VPN/VDI - a question about privacy

I very often need to remotely access the information system at my place of work. Ever since that system has been available, I have accessed it via a web link, usually from my home computer. Works like a charm, for me at least.

Understandably, security concerns are paramount in my organization and as of next month, ALL access to its systems must be through either a VPN or VDI (virtual desktop infrastructure).

My question is whether using either a VPN or VDI will in any way make my home machine less private. Am I at any risk by using them?

I am not worried about any data I exchange with my organization’s systems; I’ll assume the smart people at work have got that covered. I am wondering whether use of their VPN or VDI might somehow potentially expose or compromise my computer and what it contains and has access to.

Thanks!

I’m not sure I understand this – are you saying that you’re not worried about exposing the non-work-related contents of your computer to the smart people at work, or only that you’re not concerned about the security of exchanging your work-related data, because you assume they have that covered?

Your biggest risk may be using a VPN link to establish a direct network connection between your equipment and that of your employer, likely penetrating any personal firewall you may have. The smart people at work may be your biggest threat. Even perfectly secure VPN software is a risk if you use it to open an unguarded connection to a network with hostile actors.

If you have a full VPN, it’s pretty much the same as plugging your computer into the office network directly. Same warning applies as about using a coffee shop WiFi, except the hackers have to be already on the Office network. (Those clever IT people)

If you have shared folders or drives, or if your home PC’s password is easy to guess or non-existent, then your data is wide open to anyone clever enough to find it. If the shares are writeable, then someone can place malware on those shares. If your Windows or MS Office (or any software) is not updated with the latest bug fixes, you may be vulnerable to clever hackers finding other means to get in. (Which is why Microsoft generally made Windows 10 auto-updates hard to turn off.)

More likely it goes the other way. Your employer doesn’t want your possibly infected PC messing up the whole network; which is why a remote desktop session - sending only monitor and keyboard back and forth - is preferable to full network access by VPN.
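
A defender-side check for the share exposure described in the post above, as an added example that is not part of the original thread: it parses `ss -ltn` output and lists the listening ports that would answer on the VPN interface. The sample output, the VPN address `10.8.0.6` and the function names are constructed assumptions.

```python
import ipaddress

# Constructed `ss -ltn` output for a home PC (not captured from a real machine).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
LISTEN 0      50     0.0.0.0:139         0.0.0.0:*
LISTEN 0      128    192.168.1.23:8200   0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    10.8.0.6:5000       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    [::1]:631           [::]:*
"""

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB: the file-share ports

def listeners(ss_text):
    """Yield (bind_address, port) for every LISTEN line."""
    for line in ss_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = tok[3].rpartition(":")
        yield addr.strip("[]"), int(port)

def reachable_from_vpn(ss_text, vpn_addr):
    """Ports that answer on the VPN address: wildcard binds plus binds to vpn_addr.

    Binds to loopback or to the LAN address are treated as not reachable over
    the tunnel; [::] is counted because it usually accepts IPv4 as well.
    """
    vpn = ipaddress.ip_address(vpn_addr)
    exposed = set()
    for addr, port in listeners(ss_text):
        if addr == "*":
            exposed.add(port)
            continue
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any %iface scope
        if ip.is_unspecified or ip == vpn:
            exposed.add(port)
    return sorted(exposed)

def exposed_share_ports(ss_text, vpn_addr):
    """Subset of the exposed ports that are file-share (SMB) ports."""
    return [p for p in reachable_from_vpn(ss_text, vpn_addr) if p in SMB_PORTS]
```

A host firewall can still block these ports on the VPN interface, so an empty firewall rule set plus a non-empty result here is the combination to look for.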

Thanks both.

And, yes, I assume that any work-related stuff gets encrypted by the organization. I’m actually impressed how confident the programmers must have been that their design/system was secure.

On the other hand, that doesn’t protect me from them. So my worry was that by using the VPN I’d be opening my machine to the people at my work. But, then again, as you said, they probably only care about me not contaminating their system with my infections (which is ironic because I’m a doc and my organization is a hospital).

You’ve correctly identified your biggest risk. We could talk about how vulnerable your VPN software, Citrix, or other VDI implementations are to attack by outsiders, but as a practical matter, they’re pretty safe to use. While your employer has likely taken steps to protect their network from risks from your PC, it’s much less likely that they’ve taken any steps to protect your PC from snooping/meddling by anyone at work.

With VDI, the biggest risk is from the VDI software itself “snooping” on your PC. Some of them can be configured to take an inventory of what’s installed on your PC and what patches have been applied, and refuse to connect if something unapproved or specifically disapproved is found. However, the intent isn’t really to snoop, and the connection software is almost certainly provided by a disinterested third-party. Nonetheless, you’re running someone else’s software on your device – how much you trust them is always a legitimate question.

With VPN, the risks are higher. You’re establishing a direct network connection between your PC and its peer network. Depending on the particular implementation (software + configuration + other factors), you could be exposing all of the devices on your home network to potential attack. The risk to you for any specific setup is probably best evaluated using network probing tools like nmap/Zenmap from within the peer network if that’s possible for you to do. In other words, to look for vectors of attack just like a potential attacker would.

Also keep in mind that it’s very common once a VPN connection is established from a PC for that to become the ONLY interface over which non-local network traffic is allowed from that PC, and that, as a result, all of your Internet traffic may start passing through the peer network while the link is up and be subject to snooping. At a previous place of employment of mine, a network administrator got into hot water because she was in the habit of leaving her VPN link up at home, and her husband was in the habit of browsing porn sites while she was at work. The company’s monitoring software picked up his activity, and she got asked why she was looking at so much porn from work.

That’s interesting!

Why does such a thing happen? I assume (hope) that the VPN must be left open for it to occur and assume, likewise, that by remembering to close it, it can’t happen. The likelihood of me forgetting? Certain.

It really depends on the goal of the VPN. If the VPN’s purpose is to keep you safe while connected to a non-trusted network, then you want all of your traffic to travel over the VPN.

I’m not an expert in this, so perhaps somebody else will have a better explanation. There are several ways a VPN can route traffic:

1. All traffic goes over the VPN. This means your computer won’t be able to use your local network printer.
2. All Internet bound traffic goes over the VPN, but traffic to your local network goes to your local network. Then you can print, access your local server, and such.
3. Only traffic bound for the VPN’s endpoint (your company) goes over the VPN. All other traffic uses your normal non-VPN internet connection.

I use different VPNs that work in those different modes, and it really depends on what the organization setting up the VPN wants to accomplish. Probably also mixed with a bit of how much they’ve bothered to change the default settings for whatever VPN software they’re using.

I think the biggest risk is that you’re installing software on your computer provided by a third party, and the software could act in ways you don’t like. Basically though, if you trust your company to respect your privacy in general, then it is probably fine. If you work for a place that installs key loggers on employees’ work computers and is otherwise very controlling and authoritarian, then maybe you don’t want to install software they give you on your home computer. If that’s the case, then you could set up a virtual machine, and use that to connect to the VPN and access company resources.

If you have open shares set up on your computer, then those shares might become available on your corporate network. Depending on how the VPN is configured, that might mean they’re also available to other VPN users. So for example, if you have a share called “Music” that doesn’t need a password, so you can easily stream your music library to other devices at your house, you might be making that share also available over the VPN. If you have shares that require authentication, nobody at your company may be able to access them, but the share name of “Sexy time pictures” might still be visible.

If you are sharing files, then there should be ways to specify that they’re only shared to your local network.

The problem with #3 is simple - if you establish a remote control session before connecting to the VPN (or a hacker with a trojan on your system does) then they are connected to your computer and have control of it. Now your computer connects to the Office network by VPN. Probably you’ve stored the password to get it going, so the hacker does not even need your intervention. Now anyone from Romania or Nigeria can browse the entire office network and try to hack into it too, relayed by your PC.

As a result, generally VPNs are #1, “all or nothing”. If you connect via VPN, you terminate all traffic except via the office network. Browsing the internet has to go through the VPN then the office’s firewall and filters, which generally are more advanced than home routers when it comes to detecting and filtering computer exploits.

It also means that the computer will ignore incoming packets other than VPN traffic, so it is harder to exploit the PC. The problem with #2 VPN option is that it simply requires that the outside world hacker exploit a different PC on your home network, which then could be used to relay to access your PC while it is connected to the VPN. This is a much less likely scenario, but odds are if one PC is infected, several are eventually. But… if you have a network attached printer at home, you won’t be able to use it with #3, so maybe #2 is good in some circumstances.

If you’re concerned, just make a virtual machine on your computer and only do office work through the VM’s self-contained environment.

I assume this was revived by accident or SPAM, but to address the other half of the question…

The remote session is best, since basically it makes your computer the keyboard and screen for a virtual PC session in the office server. Many remote desktop sessions also allow the user to transfer files to and from their PC and the virtual PC at work (and its network) but this is a different specific request to transfer files, not simple network file access like a file share. Generally your PC’s contents are not accessible to the rest of the office network. (Of course, with the proviso that it all depends on the type of remote control software.) Unless a hacker’s virus on your PC is clever enough to imitate you transferring the virus file to the virtual PC and then attempting to execute it, the office is immune from your issues (and vice versa). Also, most virtual desktops are sufficiently locked down that the user has no authority to run such high-level programs. Quite often the office network also has geographic and other limitations in place, so a hacker would have to be sophisticated to take over your PC, connect to the office, and also know your office credentials. (My wife’s remote access uses two-party authentication using a text message to her phone.) Similarly, your remote control probably cannot as easily be transferred to some computer in Romania and still work. Remote desktop also removes some issues around ensuring the office software is installed on the home PC - particularly specialized ERP programs and database access.

This is an interesting discussion revival. One of the products I support for my employer is a flexible remote access solution, that can be a web-based portal for internal websites and VDI, or can also be a VPN (either full-tunnel, split-tunnel or application-specific tunnel). It also manages device compliance (OS, software, antivirus etc).

At the start of the COVID-19 pandemic, we had to react to companies around the world suddenly shifting to large-scale remote working. Companies had to scale from a few hundreds or thousands of remote workers to tens of thousands. We also had to do it ourselves. And our company was not alone in this process. We were swamped with support calls, and were busy giving free licenses to customers to allow them to pivot in the space of a few weeks.

Many companies did not have the required infrastructure to fully support that number of workers on a full-tunnel VPN - their internet connections were not sufficient, and their VPN devices were not scaled to the new requirements. Staff did not have company devices, so they shifted to BYOD (bring your own device), or rapidly spun up VDI solutions on hypervisors. We helped build scalable access solutions in the cloud and on prem, and recommended that customers shift to split-tunnel VPNs, so that only company internal traffic crossed the VPN, and bulk internet traffic did not. This was the only way they could manage the required load as they shifted to remote working, VDI and BYOD.

My employer has not shifted stance on remote working - flexible working is their way forward. Productivity did not suffer - in fact, stats went up. But they did disable the split-tunnel VPN a few months ago, mostly for compliance reasons. They have obviously upgraded ISP links and can support a higher level of traffic, with the current staff levels working from home. Of course, many other companies are rolling back remote working, but I think they will find it difficult to do so.

But it has been a wild ride …