On Saturday 11 Jun 2016 21:04:27 Dale wrote:
> Dutch Ingraham wrote:
> > On Sat, Jun 11, 2016 at 05:57:11PM -0500, Dale wrote:
> >> been wondering about. It mentioned using a VPN so that the NSA, my ISP
> >> and others couldn't "see" what was going on. So, my first question,
> >> does that work and does it require the site on the other end to have it
> >> set up as well? Bonus question, is it easy to use on any site if it
> >> doesn't require the other end to use it? I'm thinking of using this for
> >> my banking/financial sites as well if it is a good idea.
> >
> > I tried a VPN for banking; as many different source IPs were showing as
> > attempting to log into my online account, the bank thought I was being
> > hacked and locked my accounts. Took many trips to the bank to create
> > all new accounts, etc.
> >
> > As to VPNs in general, see:
> >
> > http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/
>
> I sort of have a vague idea of what a VPN is but maybe some reading will
> do me some good. Heading over to this link.
>
> Thanks.
>
> Dale
>
> :-) :-)

A VPN connection is nothing more than an encrypted network connection between
two end points (local & remote peers). You set up an encrypted tunnel and
your application data travels through it. Both peers' network configurations
have to be set up for this purpose. The VPN tunnel could be set up with
another peer for the purpose of communicating securely with that peer alone,
or to another device the remote peer will forward your packets to. In the
latter case the VPN peer is acting as a VPN gateway to whatever lies beyond.
Site-to-site VPN connections behave like this.

There are a number of different types of VPN, each employing different methods
to exchange encryption keys between the peers securely and then to set up a
secure network tunnel using these keys. L2TP+IPSec, OpenSSL, IKEv1/2+IPSec,
etc. are all different VPN types.

VPNs can be deployed for different use cases:

Typically you set up a VPN to achieve site-to-site secure network
communications - e.g. between your own LAN and your brother's, between a
company's head office and a satellite office, etc. You would normally set
this up between two edge routers which have a compatible VPN capability. Your
Linksys may have VPN in its firmware, or if you flash it with
dd-wrt/openwrt/tomato/etc. you will have VPN capability at your end at least.

VPNs are also used to achieve PC-to-site secure communications, e.g. between an
employee's laptop, iPhone, EPOS, et al., and the company's LAN. This is also
known as a roadwarrior configuration and you could use it if you had a laptop
and wanted to e.g. access some files on your home server.

If you combine VPN tunnelling with packet forwarding then you could use the
remote VPN gateway, or another forwarding server in the LAN behind it, as a
proxy server for your general Internet connections. Your connection to the
VPN gateway will be encrypted and therefore your connection to the VPN gateway
will be secure, even if you happen to be using an unsecured WiFi connection to
the Internet at your local Starbux. The connection forwarded from the proxy
server to the Internet may or may not be secure, depending on the application
level encryption (e.g. HTTPS) that you are using at the time. This is one of
the purposes Public VPN services cater for, allowing you to connect to the
Internet securely. For a fee they allow you to connect to their VPN gateway
and then forward your packets from there to any site on the Internet your
application wants to connect to. The other purpose of Public VPNs is that
their use achieves anonymity of your real IP address, as long as they have
configured their forwarding correctly and the application running on your PC
is not leaking your real IP address. This VPN-forwarding setup can be used
to bypass geo-blocking and is often used for this purpose too.

Regarding your stated use case, it is highly unlikely your bank is offering a
public VPN connection for its customers, for the purpose of online banking.
What banks offer to customers is Layer 5 secure connectivity via HTTPS, which
is configured/managed via the customer's browser and the bank's webserver.
Since this connection is encrypted, the use of a VPN only offers redundancy
and could be considered superfluous.

Regarding the security of it all (VPN, SSH, or HTTPS) it is now common
knowledge that the NSA has cracked, compromised and pre-computed[1] a lot of the
secure keys being used by many network security appliances, if the vendors
hadn't already offered these to the NSA in the first place[2]. If you are
using software configured to only use strong ciphers, then you are probably
quite secure for a little while longer.[3]

YMMV. :-)


REFERENCES:
===========
[1] https://www.schneier.com/blog/archives/2015/10/breaking_diffie.html
[2] http://www.reuters.com/article/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331
[3] https://bettercrypto.org/static/applied-crypto-hardening.pdf

--
Regards,
Mick
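The point Mick makes about the forwarded hop (the tunnel protects you only as far as the VPN gateway; beyond it, whether the request is readable depends on HTTPS) is easy to see with a small model of who can observe what at each hop. The script below is an added illustration, not code from the thread: it models a laptop on coffee-shop WiFi sending a banking request either directly or through a VPN gateway that forwards it, with "encryption" represented as opaque placeholder strings rather than real crypto. All addresses (from the TEST-NET ranges), hop names and the sample request/cookie are constructed for the example.

```python
"""Who sees what on the path from a laptop to a web site, with and without a
VPN tunnel and with and without HTTPS.  Added illustration: encryption is
modelled as an opaque placeholder string, not real crypto, and every address,
hop name and request below is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional

LAPTOP = "192.0.2.7 (laptop on coffee-shop WiFi)"      # constructed (TEST-NET-1)
VPN_GATEWAY = "203.0.113.10 (VPN gateway)"             # constructed (TEST-NET-3)
SITE = "198.51.100.20 (bank.example.com)"              # constructed (TEST-NET-2)

TLS_OPAQUE = "<TLS ciphertext>"     # HTTPS payload as seen by anyone on the path
TUNNEL_OPAQUE = "<VPN ciphertext>"  # tunnelled packet as seen before the gateway
SECRET = "Cookie: session=abc123"   # constructed: the thing we don't want read

HOP_LOCAL = "coffee-shop WiFi / your ISP"   # between laptop and VPN gateway
HOP_GATEWAY = "VPN gateway"                 # the peer that decrypts the tunnel
HOP_INTERNET = "Internet path to the site"  # everything beyond the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str                        # what is on the wire at this hop
    inner: Optional["Packet"] = None    # set while the packet rides inside the tunnel


def app_packet(https: bool) -> Packet:
    """The packet the browser emits: plain HTTP shows the request, HTTPS hides it."""
    request = "GET /account HTTP/1.1\r\n" + SECRET
    return Packet(LAPTOP, SITE, TLS_OPAQUE if https else request)


def encapsulate(pkt: Packet) -> Packet:
    """Laptop wraps the packet in the tunnel: the outer header points at the gateway."""
    return Packet(pkt.src, VPN_GATEWAY, TUNNEL_OPAQUE, inner=pkt)


def decapsulate(pkt: Packet) -> Packet:
    """Gateway unwraps and forwards; with NAT the site sees the gateway's address."""
    if pkt.dst != VPN_GATEWAY or pkt.inner is None:
        raise ValueError("not a tunnelled packet addressed to this gateway")
    return Packet(VPN_GATEWAY, pkt.inner.dst, pkt.inner.payload)


def observe(pkt: Packet) -> Dict[str, str]:
    """A passive observer on the path learns exactly these three fields."""
    return {"src": pkt.src, "dst": pkt.dst, "payload": pkt.payload}


def trace(https: bool, via_vpn: bool) -> Dict[str, Dict[str, str]]:
    """Return what each hop sees for one request, in path order."""
    pkt = app_packet(https)
    if not via_vpn:
        return {HOP_LOCAL: observe(pkt), HOP_INTERNET: observe(pkt)}
    wire = encapsulate(pkt)
    forwarded = decapsulate(wire)
    return {
        HOP_LOCAL: observe(wire),          # sees only laptop -> gateway, opaque payload
        HOP_GATEWAY: observe(wire.inner),  # the gateway itself sees the decrypted packet
        HOP_INTERNET: observe(forwarded),  # sees gateway -> site, payload as HTTP(S) left it
    }


def exposed_hops(seen: Dict[str, Dict[str, str]]) -> List[str]:
    """Hops at which the session cookie is readable in the clear."""
    return [hop for hop, view in seen.items() if SECRET in view["payload"]]


if __name__ == "__main__":
    for https in (False, True):
        for via_vpn in (False, True):
            seen = trace(https, via_vpn)
            print(f"https={https!s:5} vpn={via_vpn!s:5} cookie readable at: "
                  f"{exposed_hops(seen) or 'nowhere on the path'}")
            for hop, view in seen.items():
                print(f"   {hop:28} dst={view['dst']:36} payload={view['payload'][:24]!r}")
```

Running it prints the four combinations. With HTTP over the VPN the cookie disappears from the coffee-shop hop but reappears at the gateway and everywhere beyond it; with HTTPS no on-path observer reads it, VPN or not, which is exactly why the VPN is redundant for the banking case while still hiding the laptop's address and destination from the local network.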