Virtual Private Network

From MgmtWiki

Full Title or Meme

Virtual Private Networks (VPNs) have given computers the ability to join a remote network as though they were physically attached to that network.

Context

Ever since Enterprise employees started to travel with laptop computers the Enterprise has deployed Virtual Private Networks so the remote employees could function as though they were at their own desk in the home office. VPNs allow devices that aren’t physically on a network to securely access the devices that are on the network.

Problems

  • Each device on the network has equal access to the network, even if that device has been compromised. (Since this page is about commercial networks, we do not address partitioned networks such as those found in the Military.)
  • Note that a Zero Trust Architecture requires additional Authentication for each use of the network above and beyond that supplied by the network itself.
  • VPNs have also been used to anonymize the user's IP address, but this can be nullified if DHCP option 121 (classless static routes) is honored by the client: routes pushed that way are more specific than the VPN's default route, so the traffic they match leaves through the physical interface instead of the tunnel. This can be avoided if Android is used or a user-controlled DHCP server is created.[1]

Solutions

Apple

  • Does all traffic pass through VPN?
    This depends on your settings. The most common setup is "Host to Network", in which case only traffic to the specified remote network(s) goes through the VPN tunnel. With a "Host to Everywhere" setup, all traffic – except traffic to the local network(s) – goes through the VPN.
  • What exactly does "Send all traffic" option in VPN settings do?
    Send all traffic means that your iPhone will redirect every IP-based request via the VPN tunnel through your VPN server to the internet. If you disable Send All Traffic, your iPhone will only use the VPN connection when the private IP range cannot be reached over its other connections (Wi-Fi, cellular, etc.). Another trick you can use on an iPhone is to configure it with a configuration profile, using Apple Configurator from the Mac App Store or Profile Manager on macOS Server (10.7 or higher). With a profile you can specify VPN On Demand. This means that whenever you visit a predefined web page or use a predefined IP address, the VPN connection will automatically be established and the traffic for that specific web page or IP address will automatically be forwarded through that VPN connection.
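To make two of the points above concrete (the route-based leak via DHCP option 121 listed under Problems, and the "Host to Network" versus "Host to Everywhere" / "Send all traffic" distinction in the Apple settings), here is an added Python example that is not part of the original page or of any vendor's code. It decodes an RFC 3442 option 121 payload, models the client's longest-prefix-match routing decision, and reports which pushed routes would carry traffic around the tunnel under a full-tunnel and a split-tunnel configuration. The interface names tun0 and eth0, the 10.20.0.0/16 corporate prefix and the DHCP payload itself are constructed assumptions.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample DHCP option 121 payload (RFC 3442 classless static routes).
# Encoding per route: prefix length (1 byte), the significant destination
# octets (ceil(prefix/8) bytes), then the 4-byte router address.
SAMPLE_OPTION_121 = bytes([
    1, 0x00, 192, 168, 1, 1,          # 0.0.0.0/1     via 192.168.1.1
    1, 0x80, 192, 168, 1, 1,          # 128.0.0.0/1   via 192.168.1.1
    24, 10, 20, 30, 192, 168, 1, 1,   # 10.20.30.0/24 via 192.168.1.1
])

# The two VPN configurations the page describes, as the routes the client
# installs on its tunnel interface.
FULL_TUNNEL = [IPv4Network("0.0.0.0/0")]        # "Host to Everywhere" / "Send all traffic"
SPLIT_TUNNEL = [IPv4Network("10.20.0.0/16")]    # "Host to Network"; constructed corporate prefix


def parse_option_121(payload):
    """Decode RFC 3442 classless static routes into (network, gateway) pairs."""
    routes = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n_octets = (prefix_len + 7) // 8
        if i + n_octets + 4 > len(payload):
            raise ValueError("truncated route entry")
        # Only the significant octets are sent; pad the rest with zeros.
        dest = bytes(payload[i:i + n_octets]) + bytes(4 - n_octets)
        i += n_octets
        gateway = IPv4Address(bytes(payload[i:i + 4]))
        i += 4
        routes.append((IPv4Network((dest, prefix_len), strict=False), gateway))
    return routes


def route_lookup(dest, vpn_networks, dhcp_routes):
    """Longest-prefix match over the VPN routes (interface tun0) and the
    DHCP-pushed routes (physical interface eth0). Interface names are assumed."""
    candidates = [(net, "tun0") for net in vpn_networks]
    candidates += [(net, "eth0") for net, _gw in dhcp_routes]
    addr = IPv4Address(dest)
    matches = [c for c in candidates if addr in c[0]]
    if not matches:
        return "no route"
    # On a tie in prefix length a real kernel consults the route metric, which
    # this model does not track; VPN routes are listed first and so win ties.
    return max(matches, key=lambda c: c[0].prefixlen)[1]


def overriding_routes(vpn_networks, dhcp_routes):
    """DHCP routes strictly more specific than a VPN route. These win the
    longest-prefix match and carry the traffic they cover outside the tunnel."""
    return [
        (net, gw) for net, gw in dhcp_routes
        if any(net.subnet_of(vpn) and net.prefixlen > vpn.prefixlen for vpn in vpn_networks)
    ]


def report(label, vpn_networks, dhcp_routes, probes):
    print(f"== {label} ==")
    for net, gw in overriding_routes(vpn_networks, dhcp_routes):
        print(f"  DHCP route {net} via {gw} bypasses the tunnel")
    for dest in probes:
        print(f"  {dest:>12} -> {route_lookup(dest, vpn_networks, dhcp_routes)}")


if __name__ == "__main__":
    pushed = parse_option_121(SAMPLE_OPTION_121)
    probes = ["8.8.8.8", "10.20.5.5", "10.20.30.7"]
    report("full tunnel, no option 121", FULL_TUNNEL, [], probes)
    report("full tunnel, option 121 honored", FULL_TUNNEL, pushed, probes)
    report("split tunnel, option 121 honored", SPLIT_TUNNEL, pushed, probes)
```

Running it shows the asymmetry the page points at: with a full tunnel and no pushed routes every probe leaves via tun0, but once the two /1 routes are installed every destination matches a more specific DHCP route and leaves via eth0. The split-tunnel case leaks only where a pushed route is narrower than the corporate prefix (here the /24 inside 10.20.0.0/16); the rest of the corporate range still goes through the tunnel, which is why a client that ignores option 121 altogether, as the page notes Android does, is the simpler defence.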

Android

  • The VPN pages on the Android developer site include some legacy implementations. This page assumes Android 7 or later.
  • Always-on VPN Android can start a VPN service when the device boots and keep it running while the device is on. While Android maintains the service lifecycle, it’s your VPN service that’s responsible for the VPN-gateway connection. Always-on VPN can also block connections that don’t use the VPN.
  • Blocked connections A person using the device (or an IT admin) can force all traffic to use the VPN. The system blocks any network traffic that doesn’t use the VPN. People using the device can find the Block connections without VPN switch in the VPN options panel in Settings. Caution: When non-VPN traffic is blocked, apps that aren’t in an allowed list or in a disallowed list lose their network connection. Consider warning people when making allowed or disallowed lists.

Pixel VPN

  • Allows Google to act as the home site for a VPN on a Pixel, with the VPN supplied by Google.
  • The existing Android VPN does allow a list of sites that can reach the internet without going through the VPN. It should be presumed that this feature will still be part of the Pixel offering. The question is whether YOU can set the list of sites; for an enterprise VPN that is not normally allowed.

References

  1. Dan Goodin, "Novel attack against virtually all VPN apps neuters their entire purpose", Ars Technica, 2024-05-06. https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/