Sometimes it's a management philosophy.

Generally no. Most VPN connections are designed so that ONLY the connecting
computer is attached to the remote network. Otherwise they'd be opening up

The OP can test that... open a shared volume from laptop to desktop, or
start a "ping -t" in both directions, then log on to the Nortel VPN.
The local connection should break, and not be available to restart.

No. But if you're running XP on the other computer simply enable the
firewall. You'll see any notifications about connection attempts.

And be quite surprised at all the trash floating around, different servers
and services trying to connect...

I see attempts from MSSQL servers and clients, vulnerability checks for
various weaknesses, maybe from the good guys, maybe from bad guys, backup
software, stuff I haven't bothered to track down...

Have a look at the exceptions list on the work machine's XP firewall...
There might be snoopy software installed and allowed.
I have seen installations where a private copy of VNCserver is installed
and running, so support can access your system for troubleshooting... of
course they can also watch anything you are doing, with your desktop
visible to them as if they were sitting in your chair.

No more or less secure than without the VPN connection.

True of the VPN. If the laptop is allowed to connect to the local network
without the VPN turned on, then the local computer might be subject to some
unwanted examination. If you are concerned about corporate snooping of
your home PC, the laptop should never be connected to your home network.
You can't get a VPN connection without connecting to the local network
first, so there will be exposure, unless, as someone else noted, you move
to a DMZ of some sort.
 
Peter Pan

Sometimes there are just one or two individuals who think it is their
job to snoop as hard as they can. Sometimes it's a management
philosophy.

That's an interesting philosophy.. Wonder who is legally liable for what
employees do on the VPN to their home computer.... Like if you spam or spy
from your home computer, while at work, by using a VPN from your work
computer.. who is gonna get pinched?

Seems to me that whomever is liable, should be able to snoop or say no you
can't do that.... Interesting you assume that the person is a good
employee.. How do you know they aren't spamming or spying from their home
system, while at work via a vpn, and assuming they can get away with
anything illegal cuz the company is on the hook?
 
dold

In alt.internet.wireless Peter Pan said:
That's an interesting philosophy.. Wonder who is legally liable for what
employees do on the VPN to their home computer.... Like if you spam or
spy from your home computer, while at work, by using a VPN from your work
computer.. who is gonna get pinched?

That's the reverse of the VPN utilization that I think was being presented.
An employee, using a company-provided laptop, is at home, connecting to the
corporate VPN. He's worried that the company is going to snoop his
personal home computer via the VPN that he is using.
Seems to me that whomever is liable, should be able to snoop or say no
you can't do that.... Interesting you assume that the person is a good
employee.. How do you know they aren't spamming or spying from their home
system, while at work via a vpn, and assuming they can get away with
anything illegal cuz the company is on the hook?

I don't think I entertained the idea that the employee was or was not a
good employee.

If the company provides the laptop, they get to sniff whatever they want on
that laptop. I think legal precedent has been established for that. They
do not get free access to snoop the home computer.

Spamming via the corporate network, regardless of where the employee is
located at the time, is misuse of the corporate network. I don't see how
you could expect that the "company is on the hook". The employee, logged
in via a VPN server that keeps records of the logins, is hardly anonymous.
 
Peter Pan

That's the reverse of the VPN utilization that I think was being
presented. An employee, using a company-provided laptop, is at home,
connecting to the corporate VPN. He's worried that the company is
going to snoop his personal home computer via the VPN that he is
using.


I don't think I entertained the idea that the employee was or was not
a good employee.

If the company provides the laptop, they get to sniff whatever they
want on that laptop. I think legal precedent has been established
for that. They do not get free access to snoop the home computer.

Spamming via the corporate network, regardless of where the employee
is located at the time, is misuse of the corporate network. I don't
see how you could expect that the "company is on the hook". The
employee, logged in via a VPN server that keeps records of the
logins, is hardly anonymous.

I was going by this
"I'm pretty sure when I do not VPN in from the work computer, they
can't "see" what I do on the home computer ..... but when I vpn in on
the work computer on the same network as the home computer .. .... can
they "see" what I do on the home computer?

That seemed like using the work computer to access the home computer....

However, even if it was from home to work, I do still sort of wonder about
who gets pinched if an illegal activity occurs... IE if you work from home,
and do something illegal, are you liable or is the company liable?
 
Jeff Liebermann

lisa harkema said:
Does work vpn compromise home privacy & security?

That depends on how it's set up.

I work for a snooping kind of company where I would not put it past
them to watch what I do on my personal home computer if they could.

What corporation would risk the bad press and breach of trust for such
a dubious and worthless pastime? Even a hint of such snooping in a
wrongful termination suit is likely to turn against the corporation.
Unless you're on the board of dictators of HP, I wouldn't worry about it
much.

Can they "see" what I do on my home laptop when I vpn from home on my
work laptop?

Again, it depends on how it's set up.

However, if you're that paranoid the company will discover your
collection of morally degenerate porn, copyright violations, or
correspondence with the corporation, there's an easy way to be sure
they can't snoop. Install a 2nd router between your porn server and
the main router. Set it up for NAT but on a different class C subnet.
For example, if your main router puts your clients on 192.168.1.xxx,
then set up the 2nd NAT router for 192.168.2.xxx. There's no easy way
for your evil employer to go backwards through the 2nd router unless
you punch it full of holes (port forwarding or triggering). This is
commonly called "double NAT". The downside is that some services that
do require port forwarding will need to be accommodated. For example,
if you're running VNC, you'll need to port forward 5800 and 5900 in
*BOTH* routers. It's a bit of work, but no big deal.

Often I am asked by my manager to use Nortel VPN to connect to the
work network using my home ISP on my work-owned portable Windows XP
laptop.

Nothing wrong with that. That's the whole purpose of issuing you a
work-owned laptop.

At the same time, I am on my home WinXP PC connecting through
the same Linksys wireless router.

Actually, the office VPN is more at risk than you are. If your other
machines are worm, virus, trojan, and spyware infested, they could
easily attack or infect the corporate LAN via the VPN. Hopefully,
your IT department has taken steps to defend themselves.

I'm pretty sure when I do not VPN in from the work computer, they
can't "see" what I do on the home computer ..... but when I vpn in on
the work computer on the same network as the home computer .. .... can
they "see" what I do on the home computer?

I assume the home computer is a different computer than your company
issued laptop. If the VPN client is located on the laptop, and the
VPN is properly set up, then the office LAN can only see the laptop and
not the home computer. If the VPN originates in the router, then the
office LAN can see your entire home network. If your company also
issued you a decent router, that isolates the VPN client from the rest
of the LAN in hardware, such as a Sonicwall, then the office can
only see your laptop.

Does VPN compromise my home security or is my home PC activity still
secure?

Asking the same question 3 times will not yield a better answer.
Whether your activities are secure is totally dependent on your VPN
setup, of which I only know that you're using a Nortel VPN client on a
company owned laptop. If you want specific opinions as to your
security status, you might consider disclosing some details.
 
dold

In alt.internet.wireless Peter Pan said:
I was going by this
"I'm pretty sure when I do not VPN in from the work computer, they can't
"see" what I do on the home computer ..... but when I vpn in on the work
computer on the same network as the home computer .. .... can they "see"
what I do on the home computer?
That seemed like using the work computer to access the home computer....

But I think the "work computer" is at home, connecting to the corporate
VPN. The question was whether his personal computer is now visible to the
company. What he's missing is that when the VPN connects, his access to
the network that is in the same room is lost.

However, even if it was from home to work, I do still sort of wonder
about who gets pinched if an illegal activity occurs... IE if you work
from home, and do something illegal, are you liable or is the company
liable?

One would expect that the evildoer is the one in trouble for doing evil.

There could be some argument that the company is facilitating the evil by
giving him network access, but in the case of VPN, that access is riding on
some other access that the evildoer already has in place. In any event, one
might assume that illegal activities are against company policy, providing
some shield for the corporation.
 
dold

What corporation would risk the bad press and breach of trust for such
a dubious and worthless pastime? Even a hint of such snooping in a
wrongful termination suit is likely to turn against the corporation.
Unless you're on the board of dictators of HP, I wouldn't worry about it
much.

A lot of sniffing and snooping may be going on, under the guise of
"corporate security". Unless there is a termination or other blatant
disclosure, one might never know what has been observed.

Actually, the office VPN is more at risk than you are. If your other
machines are worm, virus, trojan, and spyware infested, they could
easily attack or infect the corporate LAN via the VPN. Hopefully,
your IT department has taken steps to defend themselves.

That wouldn't exactly be the case in a normal setup. Those other vile
computers would probably have no access to the corporate LAN, because they
aren't running Nortel clients, and the "normal" LAN has no access to the
work PC once it connects to the VPN.

The big exposure is that he is only occasionally required to use the VPN,
implying that the work PC might be infected at some time while not under
the corporate security umbrella.

I assume the home computer is a different computer than your company
issued laptop. If the VPN client is located on the laptop, and the
VPN is properly set up, then the office LAN can only see the laptop and
not the home computer. If the VPN originates in the router, then the
office LAN can see your entire home network.

Hmmm. That wouldn't be a "Nortel VPN" connection then... it should be more
obviously a corporate router, which wasn't mentioned, and is unlikely,
since the VPN portion of the connection has been described as occasional.

Asking the same question 3 times will not yield a better answer.

Hard to say. Asking three times in slightly different fashion can
certainly elicit N^3 different responses ;-)
 
Andy Walker

lisa said:
Does work vpn compromise home privacy & security?

I would be more worried about the home network, but if your IT guys
are clueless...

I work for a snooping kind of company where I would not put it past
them to watch what I do on my personal home computer if they could.

That's why we (tinw) require all computers connecting to our trusted
network be purchased by, or consigned to, "the corp". If someone
wants to use a home computer to do business on our networks, they will
have to sign a release of their computer asset over to the
corporation. By doing that, they are able to load all licensed
corporate software on their home computer, including security
software, that is required for access to our networks. They never have
to surrender their own computer equipment, unless, of course, there is
a need for a forensic investigation. Forced software updates and
policy enforcement is mandatory BEFORE being allowed on to the trusted
networks, and then all communication across the VPN tunnel is logged.

Can they "see" what I do on my home laptop when I vpn from home on my
work laptop?

It's entirely possible, but highly unlikely.

Often I am asked by my manager to use Nortel VPN to connect to the
work network using my home ISP on my work-owned portable Windows XP
laptop. At the same time, I am on my home WinXP PC connecting through
the same Linksys wireless router.

It is possible. If you don't want to be exposed, you could restrict
user access to your home computers by logging into your work laptop
with a different username/password, one that can't access your other
systems (also make sure your network shares have the proper user
restrictions.) There is always the possibility of
exploits/user/password guessing/cracking/keyloggers/etc.. that can be
used by a determined snooper, but you really have to ask yourself; are
you actually worth all that to your company?

YMMV
 
MINISOFT

lisa said:
Does work vpn compromise home privacy & security?

No. VPN is an encryption protocol that rides on the TCP carrier
protocol. VPN encrypts the traffic between your machine the client VPN
solution (one valid vpn end point) and the server vpn solution (one
valid vpn end point). It prevents someone from eavesdropping on the
data traffic between your machine and the company's network.

I work for a snooping kind of company where I would not put it past
them to watch what I do on my personal home computer if they could.

I doubt that they care about what you're doing from your machine. There's
only so much you can do anyway.

Can they "see" what I do on my home laptop when I vpn from home on my
work laptop?

Maybe, maybe not and there would have to be a hidden back door installed
on the machine so they could see your every move and keystroke.

Often I am asked by my manager to use Nortel VPN to connect to the
work network using my home ISP on my work-owned portable Windows XP
laptop. At the same time, I am on my home WinXP PC connecting through
the same Linksys wireless router.


So? What, are you thinking they can see what you're doing from your home
machine because you have them both connected to a router? They don't
care and are not looking. It's impossible for them to do that anyway.

I'm pretty sure when I do not VPN in from the work computer, they
can't "see" what I do on the home computer ..... but when I vpn in on
the work computer on the same network as the home computer .. .... can
they "see" what I do on the home computer?

NO!


Does VPN compromise my home security or is my home PC activity still
secure?

No, you're the one that compromises your home security by not doing Safe
Hex.

http://www.claymania.com/safe-hex.html

VPN is just a data privacy solution between your machine and the
company's network over the Internet, so no one can eavesdrop on the
data/traffic.

Duane :)
 
Jeff Liebermann

(e-mail address removed) hath wroth:
A lot of sniffing and snooping may be going on, under the guise of
"corporate security". Unless there is a termination or other blatant
disclosure, one might never know what has been observed.

That would seem a bit paranoid but possible. The company would need a
good reason to justify such a fishing expedition. There would also
need to be some evidence of wrongdoing, documented procedures for the
inevitable trial or labor board hearing, and possibly proof of secure
handling of the accumulated evidence. If the evil corporation is
going fishing, it would be considered good form if the fish were
suitable for litigation or termination. Otherwise, why bother?

From my limited experiences, some companies do sniff internet traffic
in order to detect viruses and leakage of internal documents. I
installed a sniffer long ago that looked for specific project names in
SMTP packets. However, that's about the limits of sniffing that I've
seen.

Snooping around a user's network backwards via VPN is possible. One
software company installs VNC and SSH in addition to the usual IPSec
VPN client on their users' laptops. The purpose is not for the admins
to spy on their programmers, but rather so that the programmers can
pick up files from their home machines in a secure manner. VNC is
set up to only operate inside the VPN tunnel. However, it would be
fairly easy to use VNC to spy on the rest of the user's home LAN.

That wouldn't exactly be the case in a normal setup. Those other vile
computers would probably have no access to the corporate LAN, because they
aren't running Nortel clients, and the "normal" LAN has no access to the
work PC once it connects to the VPN.

Agreed. The "normal" VPN setup disconnects the local LAN and sends
all traffic through the remote VPN gateway. Every time I connect, I
immediately lose my local networked printer, any local servers, my IM
connections, Skype goes dead, etc. Some reconnect via the VPN if
there is an internet connection at the other end of the tunnel, but
the LAN stays disconnected.

However, that's the "normal". It would not take much imagination to
visualize a method by which the "normal" VPN security can be
compromised. Setting the default gateway to NOT go through the tunnel
to the remote VPN router is a good start. Bridging the ethernet
interface to a wireless device is another. Adding forensic "helper"
applications will certainly do the job.

The big exposure is that he is only occasionally required to use the VPN,
implying that the work PC might be infected at some time while not under
the corporate security umbrella.

I used to assume that corporate laptops had their security fairly well
nailed down with security templates and Windoze group policy
management.
http://www.cisecurity.com
Then, I took a close look at some allegedly secure laptops owned by some
banks, insurance companies, and medical offices. Methinks that
malware infection is a definite risk and I'm amazed that it doesn't
happen more often with such laptops.

Hmmm. That wouldn't be a "Nortel VPN" connection then... it should be more
obviously a corporate router, which wasn't mentioned, and is unlikely,
since the VPN portion of the connection has been described as occasional.

I don't have any experience with Nortel VPNs, but I guess(tm) that
it's just another IPSec VPN with the usual assortment of
encapsulation, authentication, and encryption options. As long as
Nortel hasn't added anything proprietary, it should work with any VPN
device including the hardware VPN routers such as Sonicwall. Nortel
does make a small VPN router (Model 600), but you're correct that the
OP probably doesn't have one as it's more suitable for a branch office
than a home user.
http://products.nortel.com/go/product_content.jsp?prod_id=34760

Hard to say. Asking three times in slightly different fashion can
certainly elicit N^3 different responses ;-)

Have you ever noticed that if you ask a doctor or lawyer for an
opinion, you'll never get a single answer? You always get multiple
possibilities leaving you with the responsibility of making the
decision. If you decide incorrectly, the doctor or lawyer can claim
it wasn't their advice that sent you astray, it was your decision. In
keeping with such established procedures, I always muddle my answers
with a surplus of possibilities, thus offering me an easy way out if I
happen to be wrong.
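
The routing behaviour discussed in this thread (dold's ping test, and the "normal" full-tunnel setup versus a default gateway that does not go through the tunnel) can also be read from the work laptop's route table. The following is an added example, not part of any poster's message: it parses constructed Windows `route print` output and reports where home-LAN and Internet traffic would be sent. All addresses and table contents are assumptions made for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


# Constructed samples in the layout of the IPv4 table from "route print".
# Assumed addresses: home LAN 192.168.1.0/24, work laptop 192.168.1.101,
# tunnel adapter 10.20.30.40, VPN concentrator 203.0.113.10.
TUNNEL_IP = "10.20.30.40"
HEADER = "Network Destination        Netmask          Gateway       Interface  Metric\n"
BEFORE_VPN = HEADER + """\
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.101      25
      192.168.1.0    255.255.255.0    192.168.1.101   192.168.1.101      25
"""
FULL_TUNNEL = HEADER + """\
          0.0.0.0          0.0.0.0       10.20.30.1     10.20.30.40       1
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.101      26
       10.20.30.0    255.255.255.0      10.20.30.40     10.20.30.40       1
      192.168.1.0    255.255.255.0      10.20.30.40     10.20.30.40       1
      192.168.1.0    255.255.255.0    192.168.1.101   192.168.1.101      26
     203.0.113.10  255.255.255.255      192.168.1.1   192.168.1.101       1
"""
SPLIT_TUNNEL = HEADER + """\
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.101      25
         10.0.0.0        255.0.0.0       10.20.30.1     10.20.30.40       1
       10.20.30.0    255.255.255.0      10.20.30.40     10.20.30.40       1
      192.168.1.0    255.255.255.0    192.168.1.101   192.168.1.101      25
"""


def parse_routes(text: str) -> List[Route]:
    """Parse route lines; headers and separators are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            net = ipaddress.IPv4Network(f"{fields[0]}/{fields[1]}")
            routes.append(Route(net, ipaddress.IPv4Address(fields[2]),
                                ipaddress.IPv4Address(fields[3]), int(fields[4])))
        except ValueError:
            continue  # not a route line
    return routes


def select_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest prefix wins; ties are broken by the lowest metric."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def classify(routes: List[Route], tunnel_ip: str,
             lan_host: str = "192.168.1.50",
             internet_host: str = "198.51.100.7") -> str:
    """Describe the tunnel mode from the laptop's point of view.

    lan_host stands for the home PC, internet_host for any outside site
    (both are assumed sample addresses).
    """
    tunnel = ipaddress.IPv4Address(tunnel_ip)
    if not any(r.interface == tunnel for r in routes):
        return "no-vpn"
    inet = select_route(routes, internet_host)
    lan = select_route(routes, lan_host)
    if inet is None or inet.interface != tunnel:
        # Default gateway stays local: the laptop sits on both networks.
        return "split-tunnel"
    if lan is not None and lan.interface != tunnel:
        return "full-tunnel-lan-reachable"
    return "full-tunnel-lan-isolated"


if __name__ == "__main__":
    for name, table in (("before VPN", BEFORE_VPN),
                        ("full tunnel", FULL_TUNNEL),
                        ("split tunnel", SPLIT_TUNNEL)):
        print(f"{name}: {classify(parse_routes(table), TUNNEL_IP)}")
```

The route table is only one place a VPN client can enforce isolation; a client may also filter packets in a driver that the table does not show, so the ping test described earlier in the thread remains the direct check.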
 
BJ Honeycut

That depends on how it's set up.


What corporation would risk the bad press and breach of trust for such
a dubious and worthless pastime? Even a hint of such snooping in a
wrongful termination suit is likely to turn against the corporation.
Unless you're on the board of dictators of HP, I wouldn't worry about it
much.

Plenty do. Look at the name of this NG, J

Again, it depends on how it's set up.

However, if you're that paranoid the company will discover your
collection of morally degenerate porn, copyright violations, or
correspondence with the corporation, there's an easy way to be sure
they can't snoop. Install a 2nd router between your porn server and
the main router. Set it up for NAT but on a different class C subnet.
For example, if your main router puts your clients on 192.168.1.xxx,
then set up the 2nd NAT router for 192.168.2.xxx. There's no easy way
for your evil employer to go backwards through the 2nd router unless
you punch it full of holes (port forwarding or triggering). This is
commonly called "double NAT". The downside is that some services that
do require port forwarding will need to be accommodated. For example,
if you're running VNC, you'll need to port forward 5800 and 5900 in
*BOTH* routers. It's a bit of work, but no big deal.

Not both, just the subnet connected to the VPN machine. Great suggestion,
though as that's sort of what I have.

Nothing wrong with that. That's the whole purpose of issuing you a
work-owned laptop.


Actually, the office VPN is more at risk than you are. If your other
machines are worm, virus, trojan, and spyware infested, they could
easily attack or infect the corporate LAN via the VPN. Hopefully,
your IT department has taken steps to defend themselves.


I assume the home computer is a different computer than your company
issued laptop. If the VPN client is located on the laptop, and the
VPN is properly set up, then the office LAN can only see the laptop and
not the home computer. If the VPN originates in the router, then the
office LAN can see your entire home network. If your company also
issued you a decent router, that isolates the VPN client from the rest
of the LAN in hardware, such as a Sonicwall, then the office can
only see your laptop.

The only ? is if the 2 machines share on the LAN when not connected to the
VPN and then one forwards info…paranoid yes, but then so was the idea that
the Germans might get a nuke before we did. They almost did.
Nothing is stopping a company from using security software to monitor what
you share with other machines.

Asking the same question 3 times will not yield a better answer.
Whether your activities are secure is totally dependent on your VPN
setup, of which I only know that you're using a Nortel VPN client on a
company owned laptop. If you want specific opinions as to your
security status, you might consider disclosing some details.



--
"Time will bring to light whatever is hidden;
it will cover up and conceal what is now shining in splendor."
Horace (65 - 8 BC); Roman poet.

Mike
 
