dslreports logo
site
spacer

spacer
 
    «« DSL Hurdles Share Tool
spc

spacer




how-to block ads



A VPN will set up a "tunnel" via one or more "ports" (often via the TCP protocol). The exact ports used will vary with the type of VPN, and sometimes also with the advanced setup options for the VPN. However, the VPN "tunnel" itself is just standard IP (internet) traffic, albeit strongly encrypted traffic. As such, any firewall that is configured to block any of the "ports" needed for that VPN, will also block the VPN "tunnel" (preventing you from using the VPN).

The "flip side" of this, is that a VPN "tunnel" really does "tunnel" internet traffic for all "ports" via the VPN connection. This means that if the VPN itself isn't blocked (see above), than traffic on ports that are supposedly blocked for some reason (be that because of some firewall, or some restriction of your ISP), can still go out via the (unblocked) VPN tunnel! This can be both a useful "feature" (allowing you to do things with the VPN that you couldn't do directly via the internet), or a security weakness that is all too easy to overlook.

For example, I telecommute a couple of days a week. At my office, the company firewall blocks all attempts to access (from the internet) files on our Windows servers (for obvious security reasons). However, the VPN ports are not blocked at the firewall (so that remote users can connect to the VPN). When I setup a VPN connection to the office, it "tunnels" all traffic (for the IP numbers at our office) via the VPN. This means that when I have a VPN connection setup, I am essentially bypassing all restrictions of the office firewall! This is "a good thing", because I can pretty much do anything (including accessing files) that other machines on the office LAN can do (even when the firewall supposedly blocks that traffic from the internet). However, it also means that my home office machine better be secured "better than most", if I don't want to be "the weak link" that lets some jerk use my VPN connection to make it much easier to "hack" the machines "at the office"!

Expand got feedback?

by DracoFelis See Profile edited by KeysCapt See Profile
last modified: 2003-07-19 00:30:49