VPN vs Internet Browsing
I have a question regarding VPN. In our office we connect to the Internet through a wireless access point which is configured to an ISP's router.
This ISP router is then configured with a VPN switch, with the help of which we access few server applications hosted in our head office in another city.
We are not doing any direct VPN configurations in our office PCs to connect to these remote head office application servers.
We just configure wifi connection (access point key) in our PC and everything starts to work.
Now my question is when we open any webpage lets say 'www.cnn.com' in our office PC, is there any way our head office would know that this particular page was opened by one of their regional office PCs in any other city?
We don't have any 'eaves dropping' software installed on our PCs here. But I am not sure how this VPN configuration works.
Is it possible that it could be sending information to the head office VPN server about our web browsing information?
I am not sure about the company policy but I do open few non work related websites e.g. gmail, facebook etc during my working hours (total of 30-40min per day). So I want to be sure that I don't get caught for anythign wrong.
Any information in this regard shall be highlly appreciated.
White Plains, NY
It sounds like you have a constant VPN (endpoint to endpoint)with the head office and all traffic moving outside your location is going through the VPN. This would mean that they have access to that traffic so they could see what websites an employee had accessed. Email, etc. could be the same and this could allow them to blacklist certain sites, scan for malware, etc. from the head office for your office connections.
the access point, VPN switch and ISP router are all in our regional office. Would it be wrong assumption on my side if i say only the traffic which is directed for the application servers (hosted in the Head office) goes over the VPN switch (regional office) and then ISP router (regional office) and then goes to the head office (VPN server).
And all other web traffic (www.cnn.com) goes over the ISP router after skipping VPN switch (because server IP is not head office application server) but the cnn server.
And hence head office would not know if regional office accessed any www.cnn.com. It would only know when the request is sent to the application server hosted in the head office.
Is this above assumption wrong?
The vnets are configurable and only by asking the person that configured them or by accessing and reviewing the configuration that is in effect can you know. It could be set to route 0.0.0.0 then it would be all traffic, or it could be set more restrictively.
Scott Brown Consulting
|reply to johnEthen |
Did they make you sign an AUP policy as part of your HR package? Did you sign one recently?
If so, I'd dig it up and reread it again to be safe. If not, hit up the HR or IT department
for a copy.
Without knowing the nuts and bolts of the actual setup, it's all speculation at this point
a) how the VPN is configured and operating, and b) what relation (if any) it has to your
web browsing in the office.
That being said, I'd take the worst case scenario and assume ALL traffic is being watched
and punishment fitting the transgression will be enacted when something screwy is discovered.
Thanks for you answer, but there is nothing in the contract with respect to AUP policy or that sort.
|reply to johnEthen |
As others have said, it will depend on how the VPN is setup. And that is probably controlled by the head office. If it is setup to force all connections to go through the VPN, then they potentially have the ability to monitor all of your traffic.
When connected to www.cnn.com, go to a command prompt and try:
That will give information on how you are connected to cnn (look for the port 80 line in the output). If the IP addresses in the left column are all VPN addresses, then your connection is going through the VPN. If the left column address for your cnn connection uses a local IP (could be something like 192.168.1.x), then that connection is not going through the VPN.
If you are not sure how to interpret the netstat output, post it here - preferably in a code block. If you are shy about posting IP information in a public forum, the send me a PM with the details and I'll reply with how I read it.
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.1; firefox 9.0.1
|reply to johnEthen |
John, it sounds like you are assuming they don't monitor the traffic at all at your location. Even if your traffic doesn't go through the VPN to the head office, your local router could and probably very well is monitored too.
I manage quite a few networks, all of which use site-to-site VPN in some form or another. The VPN network's traffic get monitored just the same as the local networks traffic. Just walking you through - Why would I drive to a remote location to do work on all the routers, when I can remote in to all?
Someone for your office set that VPN up between your office and the remote and is maintaining those routers VPN and anything else associated with the routers even if you don't "see" them.
Anything and everything going through a company owned network/router is logged (no local "eaves dropping" software required). What they do with the logs (review them, store for later, ditch them, etc.) is unknown but it should be assumed it is reviewed and kept, and conduct yourself as such. Regardless if you signed anything about use, it's still all the company's property.
As just one example: Right now one client with multiple locations is using OpenDNS - which is configured into the routers via using the OpenDNS dns addresses. All the PCs point to their local gateway for DNS so it's transparent to them. I and the management at corporate can just pull up the account on OpenDNS on any browser and can review everyone's traffic for all the sites.
Recently I was asked to pull all the traffic on someone who was about to be, and was terminated. All that info was compiled into the report to backup the assertion that this person became "ineffective". No IT policy saying they couldn't surf the web, just that they should be working and that's proof enough they weren't. I personally would block these things, but this company preferred the "give them enough rope to hang themselves with" approach.
Good thread here:
»do company servers know where you've been?
your moderator at work|