
VPN for security


13 replies to this topic

#1 7SLEVIN

7SLEVIN

    CC Newcomer

  • Member
  • PipPip
  • 23 posts

Posted 06 April 2011 - 10:45 PM

Hi

I read an interview with an Anonymous member. He said government datastorages and the like will only catch those who are not careful, not those protected by proxies and VPN software.

What kind of VPN-software is he talking about?

This is not black hat related, see privacy.

#2 Alexander

Alexander

    YOL9

  • Moderator
  • 3963 posts
  • Location:Vancouver, Eh! Cleverness: 200
  • Programming Language:C, C++, PHP, Assembly

Posted 07 April 2011 - 03:07 PM

I am unsure of what you mean by government datastorages, although utilizing a secured tunnel between two or more points will secure you from prying eyes, and any normal VPN server or client will work.

All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.


#3 7SLEVIN

Posted 08 April 2011 - 01:56 AM

I live in Norway, and here it's a big political circus whether the government should store data traffic. You can compare it to the fictional "grid" in the US.

So my question really, is how to stay hidden from the grid?

#4 Alexander

Posted 08 April 2011 - 08:36 AM

Yes, you would need to use some sort of proxy or VPN. A proxy would take traffic from another location and send it to you (online proxies are not very secure; you should utilize a service or form your own), and/or a VPN (provided you use IPSec) can provide end-to-end encrypted connections, so they have nothing valid to store.


#5 7SLEVIN

Posted 11 April 2011 - 03:35 AM

That part I understand, but if we start getting technical I'm still confused.
Am I correct that I could set up a VPN on my server and connect my workstation to it, thereby masquerading my traffic to the server? From what point would the traffic be encrypted? If it's only encrypted from the server and to my workstation, I guess it doesn't matter if my name is on the server, so to speak?

I know, a lot of question marks. Sorry.

Edited by 7SLEVIN, 11 April 2011 - 04:33 AM.


#6 Alexander

Posted 11 April 2011 - 03:52 PM

If you use the Internet Protocol Security (IPsec) feature with your VPN protocol you will be encrypting the traffic to and from with TLS/SSL (Transport Layer Security and Secure Sockets Layer, respectively), although you are right that your name will be stored in plain text on the server. This can be alleviated by using an encrypted volume, if your server host supports it; therefore your web server will pull information from an encrypted source, authenticate with the client, encrypt, and only then send it to you in a secure fashion that cannot be peeked at. You have no way of controlling what is going on at the host, so this is not a completely secure method, although it is nearly the best you can do other than not storing the data at all.


#7 7SLEVIN

Posted 12 April 2011 - 04:08 AM

I see! Thanks a lot.

Do you know of any VPN protocols that support IPsec that you would recommend?

#8 Alexander

Posted 12 April 2011 - 11:36 AM

You will need to install an IPsec implementation on your server operating system, in this specific case I would recommend the Openswan server over the older FreeS/WAN or Strongswan implementations due to your needs. IPsec is just a single layer of IP security, essentially encrypting IP packets over a tunnel.

You will then need to install an L2TP server, this will be your second layer of which your client will connect to finally through the IPsec layer, which will provide your VPN functionality. The setup of an L2TP server may vary under different situations and systems, and so I will link to a fairly generic installation that will be based on Debian Sarge:
http://www.natecarls...swan-and-l2tpd/
http://www.natecarls...pd/#configl2tpd

Client-side, if you are using Windows then there may be some options to import the IPsec certificates (also in the link above which you have generated), there are also some clients for XP/Win2K if you are not using Windows 7.

This option was really built for businesses requiring encrypted tunnels between systems networks. There may be issues with your VPS/dedicated server that you cannot account for (i.e. gateway does not allow this); it should be possible though with the more common systems providers I had been with.


#9 7SLEVIN

Posted 13 April 2011 - 06:55 AM

Wow, you really know your stuff! :) I will definitely be looking into implementing some kind of VPN solution for my LAN.

I am still wondering about the issue with the server's IP practically being in my name. You then have the solution of renting an encrypted volume, like you mentioned. I can't seem to find anyone who offers this?
While surfing around I found a site called StrongVPN.com. Having said that, I'm not considering buying anything, I'm just wondering what you think of this? In my experience these commercial hosting sites are deceitful. Is this service worth the money?

#10 Alexander

Posted 13 April 2011 - 11:32 AM

Ah, I was a little unclear of what exactly your machines were and where you were connecting to.

Assuming nothing of the third party service, your normal L2TP over IPsec will prevent the attacking party from knowing what is contained in the inbound and outbound traffic. They of course can have access to your host and/or client machine in one way or another -- This is why I suggested encrypted volumes. Windows based solutions and Linux provide many methods to encrypt a volume, with a high security encryption (i.e. AES is a popular option, better are out there.) With such an option, the attacking party can not know straight away what is on the disk even if they had access to it without proper authentication.

You can of course use this third party VPN service, this can act as a proxy in that it will hide your destination. If this third party service is out of country, then it may take an indefinite period for your government agency or attacker to retrieve information from them. This is a huge grey area, you will be relying on third party services which may not be reliable for security, and you have no way of knowing if they are doing what they are describing, or even more.

In my opinion, the encrypted VPN service over your own L2TP over IPsec (possible) would be a little paranoid, and there is not much of a need for a normal business to use such services. If your data was of such high value, the attacker would have better success retaining you rather than your data, to retrieve your data.

IANAL (I am not a lawyer), these services or protocols may be restricted in your country, there is no reason why they should or should not be, so I would look in to that at least briefly.


#11 7SLEVIN

Posted 14 April 2011 - 02:09 AM

I also think it's a bit overkill for everyday use, but it would still be fun. I bet I could learn a lot from the experience.
IANAL either, but it might be possible. It wouldn't surprise me at least...

Is there a simpler solution that doesn't go to the same lengths for security? I would like a solution that wouldn't reveal my traffic/identity on the first look. It isn't a problem that it's not too difficult to crack, but you at least had to know what you were doing.
Are proxies maybe a way to go?

What I meant with the machine is that I am thinking of setting up an old stationary HP computer with some crude OS to work as a personal file server. The plan was then to use this as a VPN host or whatever. Then the question is whether the computer is so old that it would slow down the traffic flow. Like a "bottleneck", if you know the expression.

#12 Alexander

Posted 14 April 2011 - 05:29 PM

Ah, if you are just using it as a remote file server (you do not need your operating system to connect to it as a physical network, only access it through the network) then you can use the SSH protocol rather than L2TP over IPsec. I am unsure of how to set this up for a Windows based system, but you have mentioned you wish to install a crude OS on a machine that is older; I would suggest installing a Linux based server operating system such as Debian, or Ubuntu Server, which should run fine under 256MBs of RAM.

The steps would simply be to install openssh-server, and the sshd daemon will be running continuously to accept inbound secured connections, with only a few more steps you can enable public key cryptography (i.e. 2048 bit RSA or DSA public/private key pairs) and then you've got a foolproof security, meaning even if the attacker was sitting beside you and had the password they could not authenticate without possession of the keys.

You can then on any platform use an SFTP client to access the server, this will use SSH rather than FTP and is also recommended over the standard FTP protocol on servers, you can have root access unless you wish to restrict what folder you wish to access with chroot or similar methods.
All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.
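
An added example, not part of the thread and not the poster's own configuration, for the OpenSSH setup described in post #12: possession of the key is the only way in only when `sshd_config` also turns password and keyboard-interactive logins off, so this script audits a config file for that and for an SFTP chroot. The two sample configs, the `sftponly` group and the `/srv/files` path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only login plus an SFTP chroot.
# Assumes plain "Keyword value" lines; auth keywords are read from the global section.

# effective KEYS DEFAULT FILE -> value sshd would use for the keyword(s).
# sshd keeps the first value it reads; keywords are case-insensitive.
effective() {
    awk -v keys="$1" -v def="$2" '
        NF == 0 || $1 ~ /^#/ { next }            # blank line or comment
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) ~ ("^(" keys ")$") { print tolower($2); hit = 1; exit }
        END { if (!hit) print def }
    ' "$3"
}

# audit_sshd FILE -> space-separated findings, or "ok".
audit_sshd() {
    f=""
    [ "$(effective passwordauthentication yes "$1")" = no ] ||
        f="$f password-auth-enabled"
    # Keyboard-interactive (often PAM) also prompts for the account password.
    [ "$(effective 'kbdinteractiveauthentication|challengeresponseauthentication' yes "$1")" = no ] ||
        f="$f keyboard-interactive-enabled"
    [ "$(effective pubkeyauthentication yes "$1")" = yes ] ||
        f="$f pubkey-auth-disabled"
    grep -Eiq '^[[:space:]]*ChrootDirectory[[:space:]]+/' "$1" ||
        f="$f no-sftp-chroot"
    echo "${f:- ok}" | sed 's/^ //'
}

# Constructed sample configs (not taken from the thread).
weak=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT
cat > "$weak" <<'EOF'
# keys are accepted, but password logins were never turned off
PubkeyAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat > "$hardened" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/files/%u
    ForceCommand internal-sftp
EOF
echo "weak:     $(audit_sshd "$weak")"
echo "hardened: $(audit_sshd "$hardened")"
```

On a running server, `sshd -T` prints the effective configuration and is the authoritative check; the script is for reviewing a file offline.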




