| 1 |
On Saturday 11 Jun 2016 21:04:27 Dale wrote: |
| 2 |
> Dutch Ingraham wrote: |
| 3 |
> > On Sat, Jun 11, 2016 at 05:57:11PM -0500, Dale wrote: |
| 4 |
> >> been wondering about. It mentioned using a VPN so that the NSA, my ISP |
| 5 |
> >> and others couldn't "see" what was going on. So, my first question, |
| 6 |
> >> does that work and does it require the site on the other end to have it |
| 7 |
> >> set up as well? Bonus question, is it easy to use on any site if it |
| 8 |
> >> doesn't require the other end to use it? I'm thinking of using this for |
| 9 |
> >> my banking/financial sites as well if it is a good idea. |
| 10 |
> > |
| 11 |
> > I tried a VPN for banking; as many different source IPs were showing as |
| 12 |
> > attempting to log into my online account, the bank thought I was being |
| 13 |
> > hacked and locked my accounts. Took many trips to the bank to create |
| 14 |
> > all new accounts, etc. |
| 15 |
> > |
| 16 |
> > As to VPNs in general, see: |
| 17 |
> > |
| 18 |
> > http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-> > the-state-of-vpns-in-2016/ |
| 19 |
> I sort of have a vague idea of what a VPN is but maybe some reading will |
| 20 |
> do me some good. Heading over to this link. |
| 21 |
> |
| 22 |
> Thanks. |
| 23 |
> |
| 24 |
> Dale |
| 25 |
> |
| 26 |
> :-) :-) |
| 27 |
|
| 28 |
A VPN connection is nothing more than an encrypted network connection between |
| 29 |
two end points (local & remote peers). You set up an encrypted tunnel and |
| 30 |
your application data travels through it. Both peers' network configurations |
| 31 |
have to be set up for this purpose. The VPN tunnel could be set up with |
| 32 |
another peer for the purpose of communicating securely with that peer alone, |
| 33 |
or to another device the remote peer will forward your packets to. In the |
| 34 |
latter case the VPN peer is acting as a VPN gateway to whatever lies beyond. |
| 35 |
Site to Site VPN connections behave like this. |
| 36 |
|
| 37 |
There are a number of different types of VPN, each employing different methods |
| 38 |
to exchange encryption keys between the peers securely and then to set up a |
| 39 |
secure network tunnel using these keys. L2TP+IPSec, OpenSSL, IKEv1/2+IPSec, |
| 40 |
etc. are all different VPN types. |
| 41 |
|
| 42 |
VPNs can be deployed for different use cases: |
| 43 |
|
| 44 |
Typically you set up a VPN to achieve site-to-site secure network |
| 45 |
communications - e.g. between your own LAN and your brother's, between a |
| 46 |
company's head office and a satellite office, etc. You would normally set |
| 47 |
this up between two edge routers which have a compatible VPN capability. Your |
| 48 |
Linksys may have VPN in its firmware, or if you flush it with dd- |
| 49 |
wrt/openwrt/tomato/etc. you will have VPN capability at your end at least. |
| 50 |
|
| 51 |
VPNs are also used to achieve PC-to-site secure communications, e.g. between a |
| 52 |
employee's laptop, iPhone, EPOS, et al., and the company's LAN. This is also |
| 53 |
known as a roadwarrior configuration and you could use it if you had a laptop |
| 54 |
and wanted to e.g. access some files on your home server. |
| 55 |
|
| 56 |
If you combine VPN tunnelling with packet forwarding then you could use the |
| 57 |
remote VPN gateway or another forwarding server in the LAN behind it, as a |
| 58 |
proxy server for your general Internet connections. Your connection to the |
| 59 |
VPN gateway will be encrypted and therefore your connection to the VPN gateway |
| 60 |
will be secure, even if you happen to be using an unsecured WiFi connection to |
| 61 |
the Internet at your local Starbux. The connection forwarded from the proxy |
| 62 |
server to the Internet may or may not be secure, depending on the application |
| 63 |
level encryption (e.g. HTTPS) that you are using at the time. This is one of |
| 64 |
the purposes Public VPN services cater for, allowing you to connect to the |
| 65 |
Internet securely. For a fee they allow you to connect to their VPN gateway |
| 66 |
and then forward your packets from there to any site on the Internet your |
| 67 |
application wants to connect to. The other purpose of Public VPNs is that |
| 68 |
their use achieves anonymity of your real IP address, as long as they have |
| 69 |
configured their forwarding correctly and the application running on your PC |
| 70 |
is not leaking your real IP address. This VPN-forwarding set up can be used |
| 71 |
to by-pass geo-blocking and is often used for this purpose too. |
| 72 |
|
| 73 |
Regarding your stated use case, it is highly unlikely your bank is offering a |
| 74 |
public VPN connection for its customers, for the purpose of online banking. |
| 75 |
What banks offer to customers is Layer 5 secure connectivity via HTTPS, which |
| 76 |
is configured/managed via the customer's browser and the bank's webserver. |
| 77 |
Since this connection is encrypted, the use of a VPN only offers redundancy |
| 78 |
and could be considered superfluous. |
| 79 |
|
| 80 |
Regarding the security of it all (VPN, SSH, or HTTPS) it is now common |
| 81 |
knowledge that NSA has cracked, compromised and pre-computed[1] a lot of the |
| 82 |
secure keys being used by many network security appliances, if the vendors |
| 83 |
hadn't already offered these to the NSA in the first place[2]. If you are |
| 84 |
using software configured to only use strong ciphers, then you are probably |
| 85 |
quite secure for a little while longer.[3] |
| 86 |
|
| 87 |
YMMV. :-) |
| 88 |
|
| 89 |
|
| 90 |
REFERENCES: |
| 91 |
=========== |
| 92 |
[1] https://www.schneier.com/blog/archives/2015/10/breaking_diffie.html |
| 93 |
[2] http://www.reuters.com/article/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331 |
| 94 |
[3] https://bettercrypto.org/static/applied-crypto-hardening.pdf |
| 95 |
|
| 96 |
-- |
| 97 |
Regards, |
| 98 |
Mick |
Archives