Possible to spy/eavesdrop through VPN client software?

I’m not an IT guy, so bear with me on the terminology here.

My employer makes it possible for us to log into the company servers through a VPN in order to do our jobs from home or the road. To facilitate this, we install client software on our home computers, then point our web browser to the company’s webpage, click the appropriate link and log in. For what it’s worth, the software is Citrix.

  1. Is it possible for the company to use this software to compromise the employee’s home computers? Can they, for instance, retrieve files from my computer (like my resume), or read my personal emails (stored on the local drive), or get my passwords, or view my internet usage (like questions I ask about them on a message board)?

  2. If this sort of thing is possible, is it legal? Is there some section in the EULA where I gave them the right to view everything on my home computer?

Technically, a VPN makes your network join the company network. As a local piece of software, it only makes your PC join the network.

Not familiar with the latest Citrix VPN, but off the top of my head: it basically creates a virtual “second network card” and says - any time you try to go to a company address use this “network card” instead of your internet. (It then encrypts the network packets, and forwards them over the internet to the company’s VPN gateway).

So theoretically, the effect is the same as if you plugged your PC into the company network.

Can they do nasty things and read your stuff? Maybe. I would not be surprised if they could; it would be pretty trivial to add an FTP service or something into the programs you automatically load with this.

Would they? The fact that you suspect them speaks volumes. However, unauthorised access to computers is a crime. Just because an employer (or an obnoxious twit in the IT department) does it, rather than some teen hacker, does not make it right. If the district attorney wanted to make an example, I doubt some consent hidden in the fine print will get them off if employee after employee gets on the stand and says they were never told they were opening their computer or that they were consenting to have personal files searched. Same as a bank loan, it’s just as much how it was explained as what you signed.

So a company is probably not going to do something sneaky, because it may put them on the wrong end of a class-action suit as well as a felony charge. I say probably, because legality does not always stop some people or organizations. However, unless you are employees with critical proprietary secrets, why is it worth doing? If they want to be nosy, they can legally snoop your work email for hours of mind-numbing gossip.

Once you establish the VPN connection, your computer effectively becomes network-accessible to the VPN gateway device. So theoretically, someone with appropriate corporate-network access could try to guess one of your local machine passwords and gain access to your computer, hard drives, and other such things. Again theoretically, someone could bundle an application with the Citrix VPN client installation files that would allow administrative access to your local machine; this is how some viruses work. Or exploit a known vulnerability in whatever software you may have currently installed on your machine.

Is this likely? All I can say is that as a Sys. Admin., it is a violation of my company’s policy for me to do something like this to an employee’s machine. I could also read anybody’s work email, but I don’t because, again, it is a violation of company policy to do so without appropriate authorization from management. And so on.

Check your employee handbook and your company’s stated computing policy (if applicable). Consult a lawyer if you believe there are questionable policies in place.
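The two answers above describe the VPN as a virtual network card plus routing rules, and the home PC as something that becomes reachable from the corporate side once the tunnel is up. The script below is an added example, not from this thread or from Citrix, that lets you see both of those things on your own Windows machine: which adapters exist, what each interface is classed as, which destinations are routed into the tunnel, which local ports are listening on every interface (and so are reachable over the tunnel), and how the firewall is set. It assumes Windows 8 / Server 2012 or later (the NetAdapter, NetTCPIP and NetSecurity modules) and an elevated PowerShell session; run it once before connecting and once after, and compare.

```powershell
# Added example, not from the thread: inspect what a VPN or remote-access client has
# changed on a Windows PC and what the PC exposes back through the tunnel.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

# 1. Adapters. A "real" VPN adds a virtual network card; a pure ICA/HTTPS client adds none.
Write-Host '== Network adapters (including hidden) =='
Get-NetAdapter -IncludeHidden |
    Select-Object Name, InterfaceDescription, Status, ifIndex |
    Format-Table -AutoSize

# 2. Network category per connected interface. Windows relaxes its firewall and enables
#    file sharing on "Private" networks, so a tunnel adapter classed Private exposes more.
Write-Host '== Connection profiles =='
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory |
    Format-Table -AutoSize

# 3. Routes. A 0.0.0.0/0 route on the tunnel adapter means every packet, including
#    personal browsing, is sent to the company (full tunnel); only company prefixes on
#    that adapter means split tunnel.
Write-Host '== IPv4 routes by interface =='
Get-NetRoute -AddressFamily IPv4 |
    Sort-Object InterfaceAlias, RouteMetric |
    Select-Object InterfaceAlias, DestinationPrefix, NextHop, RouteMetric |
    Format-Table -AutoSize

# 4. Inbound exposure. Anything listening on 0.0.0.0 or :: is reachable from every
#    interface, the tunnel included; a loopback-only listener (127.0.0.1 / ::1) is not.
Write-Host '== Listening TCP ports =='
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $procName = 'unknown'
        if ($proc) { $procName = $proc.ProcessName }
        [pscustomobject]@{
            LocalAddress        = $_.LocalAddress
            LocalPort           = $_.LocalPort
            Process             = $procName
            ReachableFromTunnel = $_.LocalAddress -in @('0.0.0.0', '::')
        }
    } |
    Sort-Object @{ Expression = 'ReachableFromTunnel'; Descending = $true }, LocalPort |
    Format-Table -AutoSize

# 5. Firewall. The profile applied to the tunnel decides whether those listeners are
#    actually reachable; all profiles should be Enabled with inbound default Block.
Write-Host '== Firewall profiles =='
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize
```

If the "after" run shows no new adapter and no new routes, the client is not a network-level VPN at all but a single encrypted client-to-server channel, which is the distinction the later replies in this thread draw for Citrix. If it does add an adapter, the rows with `ReachableFromTunnel` set to True are the services the corporate side can reach on your PC, and the firewall profile assigned to that adapter is what stands in front of them.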

Thanks, these are exactly the kind of explanations I was looking for. The computing policy seems to only cover equipment owned by the company, so I don’t think they’ve left themselves an out there. There is a lot of valuable proprietary information going back and forth, but it would be a long shot to claim that the entire contents of an employee’s personal hard drive are fair game (I hope).

Do you truly suspect that your employer would want to spy on your home computer? Or are you just normally a paranoid person? Or just curious for curiosity’s sake?

If the former…I would suggest looking for a new job.

In this instance, you are pretty safe - the Citrix client establishes an encrypted tunnel to the Corporate Citrix server, rather than a true VPN (with virtual IP addresses and routing tables as described above). This is a pretty loose use of the term VPN, and is more what I would call an extranet (externally accessible intranet) or SSL Tunnel. If you wanted to be really safe, I would consider setting up a virtual machine (using a free virtual machine server like VirtualBox or VMware Server) running XP that has the corporate client installed and nothing much else. Thus the Corporate system is completely isolated from your personal activities at all times.

In fact, if I was supplying a system like this (where a personal computer was used to access a Corporate System via the internet) I would do it by using a virtual machine image - safer and easier to manage all round.

Thanks - I couldn’t remember the specifics of Citrix. I assume then, it creates a VPN into the server. This is as if the server also had an additional network card installed that pointed to the client’s machine?

In that case, someone on the server with the right authority MIGHT have the ability to snoop on the home PC. Citrix wouldn’t allow regular users to snoop through each others’ VPN, but I don’t know what ADMIN can do. Outside the server - well, the server probably does not have the routing configured to accept packets from just anywhere and pass them through to your PC, or vice versa, so access is impossible? Simply, your home machine can’t do anything on the corporate network, either, I assume. All it can do is connect to the Citrix server, where you run a terminal session (desktop) as if you were the server box.

So it’s one of the safer VPNs.

Still, the virtual machine idea is the best if that’s your level of technical ability. Set up a virtual machine (like the Microsoft freebie, or the XP compatibility Mode in Windows 7). Be sure it cannot access anything from the host machine disks except one shared folder with strictly business stuff on it.

And BTW - password protect your shares. This is especially important if you have a laptop and go to places like Starbucks. Everyone on their wireless is on the same network, so it’s not difficult for someone to find your PC, look at the disks, and upload/download stuff to it - if there’s no password protection. Even at home - if the neighbor cracks your wireless and your shares are not password protected, you’re wide open.

Citrix does not even create a virtual network card (which is why it is not really a VPN in my book). The web browser connects to the company Presentation Server (using https). Clicking a link on the web browser launches the local client, either using the pre-established https connection or establishing a new encrypted port to port connection (to traverse any NAT devices). This single port communication channel is all that is used by Citrix to transport Terminal sessions from the Citrix Application servers. Communication is point to point, and the only traffic between the client and server is via the Citrix Server and Client. This means that there is no other way the server can access the client for information.

So it’s basically an ICA connection, not VPN. Yeah, that’s pretty simple and secure for the home machine.

OTOH, when I was Citrix Admin way back when, you could see the remote printers connected; don’t recall if you could see the remote client disks connected; depends too on whether they carry through the local disks to the Citrix session. More secure for the company data not to… Also, I don’t remember the difference between the browser client and the full ICA client.

I think I’m still following you all, thanks. What is meant by ‘shares’ in this context? Shared folders? I don’t have any of those, unless Windows automatically makes some folders shared.

As to the paranoia question, without getting too far off topic, the company culture has been slowly sliding towards fear, suspicion, and erratic behavior. There have been a few incidents that strongly suggest attempts to monitor employees outside of the workplace. So a healthy level of paranoia is justified IMO.

Thanks for this reminder. On this laptop I don’t actually share any files, but I do have file sharing enabled so I can access files on my home network. But, of course, I do take this laptop to various unsecured networks, and Windows XP by default will enable a “shared documents” folder. For kicks I just went to see if there was anything sitting there (since I normally don’t touch that folder), and lo and behold there were a few sketchy executables. AV software identified one as a worm, and deleted it safely, but apparently didn’t scan that deep in the past. That folder is no longer shared, and a full AV scan is in progress…
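The earlier advice to password-protect your shares, the question of what a "share" is, and the discovery just above of a default shared folder nobody remembered all come down to the same check: which folders does this PC offer over SMB, who can open them without credentials, and does the firewall let the network reach them at all. The script below is an added example, not from this thread, that answers those three questions. It assumes Windows 8 / Server 2012 or later (the SmbShare and NetSecurity modules) and an elevated PowerShell session; on Windows XP, as in the thread, the rough equivalent is `net share` at a command prompt. The share name in the commented remediation lines is a placeholder.

```powershell
# Added example, not from the thread: audit which folders this Windows PC shares over
# SMB, who can open them without a password, and whether the firewall lets the network
# reach them. Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

# Principals that mean "anyone on the network", i.e. no password required.
$anonymousPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Guest', 'Guests')

function Get-ShareExposure {
    # One row per (share, grantee): who it is, what they may do, and whether it is anonymous.
    foreach ($share in Get-SmbShare) {
        # Hidden administrative shares (C$, ADMIN$, IPC$) require administrator credentials;
        # list them for completeness but do not inspect their ACL.
        if ($share.Name -match '\$$') {
            [pscustomobject]@{
                Share = $share.Name; Path = $share.Path
                Grantee = '(administrative share)'; Right = ''; Anonymous = $false
            }
            continue
        }
        foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
            $principal = ($entry.AccountName -split '\\')[-1]   # strip DOMAIN\ or BUILTIN\
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Grantee   = $entry.AccountName
                Right     = "$($entry.AccessControlType) $($entry.AccessRight)"
                Anonymous = ($principal -in $anonymousPrincipals) -and
                            ($entry.AccessControlType -eq 'Allow')
            }
        }
    }
}

$exposure = Get-ShareExposure
$exposure | Format-Table Share, Path, Grantee, Right, Anonymous -AutoSize

$open = $exposure | Where-Object Anonymous
if ($open) {
    $names = ($open.Share | Sort-Object -Unique) -join ', '
    Write-Warning "Shares reachable without a password: $names"
}

# Is SMB even reachable from the network? Enabled inbound "File and Printer Sharing"
# rules on the Public profile expose the shares above on cafe Wi-Fi.
Write-Host '== Enabled inbound File and Printer Sharing firewall rules =='
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Profile, Action |
    Format-Table -AutoSize

# Remediation, commented out; 'Shared Documents' is a placeholder share name.
# Replace the anonymous grant with a named account (so a password is required), or
# stop sharing the folder altogether:
# Revoke-SmbShareAccess -Name 'Shared Documents' -AccountName 'Everyone' -Force
# Grant-SmbShareAccess  -Name 'Shared Documents' -AccountName "$env:COMPUTERNAME\$env:USERNAME" -AccessRight Read -Force
# Remove-SmbShare       -Name 'Shared Documents' -Force
```

A share whose only grantee is `Everyone` with `Allow Full` is exactly the "no password protection" case described earlier: anyone on the same wireless network can list, read and write the folder, which is how unexpected executables end up in a shared documents folder. The firewall listing matters just as much: if the inbound sharing rules are enabled only for the Private profile and public Wi-Fi is correctly classed as Public, the shares are not reachable there even before the ACLs are fixed.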