posted by janrinok on Friday March 13 2020, @07:32PM

Microsoft—and Ars—advise split-tunnel VPNs to minimize coronavirus woes:

When SARS hit its peak, remote work wasn't yet practical enough for quarantine efforts to affect office networks much. With the coronavirus, though, most of the toolset needed to work from home or the road is available—but many office networks are having difficulty handling the sudden increase in scale.

There's not much you can do about a WAN (Wide Area Network) connection that isn't robust enough to handle traffic from remote workers to internal infrastructure such as file servers and application servers. But much of a typical company's infrastructure isn't onsite at all anymore—it's increasingly likely to be hosted in the cloud, behind its own set of protective firewalls and filters.

Traditionally, most office VPNs are set up to route not just office traffic, but all traffic—including Internet-destined traffic—across the user's VPN tunnel. For most sites, that means paying a double penalty—or worse—for all Internet traffic from VPN-connected users. Each HTTPS request and its subsequent response must hit both the upload and download side of the office's WAN twice. This is bad enough with a symmetric WAN—e.g., a 500Mbps fiber link—but it's beyond punishing for an asymmetric WAN, such as a 100Mbps-down/10Mbps-up coaxial link.

[...] We generally advise routing only office-bound traffic over an office VPN and allowing all Internet traffic to proceed directly to its destination—this can easily reduce VPN traffic by an order of magnitude or more, and the router-level filtering and monitoring in most offices isn't particularly useful in the first place.

Doing things this way is simple—the network administrator disables global routing in their VPN configurations and only routes the office's subnet(s) across the tunnel. The details vary by VPN implementation, but in Cisco VPN clients, for example, it's a simple checkbox to be ticked on or off.

[...] IPv6, unfortunately, gets its usual "eh, maybe later" treatment—Microsoft advises that IPv6 endpoints can simply be ignored and notes that its services "will currently operate successfully on IPv4 only, but not the other way around."
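The split-tunnel layout the article describes, as an added example that is not part of the article or of any vendor's VPN client: a bash script that prints the Linux `ip route` commands for both layouts and resolves sample destinations with a longest-prefix match over the office subnets, so you can see which traffic would enter the tunnel. The subnets 10.10.0.0/16 and 192.168.50.0/24, the `tun0` interface and the 10.10.0.1 gateway are assumed values.

```bash
#!/usr/bin/env bash
# Added example (not from the article): split-tunnel vs. full-tunnel routing
# on a Linux client, with a longest-prefix lookup showing which destinations
# would enter the tunnel. Subnets, interface and gateway are constructed.

OFFICE_SUBNETS="10.10.0.0/16 192.168.50.0/24"   # assumed office address space
VPN_IF=tun0                                     # assumed tunnel interface
VPN_GW=10.10.0.1                                # assumed far-end gateway

ip2int() {
  # Dotted quad -> 32-bit integer, so prefixes can be compared under a mask.
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
  # in_cidr IP NET/BITS -> status 0 when IP lies inside the prefix.
  local ip net bits mask
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

split_tunnel_routes() {
  # Only office prefixes go through the tunnel; the default route is left
  # alone, so Internet traffic leaves the home uplink directly.
  local net
  for net in $OFFICE_SUBNETS; do
    echo "ip route add $net via $VPN_GW dev $VPN_IF"
  done
}

full_tunnel_routes() {
  # The traditional layout: the tunnel captures the default route, so every
  # packet crosses the office WAN twice.
  echo "ip route add 0.0.0.0/0 via $VPN_GW dev $VPN_IF metric 50"
}

route_for() {
  # Longest-prefix match over the office subnets: where would a packet to $1
  # go under split tunnelling?
  local dst=$1 best="" bestlen=-1 net
  for net in $OFFICE_SUBNETS; do
    if in_cidr "$dst" "$net" && [ "${net#*/}" -gt "$bestlen" ]; then
      best=$net
      bestlen=${net#*/}
    fi
  done
  if [ -n "$best" ]; then
    echo "$VPN_IF ($best)"
  else
    echo "direct"
  fi
}

if [ "${1:-}" = "demo" ]; then
  echo "# split tunnel"; split_tunnel_routes
  echo "# full tunnel";  full_tunnel_routes
  for d in 10.10.4.7 192.168.50.9 93.184.216.34; do
    echo "$d -> $(route_for "$d")"
  done
fi
```

Run it as `bash split_tunnel.sh demo`; it only prints commands and never touches the live routing table. The trade-off the script makes visible is the one the thread argues about: under split tunnelling a destination outside the office prefixes reaches the Internet through the home uplink, so whatever filtering the office gateway applied to that traffic no longer happens.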


  • (Score: 3, Interesting) by DannyB on Friday March 13 2020, @08:01PM (4 children)

    by DannyB (5839) Subscriber Badge on Friday March 13 2020, @08:01PM (#970840) Journal

    Traditionally, most office VPNs are set up to route not just office traffic, but all traffic

    My employer's Microsoft VPN client did this.

    They switched to a different one that does not route internet traffic through the corporate network only to come out on the internet somewhere far away, with the response packets following a similar path back.

    I'm not sure why anyone would have thought this was a good idea.

    --
    The Centauri traded Earth jump gate technology in exchange for our superior hair mousse formulas.
    • (Score: 4, Informative) by vux984 on Friday March 13 2020, @10:09PM (3 children)

      by vux984 (5045) on Friday March 13 2020, @10:09PM (#970895)

      "I'm not sure why anyone would have thought this was a good idea."

      If you are traveling in China, for example, this is precisely the configuration you want.

      There are plenty of other scenarios where there is IP whitelisting/filtering in place, from business bank account access to cloud backup admin, ssh connections, etc. Certain academic resources are configured such that you license a site, and connections from that site are permitted to view journals and articles, etc. For a lot of these types of things you need your internet traffic funnelled through the office network.

      There are lots of cases where this isn't necessary too. As always, you need the right tool for the job at hand. As an aside, this is part of why OpenVPN is big and complicated; and WireGuard (while great at what it does) is not really a replacement for it.

      • (Score: 2) by DannyB on Monday March 16 2020, @02:04PM (2 children)

        by DannyB (5839) Subscriber Badge on Monday March 16 2020, @02:04PM (#971873) Journal

        That is a good point. There needs to be a switch to turn this on or off depending on whether you trust your internet connection or not.

        --
        The Centauri traded Earth jump gate technology in exchange for our superior hair mousse formulas.
        • (Score: 2) by vux984 on Monday March 16 2020, @06:27PM (1 child)

          by vux984 (5045) on Monday March 16 2020, @06:27PM (#971962)

          Most comprehensive VPN solutions have 'that switch' somewhere, including the built-in Microsoft VPN, where the switch is called "Use default gateway on remote network" (which overrides your normal default gateway, routing all traffic to the remote gateway).

          • (Score: 2) by DannyB on Monday March 16 2020, @06:42PM

            by DannyB (5839) Subscriber Badge on Monday March 16 2020, @06:42PM (#971964) Journal

            So far, I have not used our older Microsoft VPN client, nor the new one. But that's good to know.

            --
            The Centauri traded Earth jump gate technology in exchange for our superior hair mousse formulas.
  • (Score: 1, Informative) by Anonymous Coward on Friday March 13 2020, @08:15PM (10 children)

    by Anonymous Coward on Friday March 13 2020, @08:15PM (#970846)

    If you have access to internal systems, you won’t have unfettered internet access. Not on my watch.

    Is Microsoft seriously suggesting opening paths for data exfiltration?

    Typical though, they are incompetent to the extreme.

    • (Score: 5, Insightful) by DannyB on Friday March 13 2020, @08:25PM (6 children)

      by DannyB (5839) Subscriber Badge on Friday March 13 2020, @08:25PM (#970848) Journal

      Is Microsoft seriously suggesting opening paths for data exfiltration?

      Can a VPN really ever stop exfiltration?

      If you were working from home or other remote location, with a company VPN, it doesn't seem that hard to exfiltrate data.

      Maybe it's better to limit access to what data and how much data people have access to. Have signed employment agreements that cover things like this. And finally, trust your people, try to have people who you think you can trust, and don't treat them poorly. What a concept.

      --
      The Centauri traded Earth jump gate technology in exchange for our superior hair mousse formulas.
      • (Score: 1, Interesting) by Anonymous Coward on Friday March 13 2020, @08:55PM (4 children)

        by Anonymous Coward on Friday March 13 2020, @08:55PM (#970859)

        You can't stop exfiltration from your internal network. It just takes one hole and the really determined will find them. That is why access control and auditing are so important. At work, I have access to air-gapped, physically secured systems in isolated rooms with biometric and four-factor authentication and more. And yet we still had an incident where someone managed to get some of the data out of there and onto their unsecured general purpose system.

        • (Score: 2) by DannyB on Friday March 13 2020, @09:05PM (3 children)

          by DannyB (5839) Subscriber Badge on Friday March 13 2020, @09:05PM (#970863) Journal

          Did they do this intentionally or unintentionally?

          The greater the effort they had to go to, the more likely it was intentional. (or so it would seem)

          --
          The Centauri traded Earth jump gate technology in exchange for our superior hair mousse formulas.
          • (Score: 2, Insightful) by Anonymous Coward on Friday March 13 2020, @09:18PM (1 child)

            by Anonymous Coward on Friday March 13 2020, @09:18PM (#970868)

            Actually, this happens quite often when the systems in question are so heavily locked down that the users have trouble doing their jobs properly. It usually starts with someone physically taking something out accidentally (due to portability, maintenance, etc), and then realising their life is now much less painful.

            • (Score: 5, Funny) by sjames on Friday March 13 2020, @09:43PM

              by sjames (2882) on Friday March 13 2020, @09:43PM (#970874) Journal

              It's a classic security problem. At a building I used to work in, they had reasonable enough security practices and people tended to comply. Then they decided to tighten things down for "reasons". Suddenly you couldn't even go out for a coffee in the Starbucks on an outside corner of the same business without the full sign out then sign back in, etc.

              A week later I saw that a side door was propped open with a bucket and the door sensor was bypassed. There was a quick tacit agreement among the people who worked there that we don't talk about the side door with the bucket.

          • (Score: 0) by Anonymous Coward on Friday March 13 2020, @11:52PM

            by Anonymous Coward on Friday March 13 2020, @11:52PM (#970926)

            It was totally intentional. As the other AC suggested, it was to make his job easier by not having to go to the special area to work with the data in question. The funny thing is that not only do I have no idea how he did it, I don't even know how it was possible. The front USB and CD drive wires are physically disconnected, and the access in the back requires a key that no one who works with the data has.

            I should note though, working with the data in the room isn't that much harder than working with it on your other computers. You just tell it what you want to do and then leave to wait for the hours it takes to crunch. I go in there maybe one day every other week on average, but can go months at a time once I get results. Everything else can be done from your desk already. If you are spending more than 15 minutes in there at a time, you are probably doing something wrong.

      • (Score: 0) by Anonymous Coward on Friday March 13 2020, @10:02PM

        by Anonymous Coward on Friday March 13 2020, @10:02PM (#970886)

        Where I work:

        You get two computers, one for internal business stuff and one for random internet crap. The one for internal business stuff is prohibited from having wifi (we remove hardware from laptops) and is prohibited from being plugged into an insecure network. It only gets plugged into the VPN hardware device. That device does only the VPN encryption and routing. The computer used for internal business stuff is unable to reach anything outside the corporate network. We don't need NAT or purchased IP addresses for the corporate network because there is no possible IP address conflict if you never connect to the outside world. We can assign addresses as we please.

        With that, there won't be an accident or a problem involving a hacked client that copies data.

        All the equipment is to be kept in a private location with locks and alarms.

        The human is background checked. There is only so much you can do there, with the possibility of bribes and violence, but the background check goes back 10 years interviewing all acquaintances. Foreign relationships are prohibited, credit problems are prohibited, drug issues are prohibited, etc.

    • (Score: 4, Insightful) by DannyB on Friday March 13 2020, @09:07PM

      by DannyB (5839) Subscriber Badge on Friday March 13 2020, @09:07PM (#970864) Journal

      If you have access to internal systems, you won’t have unfettered internet access. Not on my watch.

      For most professionals or "knowledge workers" internet access is a useful business tool in the 21st century. Just as the telephone and fax machine were in the 20th century.

      --
      The Centauri traded Earth jump gate technology in exchange for our superior hair mousse formulas.
    • (Score: 2, Informative) by Anonymous Coward on Friday March 13 2020, @09:13PM

      by Anonymous Coward on Friday March 13 2020, @09:13PM (#970866)

      This is a false sense of security.

      Anyone that wants to exfiltrate data from a remotely usable system just connects to the VPN and downloads the data they want, then disconnects and sends it elsewhere via the internet. You can try to stop that too by locking it down to only allow the VPN or office physical network. But, you'd still need to make sure the user can't use their browser to connect to a foreign site where they might be able to upload an encrypted zip file of the data.

      And that is assuming you've gone to all the trouble of blocking all internet traffic including SSH, SSL, any other way through your super deep inspection packet filter. It also assumes you've locked down all USB and physical network ports in the user's machine, made it impossible for the user to boot the machine from a non-secured OS or execute/install unauthorised software. And that is just the obvious stuff.

      Anything less, and you may as well have a split VPN, and more generally just avoid pissing off the employees with over-the-top security protocols.

    • (Score: 2) by sjames on Friday March 13 2020, @09:34PM

      by sjames (2882) on Friday March 13 2020, @09:34PM (#970871) Journal

      You can have that if you want, but you'll be needing to cough up for all the extra bandwidth. That might be a really big cough. Unless each employee gets their own employer provided laptop to be used exclusively for work, you'll either be handling a lot of Netflix traffic as well or find people unwilling to log in to work after hours.

      Requirements, this is Budget. Budget...Requirements. Now shake hands and come out fighting!

  • (Score: 3, Interesting) by Ken_g6 on Friday March 13 2020, @09:57PM

    by Ken_g6 (3706) on Friday March 13 2020, @09:57PM (#970881)

    My setup doesn't even require the network administrator to know anything about it.

    I do basically all my work online over a VPN. When I started I rapidly figured out I didn't want all traffic going through my company's VPN. (What would they think of a site called Soylent News?) I also didn't like provisions saying the company could inspect the machine I use for the VPN. (Not that they ever have.)

    First, I set up a virtual machine with VirtualBox, which is the only machine I have installed the VPN software on. Initially I used that VM just like a normal work computer.

    Then I noticed that the VM, while on VPN, could still access my local network. This makes some sense, as it allows for things like transferring files and using a local printer. So I set up a proxy (TinyProxy) on my VM, and FoxyProxy [getfoxyproxy.org] in my main computer's browser, so selected HTTP/S traffic, and only that traffic, goes through the VM to the VPN.

    Later my company set up a DMZ [wikipedia.org] to the servers I was working with, and required ssh tunneling through it to reach them. I just set up another layer of SSH tunneling to allow my main computer to reach them.

    Now I hardly use the VM at all except to start the VPN.
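The VM-hosted proxy described in this post, as an added example that is not the poster's own configuration: a bash script that writes a TinyProxy config restricted to one LAN prefix and then audits a config file for the settings that would let any host able to reach the VM relay traffic into the VPN. The VM address 192.168.1.20, the LAN prefix 192.168.1.0/24 and port 8888 are constructed values.

```bash
#!/usr/bin/env bash
# Added example, not the poster's setup: generate a TinyProxy config for a
# VPN-attached VM that admits only one LAN prefix, then audit a config file
# for settings that would turn the VM into an open relay into the VPN.
# Addresses and paths are constructed.

write_tinyproxy_conf() {
  # write_tinyproxy_conf FILE VM_LAN_IP LAN_CIDR
  cat > "$1" <<EOF
Port 8888
Listen $2
Timeout 600
LogLevel Notice
# Only the home LAN may use the proxy; with no Allow line TinyProxy admits everyone.
Allow $3
# Restrict CONNECT (the method browsers use for HTTPS) to the usual TLS ports.
ConnectPort 443
ConnectPort 563
EOF
}

audit_tinyproxy_conf() {
  # Print one finding per line, or "ok" when nothing was flagged.
  local f=$1 findings="" active
  active=$(grep -v '^[[:space:]]*#' "$f" || true)
  if ! printf '%s\n' "$active" | grep -q '^Allow '; then
    findings="${findings}no Allow directive: every client that reaches the port is admitted\n"
  fi
  if printf '%s\n' "$active" | grep -Eq '^Allow[[:space:]]+0\.0\.0\.0/0'; then
    findings="${findings}Allow 0.0.0.0/0: proxy is open to all sources\n"
  fi
  if ! printf '%s\n' "$active" | grep -Eq '^Listen[[:space:]]+[0-9.]+'; then
    findings="${findings}no Listen address: proxy binds every interface, including the tunnel side\n"
  fi
  if ! printf '%s\n' "$active" | grep -q '^ConnectPort '; then
    findings="${findings}no ConnectPort: CONNECT can open a TCP tunnel to any port\n"
  fi
  if [ -z "$findings" ]; then
    echo ok
  else
    printf '%b' "$findings"
  fi
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_tinyproxy_conf "$tmp" 192.168.1.20 192.168.1.0/24
  cat "$tmp"
  echo "--- audit:"
  audit_tinyproxy_conf "$tmp"
  rm -f "$tmp"
fi
```

The point of the audit is that the VM sits on both the home LAN and the corporate tunnel, so the proxy is the only thing deciding who gets to use the VPN; a missing Allow line or a bind on all interfaces quietly extends that access to every device on the LAN. The same reasoning applies to the SSH forwards in the post: binding them to 127.0.0.1 keeps the DMZ reachable only from the machine running the tunnel.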

  • (Score: 2) by dltaylor on Friday March 13 2020, @10:21PM

    by dltaylor (4693) on Friday March 13 2020, @10:21PM (#970897)

    I can set up pf and/or iptables rules, do some testing and be fairly sure that nothing on the WAN side can access the VPN side.

    Can you be sure that your employee laptop is not passing packets between the WAN and VPN?
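The host-side check this post asks for, as an added example that is not taken from the poster's rule set: a bash script that prints the iptables and sysctl settings denying transit between the uplink and the tunnel, and audits a captured snapshot (the value of /proc/sys/net/ipv4/ip_forward plus `iptables -S FORWARD` output) to say whether the laptop could be forwarding between the two sides. The interface names wlan0 and tun0 and the office prefix 10.10.0.0/16 are assumed.

```bash
#!/usr/bin/env bash
# Added example, not the poster's own rules: settings that keep a dual-homed
# laptop from relaying packets between its Internet uplink and its VPN tunnel,
# plus an offline audit of a captured snapshot. Interface names and the
# office prefix are constructed.

WAN_IF=wlan0           # assumed uplink interface
VPN_IF=tun0            # assumed tunnel interface
VPN_NET=10.10.0.0/16   # assumed office address space

isolation_rules() {
  # Print (do not apply) the commands. Forwarding is switched off in the
  # kernel, and the FORWARD chain is closed as well so a later sysctl change
  # cannot silently re-enable transit between the two sides.
  cat <<EOF
sysctl -w net.ipv4.ip_forward=0
iptables -P FORWARD DROP
iptables -A FORWARD -i $WAN_IF -o $VPN_IF -j DROP
iptables -A FORWARD -i $VPN_IF -o $WAN_IF -j DROP
# office addresses must never arrive from the uplink side
iptables -A INPUT -i $WAN_IF -s $VPN_NET -j DROP
EOF
}

make_sample_snapshot() {
  # make_sample_snapshot DIR exposed|isolated -> constructed files that mimic
  # /proc/sys/net/ipv4/ip_forward and the output of `iptables -S FORWARD`.
  mkdir -p "$1"
  if [ "$2" = "isolated" ]; then
    echo 0 > "$1/ip_forward"
    printf '%s\n' '-P FORWARD DROP' \
      "-A FORWARD -i $WAN_IF -o $VPN_IF -j DROP" > "$1/forward_chain"
  else
    echo 1 > "$1/ip_forward"
    printf '%s\n' '-P FORWARD ACCEPT' > "$1/forward_chain"
  fi
}

audit_snapshot() {
  # audit_snapshot DIR -> "isolated: ..." or "exposed: ..."
  local fwd policy
  fwd=$(tr -d '[:space:]' < "$1/ip_forward")
  policy=$(awk '$1 == "-P" && $2 == "FORWARD" { print $3 }' "$1/forward_chain")
  if [ "$fwd" = "0" ]; then
    echo "isolated: kernel forwarding is disabled"
  elif [ "$policy" = "DROP" ] && ! grep -q -- '-j ACCEPT' "$1/forward_chain"; then
    # Conservative: any ACCEPT in FORWARD is reported for review, even one
    # that names neither $WAN_IF nor $VPN_IF.
    echo "isolated: forwarding is on but the FORWARD chain drops everything"
  else
    echo "exposed: host may route between $WAN_IF and $VPN_IF"
  fi
}

if [ "${1:-}" = "demo" ]; then
  isolation_rules
  d=$(mktemp -d)
  for mode in exposed isolated; do
    make_sample_snapshot "$d/$mode" "$mode"
    echo "$mode sample -> $(audit_snapshot "$d/$mode")"
  done
  rm -rf "$d"
fi
```

To audit a real laptop, save `cat /proc/sys/net/ipv4/ip_forward` as ip_forward and `iptables -S FORWARD` as forward_chain in one directory and call audit_snapshot on it. The pf case on BSD would need a `pfctl -sr` capture and is not handled here.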

  • (Score: 2) by darkfeline on Saturday March 14 2020, @02:22AM (1 child)

    by darkfeline (1030) on Saturday March 14 2020, @02:22AM (#970981) Homepage

    If you're using a VPN, that means there's a trusted network you need to get on to have access to important things. That also means that anyone who gets on your trusted network has access to important things. Say, a small device dropped in a corner, under a desk, in the trash, connected wirelessly, or plugged into an Ethernet port somewhere.

    Trusted networks are a liability.

    https://www.usenix.org/publications/login/dec14/ward [usenix.org]

    If you have zero-trust networks, you don't need VPNs. Problem solved.

    --
    Join the SDF Public Access UNIX System today!
    • (Score: 0) by Anonymous Coward on Saturday March 14 2020, @08:37AM

      by Anonymous Coward on Saturday March 14 2020, @08:37AM (#971104)

      Or you could take the third option and use it as a defense-in-depth measure in a proper setup.
