The Internet is Infected! The Ultimate Cyber Security Guide for Small Business and Home Computing!

If you find the information on this blog valuable you will find my upcoming three volume cyber security books infinitely more so! Visit my website at http://thatcybersecurityguy.com. My 8 years of research and 900 written pages are about much more than just cyber security as my writing presents valuable small business and general home computer knowledge. Visit me on Twitter @ThatCyberSecGuy. See the ACLU video "Invasion of the Data Snatchers" at YouTube to understand why you need my books and PDF files on the infected Internet.


Saturday, February 4, 2017

What a Windows 10 Pro Virtual Private Network (VPN) is; our concerns and why we need it

OK, so you follow my blog and purchased a shiny new Windows 10 Pro laptop with all the specs I recommended. You are ready to go on the road and you need to keep it safe using hotspots everywhere. You can buy my SSH chapter PDF on how to set up and use an SSH server, but that requires a computer running Linux behind your home firewall. The great thing with that setup is you can take that very old computer that can’t run Windows 10 Pro and load something like lubuntu (See: http://lubuntu.net). For example, my SSH server is a very old Dell with 1 GB of RAM and an 80 GB IDE drive. (See: http://thatcybersecurityguy.ipage.com/index.php?option=com_sppagebuilder&view=page&id=20)

Back in 2015 I did a series of blog entries on how to set up a VPN in Windows 7. Hopefully, you took advantage of Microsoft's FREE upgrade to Windows 10 (had to be done before July 29, 2016), and all your computers are running Windows 10 Pro now. I could leave up my old Windows 7 VPN blog entries, but I grow tired of searching the Internet for technical solutions only to find I'm on a years-old web page with an irrelevant solution, wasting my time, so I won't do that to you. Therefore, as my Windows 10 Pro VPN solution gets posted I will be deleting my old Windows 7 VPN solution. Besides, most people still running Windows 7 who did not take advantage of the FREE Windows 10 upgrade will probably not be interested in setting up a SOHO VPN.

If you search the Internet you will see a LOT of VPN services that you can pay for, but that is not necessary. Windows 10 Pro comes with everything you need to set up a FREE VPN into your SB or Home local network. However, getting everything working is not all that straightforward. In my book we went into detail about how to set up a Linux Secure Shell (SSH) server and configure your router to forward an SSH port to it. We then used that SSH server to securely use WiFi hotspots and transfer files back and forth with our partners. Setting all of this up used things such as address reservations, an old computer collecting dust, QoS prioritization and much more. However, suppose you just want a simple Virtual Private Network connection to your local network behind your firewall. A VPN can be viewed as a network of computers that can be securely connected to your Small Business or Home Computing (SB/HC) network. There are many advantages to setting up your own VPN, not the least of which is encrypted, somewhat secure, access to your SB/HC network at any time from anywhere. You do not want to have to purchase expensive services or additional hardware to be able to use hotspots securely.

Before we get into what a Windows 10 Pro VPN is, let's discuss our concerns with using a Windows VPN. If you are not sure what a VPN is, or if everything is crawling when you connect to your home VPN server, I highly encourage you to watch Eli the Computer Guy’s video on what a VPN is and how it works. You may discover that doing your own VPN is not going to work for a variety of reasons, which he describes very well. (See: https://www.youtube.com/watch?v=q4P4BjjXghQ)


WARNING


As seen many times in my book!
In the documents leaked by Edward Snowden, the NSA and GCHQ have gone to extraordinary lengths to break VPN encryption. We also have to be suspicious of using commercial encryption software, as the documents show that the NSA has convinced commercial companies to compromise their own software. Privacy advocates recommend using only open source software such as OpenVPN for secure communication. As written in numerous articles, there is strong evidence that the NSA has installed a cryptographic back door in all versions of Windows since Windows 98. If those back doors have been leaked or discovered by third parties, your VPN connection could be easily compromised by other entities.

We have to be cautious when using a VPN, as Microsoft itself has issued a warning against using PPTP in conjunction with the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). (See: http://technet.microsoft.com/en-us/security/advisory/2743314) Running a PPTP server will also expose the PPTP port on the Windows OS, thus exposing the VPN server directly to the Internet, so the use of a strong password and of a non-standard port are wise precautions.


Even though VPN has been targeted by governments it is still an effective means of protecting your remote devices and remaining private online. As such, it remains an operational way to protect yourself from most surveillance by crackers and thieves. Windows has the built-in ability to function as a VPN server. To make things easy Windows also comes with a VPN client that supports the two most common VPN protocols, Point-to-Point Tunneling Protocol (PPTP) and L2TP/IPsec.

While we are on that topic, let’s briefly discuss these two VPN protocols. PPTP is an OSI Layer 2 protocol that uses port 1723. It encapsulates and transports multiprotocol data traffic over IP networks. It uses a set of communication rules, created by Microsoft, that allow you to extend your own corporate network through private "tunnels" over the public Internet. In effect, this allows you to use a wide area network (WAN, aka the Internet) as a single, large local area network (LAN). PPTP is known as a tunneling protocol because the PPTP protocol dials through the PPP connection, which results in a secure connection between client and server. You can use the Point-to-Point Protocol (PPP) to transmit TCP/IP network communications over point-to-point connections. PPP acts as a carrier for PPTP, which is used to establish a VPN connection.

Layer Two Tunneling Protocol (L2TP) is a secure enhancement of PPTP and can also be used to create a VPN. L2TP is a combination of PPTP and Cisco's Layer 2 Forwarding (L2F) tunneling protocols. L2TP uses User Datagram Protocol (UDP) for sending packets as well as for maintaining the connection. Internet Protocol Security (IPSec) is used in conjunction with L2TP for encryption of the data. A SOHO router may not have support built in for L2TP but you should use it if it does. If you are a small business you will want to spend the extra money for a hardware firewall router that supports L2TP. For example, by default my home 802.11ac router only supports VPN-PPTP. To use L2TP I would need to set up a Custom Service on UDP port 1701. You may also have to open UDP port 500 to allow Internet Key Exchange (IKE) and UDP 5500 to allow IPSec Network Address Translation. Because L2TP does not provide confidentiality or strong authentication by itself, IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. IPSec needs IKE to negotiate the security association. (See:  https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol)
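To check whether an existing Windows VPN profile uses the PPTP and MS-CHAP v2 combination from the Microsoft advisory, or has not been pinned to L2TP/IPsec, the client profiles can be audited from PowerShell. The following is an added example, not part of the original post: the function name Get-VpnProfileFinding and the two sample profiles are constructed for illustration, while Get-VpnConnection and Get-NetTCPConnection are the built-in Windows cmdlets.

```powershell
# Added example: flag VPN client profiles that use PPTP, PPTP with MS-CHAP v2,
# an unpinned tunnel type, or encryption that is not enforced.
# Get-VpnProfileFinding is a hypothetical helper name, not a Windows cmdlet.
function Get-VpnProfileFinding {
    param([Parameter(Mandatory)] $Connection)

    $findings = @()
    $usesMsChapV2 = @($Connection.AuthenticationMethod) -contains 'MsChapv2'

    switch ($Connection.TunnelType) {
        'Pptp' {
            $findings += 'PPTP tunnel'
            if ($usesMsChapV2) {
                $findings += 'PPTP with MS-CHAP v2 (combination named in advisory 2743314)'
            }
        }
        'Automatic' { $findings += 'tunnel type not pinned (Automatic)' }
    }

    if ($Connection.EncryptionLevel -in 'NoEncryption', 'Optional') {
        $findings += "encryption level is $($Connection.EncryptionLevel)"
    }

    [pscustomobject]@{
        Name     = $Connection.Name
        Tunnel   = $Connection.TunnelType
        Findings = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

# Constructed sample profiles, shaped like the objects Get-VpnConnection returns.
$samples = @(
    [pscustomobject]@{ Name = 'Home-PPTP'; TunnelType = 'Pptp'
                       AuthenticationMethod = @('MsChapv2'); EncryptionLevel = 'Optional' }
    [pscustomobject]@{ Name = 'Home-L2TP'; TunnelType = 'L2tp'
                       AuthenticationMethod = @('MsChapv2'); EncryptionLevel = 'Required' }
)
$samples | ForEach-Object { Get-VpnProfileFinding -Connection $_ }

# On a real Windows 10 Pro machine, audit the live profiles instead:
#   Get-VpnConnection | ForEach-Object { Get-VpnProfileFinding -Connection $_ }
#   Get-VpnConnection -AllUserConnection | ForEach-Object { Get-VpnProfileFinding -Connection $_ }
# On the machine accepting incoming VPN connections, see whether port 1723 is listening:
#   Get-NetTCPConnection -State Listen -LocalPort 1723 -ErrorAction SilentlyContinue
```

With the constructed samples, only Home-PPTP is reported with findings; Home-L2TP comes back as "none" because MS-CHAP v2 inside an L2TP tunnel is not the combination the advisory describes.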

Many of us who have worked in the corporate or government worlds have followed a simple set of directions provided by our IT department to establish an outgoing VPN connection to connect to our office network. Your connection to that office network is called incoming, which is when a computer on the network allows secure VPN connections. If you work for an entity that provides this service this is an acceptable solution to protect your Internet devices. However, these networks do monitor all of your Internet activity so you should not conduct personal activity and they may block websites that you need to visit as well. Using a corporate or government network to conduct your personal business is a very good way to get yourself fired! My mission at ThatCyberSecurityGuy, LLC is that you, the Small Business Owner and Home Computer User (SBO/HCU) use the Internet more securely and privately. I am also reaching out to every corporate or government worker who is also an HCU! We are going to take on the tasks of setting up our router and both the outgoing and incoming VPN connections so that we can use our SBO/HCU local network while traveling thus protecting ourselves from corporate or government spying. This is the bare minimum that you as an SBO/HCU should do to protect your use of hotspots and keep your job!
