Re: Security for database manager working from an apartment complex

What is it exactly you imagine is going to happen to you via your connection? Does you company have state secrets or nuclear launch codes on their server?

1. Generally VPN connections are very secure. That's why companies use them. As long as you have possession of your laptop, it's safe.

2. Virtually everyone these days connects to the internet through a router. Usually, cable or dsl providers have a modem built into a router (often with wireless built-in) and that's how we connect. The ISP assigns an IP address to your modem, your router allows you to share your internet connection among several devices. The router assigns IP addresses to the devices that connect to it. I don't know what you mean by "internally" assigned IP addresses - I don't know of any other way to get an IP address. You can manually assign static IP's, but it's still internal.

Most, if not all, modern routers have a built-in firewall that when properly configured, prevents the above-average attack and if you really lock it down tight, almost any attack.

3. Yes - narrow your router settings to the minimum connections. Disable any services you don't need. Use WPA2 password and MAC filter for your wifi. Don't open files sent to you from unsolicited sources and don't give out your passwords. Call your company and ask if they're OK with your set-up: It is after all, their worry - not yours.

Oh yeah, one more thing - stop listening to worry-wart fear mongers. You're not rich or famous enough (me neither ) to get targeted and the stuff your company has on their server is only of interest to them. Besides, you've already taken the greatest and best step toward internet safety: you switched to linux

Re: Security for database manager working from an apartment complex

oshunluvr nailed it but I'll expand a little -

1. When you're connected to your work network through the VPN all traffic between your laptop and the office is encrypted. That's what VPNs do - encrypt traffic between network endpoints.

2. Every internet connection goes through a router somewhere. Your home router *should* put you on a private network - if your IP address with the VPN not running starts with 10, 172.16 through 172.31 or 192.168 you're on a private network and machines behind the router can't be seen from the internet. If you're not on a private network you need to be on one

Note that with a VPN client connected to your office all your network traffic routes through the VPN and you're dependent on *their* network security.

3. I think the firewall feature set on most home routers is of questionable value since a private network can't be seen from the internet anyway. The best thing you can do is lock down any wireless access with WPA2 with a strong passphrase and if your router offers the option, increase the frequency with which the router and wireless devices exchange AES keys (most routers *don't* offer this function unless you use aftermarket router configurations like OpenWRT, DD-WRT or Tomato). Even with standard key rotation intervals there isn't enough computing horsepower available on the planet to crack WPA2 encryption before the key rotates. The most important thing is a strong (preferably random mixed case with special characters) passphrase at least seven characters long to protect against dictionary attacks.

JMO but I think MAC filtering and hiding a wireless SSID bring a false sense of security since anyone savvy enough to hack a wireless network can pull an SSID or MAC address out of the air - WPA2 with a strong passphrase solves this problem. They certainly won't hurt anything, though

Re: Security for database manager working from an apartment complex

My apartment is sort of unusual I believe in that they provide internet as if I was living in a dorm. I can access the wifi or use an ethernet connection, but I dont have physical access to the router which I assume all the apartments in my building are being run through, and I can't access the configuration page via my browser when I input the ip address for the router (im using the router address that my network configuration info is giving me).

My individual ip address and the ip address of the router both start 172.17 so this is a private network. When I use whatismyipaddress.com it shows me 107.0.114.21. Could you explain to me where they are getting this address from? Is it another router being used by comcast for our apartment complex's network?

I work for my a small company that is basically a family business, so I have a vested interest in the company doing well and consequently take more responsibility for my tasks, such as ensuring that this database is secure. I doubt we have any information particularly valuable or interesting to anyone on this database, my concern is more that if someone could view my connection they could take the login information I use to connect to the server or for logging into the database, and use that login information to access either the database or the server and mess with things. Paranoid I know, but people can suck sometimes.

When I say external ip address I mean (based on my limited and possibly incorrect understanding), the ip address for the modem (or router?) which someone from out on the internet would see and use to connect to me, and the internal one being a different ip address that the router assigns to my device. Maybe the person that told me I'd rather have my own unique, non routed ip address meant that I'd want that because then I could access my own router settings and increase my security, while as right now I'm dependent on the apartment managers to do so?

Is the wired ethernet connection more secure that using a wifi connection? Neither one right now requires me to use a password to get connected. To avoid using the open wifi network, I am using an Apple AirPort Express which takes our wired ethernet connection and gives my apartment its own private password protected wifi.

Re: Security for database manager working from an apartment complex

Depends on the VPN configuration and whether it allows split tunneling. The VPN server and client built into Windows default to disallowing split tunneling (which achieves the behavior you describe) and actually go out of their way to make it difficult to allow split tunneling. Other VPN products take a different approach; my employer uses Juniper SSL VPN purposefully configured with split tunneling so that they don't waste their own bandwidth backhauling Internet traffic.

It's a bit old, but see the paper Security considerations of NAT to learn how NAT, by itself, is rather weak. The extra state protection on home routers has its place -- following TCP sequence numbers, TCP handshakes, and UDP progress timers helps protect the computers behind the router.

Totally agree! Personal plug: I've written about this before. (Yes, once upon a time, I was a 'Softie.)

• Myth vs. Reality: Wireless SSIDs
• It’s Me, and Here’s My Proof: Why Identity and Authentication Must Remain Distinct

Re: Security for database manager working from an apartment complex

Routers have (at least) two network interfaces, and therefore (at least) two IP addresses. One interface is connected to the Internet and has a public address. The other interface is connected to the private network and has a private address. When you look at your computer's IP configuration and note the address of the default gateway, that's the address of the private side of the router.

I traced a route to 107.0.114.21. It's in an address block that's part of the addresses used by Comcast for business connections. So 107.0.114.21 is the address on the public interface of your building's router. Services on the Internet -- such as whatismyipaddress.com -- will only see the public address of your router, since (from the Internet's perspective) that's the origin of all traffic in your building.

If all your work-related traffic passes through the VPN, you needn't worry about eavesdropping or interception of that traffic. It's encrypted and therefore useless to someone who happens to capture the datagrams. Even the initial login is protected.

The building's router is already providing you with a private IP address in the 172.17 block. What risk remains comes from other users behind the same router. Without knowing more about how your building's internal network is constructed, I'd suspect that your building provides little to no traffic filtering between computers connected to the router. So, conceivably, someone else in the building could eavesdrop on your connection. Encrypted traffic will still be useless because your VPN connection is to your individual computer; however, non-encrypted traffic will be visible. If you wish to further protect your own computers from people in the building, you could install your own router. Actually, it appears you've already done this, based on your statement about using an AirPort Express.

Re: Security for database manager working from an apartment complex

Most of your assumptions are correct. The 107.0... address is the apartment routers IP, your computers IP is set by the apartments router.


IMO, you would be less secure with a direct connection. You can activate another firewall on your desktop if you want too.

Re: Security for database manager working from an apartment complex

Thanks that was helpful, the threat from people behind the same router was what I was concerned about, but it sounds like with the VPN and not using their unsecured wifi, i shouldnt worry.

Re: Security for database manager working from an apartment complex

Glad to be of help.

The wired network in your building still presents some risk from neighbors, since all wired connections are behind the building's router and (presumably) share the same private address space. Although addresses that start with 172.17 are technically considered "private," from your perspective you should consider your building as equivalent to the public Internet and design your security accordingly.

For greatest security, I'd recommend that you keep all your computers behind your AirPort Express. Of course, that will require you to use only wireless connections on all your computers, since the AirPort doesn't have its own local wired connections. If you want to use wired connections, you'll need to swap out your AirPort for a wireless router that also has some Ethernet ports.

If I were in your situation, here's how I'd construct my network:

Allow the router to self-configure to your building's Internet connection -- it will obtain a 172.17 address for its public side. Most home routers default to using a 192.168.0 subnet for the private side; this is perfectly fine. Don't forget to set a password on the router's administration interface! This should be covered in the router's documentation. Also, be sure to configure only WPA2 for your router's wireless security protocol, and use a pre-shared key (sometimes called a pass phrase) about 20 characters long. A simple sentence will do. There's no need for g00fy ch4r4c+er rep14cemen+s here: length is always better than complexity for improving the strength of secrets against brute force attacks. Connect your wireless devices only to your own router and not to the building's wireless.

This procedure allows you to create an isolated network for yourself yet make full use of your building's Internet connection. Treat your building as if it were part of the Internet, and isolate your network from the rest of it.

Re: Security for database manager working from an apartment complex

Really? IMO whoever's doing IT security for your employer needs to be fired, then

I didn't know anyone allowed split tunneling - it creates a bridge between trusted and untrusted networks for each VPN connection.

I missed the part about Comcast being provided by her apartment building - yeah, she needs her own router.

edit: You used to work for MS? Cool - I was an MVP for a few years (desktop systems).

cheers -

Re: Security for database manager working from an apartment complex

I used to think the same thing, but over time I've concluded differently.

Whenever an organization allows even a single computer to operate outside the confines of its corpnet, that computer poses potential risk when it returns. Imagine that you've attached your computer to the hotel LAN at, say, a computer security conference. Most unprotected machines would probably get infected with something. Modern malware is much stealthier than viruses of old, and usually does its work by initiating outbound connections to some evil remote-controller and then awaiting instructions, often over well-known ports and protocols. Such attacks routinely bypass corporate firewalls. So regardless of whether your VPN permits or prohibits split tunneling, you've already lost the battle: as soon as that device connects to the VPN, it becomes a tool of the attacker. Mobile devices that come and go from the corpnet must be strongly, resiliently configured.

There are also practical issues to consider when determining your VPN policy. My employer's user base can broadly be classified into two groups: those who use computers as tools for just getting work done, and hardcore developers/testers/geeks who are fully aware of risks and mitigations. Most users in the first group receive Windows machines that are domain joined, have user accounts that aren't admins, are locked down with group policy, are protected by anti-malware and a host firewall, and are kept up-to-date -- IOW, built the way they should be, so that they are useless to attackers. A few prefer Macs, and they're also managed. Users in the second group typically run Linux, along with some Macs, as you might imagine, and are generally trusted to keep their machines secure.

Less than half of our users work from a central office; the majority work from home or on customer sites. So split tunneling makes a lot of sense for us. We can still manage the machines remotely, and our users can connect to their home or their customers' networks and our network at the same time (often required for them to do their jobs). In the wider realm of worrying about which attack vectors really matter, split tunneling looks to be less of a problem than once thought.

Yup. I was in the telecommunications practice of Microsoft Consulting Services for three years, then part of the Trustworthy Computing Group for eight.