You can absolutely distribute certs via a GPO, change CA lists, change trusted sites/domains, and a whole bunch of other stuff.
Getting access to your machine might not be too difficult. “Just run vpn-wow.exe to set up your new VPN WOW! account, you’ll have to click on ‘OK’ to allow administrator privileges for the installer.”
Is it normal for a computer joining a VPN over the Internet to also be required to join the company domain?
If not, would the GPO method still work?
I think the question was “If I am using a VPN to access my company network and doing other things as well, how much can the company Network Admin see?”
The answer lies somewhere between very little and absolutely everything:
If the tunnel is split, then only company traffic is visible to the company admin - your access to “The Straight Dope” goes directly via the Internet, not the VPN.
If the tunnel is not split, then all traffic goes via the VPN, and the company proxy. They can see all http traffic. They may be able to see https, if they have the appropriate certificates. If the access device is a company device and is in the company domain, then the certs can be installed via GPO. If it is not a company device, then they may mandate a certificate, or they may not. If they have not, then https traffic probably cannot be monitored.
If it is a company device or accessing company network resources, then yes (otherwise, how do you authenticate access to those resources).
No.
We should clarify that by VPN I mean a network-layer tunnel that uses a virtual network adapter on the client, through which some (or all) network traffic is routed. These are generally used from a secured company device using VPN client software, and such devices will conform to company policy, enforcement, use standards and monitoring. As a network admin, I don’t allow random computers into my physical network - I’ll make even less of an exception for random computers from across the internet. Many networks now use policy enforcement as well, to ensure VPN-attached computers have the correct AV signatures and patch levels before full network access is granted.
Some people use VPN to refer to secure extranet interfaces (usually SSL/HTTPS, or secure internal Remote Desktop sessions via Citrix/Terminal Server) to internal company resources. I don’t consider these true VPNs. However, these are more likely to be used from a non-company device, using a standard web browser. These sorts of VPN can be used without policy enforcement.
Another question to ask is whether you actually check certificates before installing them, or just blithely assume that the server you are connecting to has updated their certs - certainly I would get suspicious if just as I attached to a Wifi cafe network I got prompted to install new certs, especially for my own server, when I know whether I have installed new certs.
Si
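The split versus non-split tunnel distinction above comes down to the client's routing table: a split tunnel sends only the company prefixes out of the VPN's virtual adapter, a full tunnel points the default route at it. The following is an added example, not code from this thread or any VPN product, that models that decision with a longest-prefix-match lookup over two constructed routing tables and then maps the result onto what the company admin can see. It goes slightly beyond the post: for HTTPS over a full tunnel without an interception CA, it reports "metadata" (destination address and SNI are still visible at the proxy) rather than nothing. The interface names `tun0`/`eth0`, the addresses and the prefix lists are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed routing tables (assumed names/addresses, not from any real host).
# "tun0" is the VPN's virtual adapter; "eth0" goes directly to the Internet.
SPLIT_TUNNEL = [
    Route(_net("0.0.0.0/0"), "eth0"),        # default route stays on the physical NIC
    Route(_net("10.0.0.0/8"), "tun0"),       # company address space goes through the VPN
    Route(_net("192.168.1.0/24"), "eth0"),   # home LAN
]

FULL_TUNNEL = [
    Route(_net("0.0.0.0/0"), "tun0"),        # default route captured by the VPN adapter
    Route(_net("192.168.1.0/24"), "eth0"),   # home LAN, often still reachable locally
    Route(_net("203.0.113.5/32"), "eth0"),   # the VPN concentrator itself, must not loop into the tunnel
]


def select_interface(dest: str, routes: list[Route]) -> str:
    """Longest-prefix match, the same rule a host's IP stack applies."""
    addr = ipaddress.ip_address(dest)
    best: Route | None = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise ValueError(f"no route to {dest}")
    return best.interface


def admin_visibility(dest: str, scheme: str, routes: list[Route],
                     vpn_iface: str = "tun0", interception_ca_trusted: bool = False) -> str:
    """What the company network admin can observe of one connection.

    "none"     - traffic never enters the tunnel (split tunnel, non-company destination)
    "metadata" - goes via the tunnel/proxy but is TLS the proxy cannot open:
                 destination IP/port and SNI are visible, content is not
    "content"  - plaintext HTTP, or HTTPS that the proxy re-signs with a CA the
                 client trusts (e.g. one pushed by GPO to a domain-joined device)
    """
    if select_interface(dest, routes) != vpn_iface:
        return "none"
    if scheme == "http":
        return "content"
    if scheme == "https":
        return "content" if interception_ca_trusted else "metadata"
    raise ValueError(f"unsupported scheme {scheme!r}")


if __name__ == "__main__":
    # 198.51.100.7 stands in for an unrelated public website, 10.1.2.3 for an intranet host.
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        for dest, scheme in (("10.1.2.3", "http"), ("198.51.100.7", "https")):
            for ca in (False, True):
                print(f"{name:5} {scheme:5} {dest:14} interception CA trusted={ca!s:5} -> "
                      f"{admin_visibility(dest, scheme, table, interception_ca_trusted=ca)}")
```

The third entry in `FULL_TUNNEL` is the detail people forget when reasoning about "all traffic goes via the VPN": the client still needs a more specific route to the concentrator's public address on the physical interface, otherwise the tunnel packets would be routed into the tunnel they carry. Everything else falls under the default route and lands on the company proxy, where the HTTPS outcome is decided entirely by whether the client trusts the proxy's signing CA.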