VPNs can certainly complicate matters. They allow traffic from a
user's computer to be packaged up ("encapsulated"), optionally
encrypted, sent across the Internet to another location, decrypted and
unencapsulated, and forwarded without any sign of the network hops that
the encapsulated traffic traversed.
On first reading this, I immediately thought of a switch included with
most VPN server implementations: allow or disallow "split tunneling".
With split tunneling allowed, the user's traffic gets encapsulated via
the VPN only for the address range of the network hosting the VPN -- all
other traffic gets delivered by the local gateway, unencapsulated. If
split tunneling is not allowed, all traffic from the user gets
encapsulated and sent "through the tunnel" to the VPN host; if its
destination was actually on the Internet, it gets sent to the gateway of
the VPN host rather than the one local to the user.
Disallowing split tunneling is recommended; it has the effect of
putting remote users of secure networks behind the network's firewall and
any other access filters, and, in case the user's computer is infected
with a botnet or other malware, ensures that that malware cannot
simultaneously be exploited from the Internet and (via the VPN) have
access to the secure network....
I don't know quite how Windows decides whether a network connection
can reach the Internet. It wouldn't surprise me if this setting could
confuse it. BUT it's a setting on the VPN host -- it shouldn't know or
care whether the user's computer is on a hotel network or their own home
network. So there must be something else going on.
The only other thing I can think of is to wonder if NAT (Network
Address Translation) is being used. Perhaps if the remote secure
network's gateway is doing NAT, that might make a difference -- but
again, it shouldn't matter where the client computer is connecting
from...
(I occasionally receive advertisements from stand-alone VPN services,
suggesting that they can connect me to the Internet "securely." I can
imagine two scenarios:
1. If you are using a network where your traffic might be monitored or
filtered, using a VPN might allow you to bypass the monitors. Whether
this is a good thing or not could depend on how you're trying to use the
Internet...
I picture taking all the traffic I don't want "shady characters" to
see, and handing it all over to ONE shady character who promises to keep
it safe from "all those others". One whom I have, by engaging their
service, tipped off that I may, indeed, have something in my traffic
that I'd like to hide....)
David Gillett
CISSP CCNP
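
As an added illustration (not part of either message), this Python sketch shows the route selection that the split-tunneling setting changes, and classifies a routing table as split or full tunnel. The interface names `vpn0` and `eth0`, all address ranges and both routing tables are constructed assumptions.

```python
import ipaddress

# Constructed routing tables: (destination prefix, outgoing interface).
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),        # default route stays on the local gateway
    ("192.168.1.0/24", "eth0"),   # user's home or hotel LAN
    ("10.20.0.0/16", "vpn0"),     # only the secure network is encapsulated
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "vpn0"),        # default route goes through the tunnel
    ("192.168.1.0/24", "eth0"),   # local LAN is still directly reachable
    ("203.0.113.10/32", "eth0"),  # host route to the VPN server itself
    ("10.20.0.0/16", "vpn0"),
]

def egress(table, dest):
    """Longest-prefix match: return the interface used to reach dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1]

def tunnel_mode(table, vpn_iface="vpn0"):
    """Return 'full' if VPN routes cover the whole IPv4 space, 'split' if
    they cover only specific prefixes, 'none' if nothing uses the VPN."""
    vpn_nets = [ipaddress.ip_network(p) for p, i in table if i == vpn_iface]
    if not vpn_nets:
        return "none"
    # Collapsing also catches clients that install 0.0.0.0/1 + 128.0.0.0/1
    # instead of replacing the default route.
    merged = list(ipaddress.collapse_addresses(vpn_nets))
    return "full" if ipaddress.ip_network("0.0.0.0/0") in merged else "split"

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, "->", tunnel_mode(table))
        for dest in ("10.20.5.9", "198.51.100.7", "192.168.1.20"):
            print("   ", dest, "via", egress(table, dest))
```

In the full-tunnel table the local LAN prefix still resolves to `eth0`, so hosts on the user's own network remain directly reachable even when Internet traffic is forced through the tunnel.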
-------- Original Message --------
Subject: [PCBUILD] VPN
From: Peter Shkabara <[log in to unmask]>
Date: Wed, January 28, 2015 2:00 pm
To: [log in to unmask]
I taught Cisco CCNA classes, but I don't completely understand some
issues with VPN. My daughter has an employer issued laptop to do work
from remote locations. She uses VPN to gain access to the employer
secure network. Here is the problem. When she uses VPN from a hotel, for
example, she has no apparent problems. At home, however, she connects
through VPN ok, BUT her laptop keeps indicating that she has NO Internet
connection - the Internet access does work; it is only the status
indicator that seems in error. She is running Windows 7, and the home
router is a D-Link DIR-655 with latest firmware. Did I overlook some
settings in the router? I was hoping someone on the list might have
worked out a similar situation. A Google search did not result in any
helpful suggestions that I have not already tried.