Gentoo Forums
Networking & Security
General VPN/Security question.
Budoka
l33t
Joined: 03 Jun 2012
Posts: 667
Location: Tokyo, Japan
Posted: Fri Aug 01, 2014 6:40 am    Post subject: General VPN/Security question.

I more often than not must use public WiFi spots primarily at hotels. Some are open networks and some are password protected but of course as a general practice I use a VPN.

At the moment I use 3 different services. I noticed that with one of the services, SecurityKISS, all of my ports are "stealth" which is good but on another service, VPNBook, ports 80 HTTP and 443 HTTPS are "Open". The remaining ports are a mix of "Closed" and "Stealth". I have researched VPNBook and the general consensus is that although it is free it is not a honeypot.

I guess my question is what should I be looking for in terms of port behavior when choosing a VPN service paid or otherwise? If port 80 and 443 are open isn't that insecure???

The connection is definitely being encrypted with TLS, according to the transmission feedback in the console.

Also, if I connect to the hotel WiFi minus a VPN all ports are either closed or stealth. I assume this is pretty secure except that data traveling over the network is not encrypted?

Thanks.
nlsa8z6zoz7lyih3ap
Guru
Joined: 25 Sep 2007
Posts: 373
Location: Canada
Posted: Fri Aug 01, 2014 1:37 pm

Quote:
I guess my question is what should I be looking for in terms of port behavior when choosing a VPN

I can't answer your exact questions, but as to choosing the VPN service, due to worries about 3rd parties etc., I use my home router as the other end of my VPN when travelling. I put an OpenVPN server on my Linksys E300 running Tomato Shibby firmware.
I run the OpenVPN client on my laptop while travelling. If I leave my home desktop on, I even have access to its file system over the VPN from my laptop.

The Tomato Shibby also utilizes a DDNS service so that I can connect via a domain name rather than an IP in case my home IP changes.

I have used this system for many years and am very happy with it.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13509
Posted: Fri Aug 01, 2014 10:20 pm

Budoka, though I am familiar with the stealth description, I am unclear on who or what is telling you the status of these ports or on which IP address you are detecting them.

It is perfectly safe for a port to be open, if the program listening on that port cannot be exploited. Making a port stealth may slightly impede some network scanning software, causing it to spend more time to determine that you are not offering any interesting services.
dataking
Apprentice
Joined: 20 Apr 2005
Posts: 251
Posted: Fri Aug 01, 2014 11:22 pm

Hu wrote:
Budoka, ... I am unclear on who or what is telling you the status of these ports or on which IP address you are detecting them.

+1
_________________
-= the D@7@k|n& =-
dataking
Apprentice
Joined: 20 Apr 2005
Posts: 251
Posted: Fri Aug 01, 2014 11:37 pm

OK, after a bit of googling, I think I have a better understanding of what's going on (although it would still be nice to know how and from where you're getting the port status).

So my googling revealed that SecurityKISS and VPNBook are VPN services. (Maybe that was obvious to others. /shrug) So, Budoka, what you're effectively doing is just anonymizing your internet activity.

VPNBook says on their website that there are profiles for TCP/80, TCP/443 and UDP/53, UDP/25000. So the ports you are seeing open are probably different options for your VPN. I wasn't able to look at SecurityKISS, because I'm at work and they block that kind of stuff. (SecurityKISS's website also doesn't run HTTPS, which I thought was somewhat ironic.)

So all that said, what you really need to be concerned about is open ports on the system you are using to browse. If that's the case, then it's probably related to how the VPN is constructed.
_________________
-= the D@7@k|n& =-
Budoka
l33t
Joined: 03 Jun 2012
Posts: 667
Location: Tokyo, Japan
Posted: Sun Aug 03, 2014 3:29 am

My apologies, everyone. I should have explained how I check the ports. I always use Gibson Research's Shields UP! for this. Have done so for years and highly recommend it. It is quite a nifty tool.

https://www.grc.com/x/ne.dll?bh0bkyd2

I guess I am just the nervous sort. I would think having all ports closed or stealthed would be the best option so was worried when I saw 80/443 open on VPNBook.
Budoka
l33t
Joined: 03 Jun 2012
Posts: 667
Location: Tokyo, Japan
Posted: Sun Aug 03, 2014 3:30 am

nlsa8z6zoz7lyih3ap wrote:
Quote:
I guess my question is what should I be looking for in terms of port behavior when choosing a VPN

I can't answer your exact questions, but as to choosing the VPN service, due to worries about 3rd parties etc., I use my home router as the other end of my VPN when travelling. I put an OpenVPN server on my Linksys E300 running Tomato Shibby firmware.
I run the OpenVPN client on my laptop while travelling. If I leave my home desktop on, I even have access to its file system over the VPN from my laptop.

The Tomato Shibby also utilizes a DDNS service so that I can connect via a domain name rather than an IP in case my home IP changes.

I have used this system for many years and am very happy with it.

I like this idea very much and will look at doing it myself.
Budoka
l33t
Joined: 03 Jun 2012
Posts: 667
Location: Tokyo, Japan
Posted: Sun Aug 03, 2014 3:32 am

dataking wrote:
OK, after a bit of googling, I think I have a better understanding of what's going on (although it would still be nice to know how and from where you're getting the port status).

So my googling revealed that SecurityKISS and VPNBook are VPN services. (Maybe that was obvious to others. /shrug) So, Budoka, what you're effectively doing is just anonymizing your internet activity.

VPNBook says on their website that there are profiles for TCP/80, TCP/443 and UDP/53, UDP/25000. So the ports you are seeing open are probably different options for your VPN. I wasn't able to look at SecurityKISS, because I'm at work and they block that kind of stuff. (SecurityKISS's website also doesn't run HTTPS, which I thought was somewhat ironic.)

So all that said, what you really need to be concerned about is open ports on the system you are using to browse. If that's the case, then it's probably related to how the VPN is constructed.

So then do you think I would be fine just going through the hotel network as it is without a VPN?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13509
Posted: Sun Aug 03, 2014 7:57 pm

Budoka wrote:
So then do you think I would be fine just going through the hotel network as it is without a VPN?

I would not send unencrypted traffic over a hotel network if I could avoid it. If the hotel network is via wired Ethernet, you could hope that they isolate guests from each other, but I would not count on it. If you know in advance that you are using their network only for protocols with strong encryption, such as ssh or a well configured https client, skipping the VPN would be fine. If you might send unencrypted traffic, I would establish a VPN to a trustworthy peer first.
dataking
Apprentice
Joined: 20 Apr 2005
Posts: 251
Posted: Mon Aug 04, 2014 7:38 pm

Pretty much what Hu said.

Hotel networks (wired or wireless) are notoriously insecure. Using a VPN from a VPN provider is fine. VPN'ing to your home network is arguably better.

Just be aware of what you're actually doing. Using a VPN to home or a service only encrypts the traffic to the endpoint. Your activity can still be monitored/intercepted after that endpoint (be it your home or a service's internet presence).
_________________
-= the D@7@k|n& =-
Budoka
l33t
Joined: 03 Jun 2012
Posts: 667
Location: Tokyo, Japan
Posted: Tue Aug 05, 2014 1:15 am

dataking wrote:
Pretty much what Hu said.

Hotel networks (wired or wireless) are notoriously insecure. Using a VPN from a VPN provider is fine. VPN'ing to your home network is arguably better.

Just be aware of what you're actually doing. Using a VPN to home or a service only encrypts the traffic to the endpoint. Your activity can still be monitored/intercepted after that endpoint (be it your home or a service's internet presence).

Thanks. I understand.

So a VPN is good on a public network because it encrypts the traffic. But what I am still fuzzy about is: if I have open ports, i.e. 80/443, on a VPN, doesn't that leave me open to attack vs. a VPN on which all ports are closed or stealthed?
depontius
Advocate
Joined: 05 May 2004
Posts: 3376
Posted: Tue Aug 05, 2014 12:35 pm

dataking wrote:
Just be aware of what you're actually doing. Using a VPN to home or a service only encrypts the traffic to the endpoint. Your activity can still be monitored/intercepted after that endpoint (be it your home or a service's internet presence).

At this point you're one step shy of advocating using TOR from the hotel instead of a VPN. Then again, the Russians have a bounty out for someone who can crack TOR, and others have been assaulting its exit nodes. (I don't know why the Russian bounty is only $10k, and who would sell such a crack for so little.) If anyone is that well funded and wants your information, they'll just do it the easy way and break your legs.

You know, you run reasonable safety, and try to take comfort in being a small fish. I have an OpenVPN endpoint at home and use that from hotels, to get to my own email services. I generally don't do business at hotels, only a bit of random surfing, and any business is over SSL.
_________________
.sigs waste space and bandwidth
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13509
Posted: Wed Aug 06, 2014 1:24 am

I read dataking's comment as a warning that the VPN is not total isolation. If you set up a VPN to an endpoint you do not trust to maintain the confidentiality of your communications, then the communications are not confidential. For example, avoid opening a VPN connection to your employer if you plan to browse content that would get you in trouble with IT or HR; avoid opening a VPN connection to a jurisdiction where your planned activities are illegal; etc.

Budoka: I have not seen anything yet that tells me what is listening on those ports, so it is unclear if there is a problem. I suspect that the scan is reporting some property of the VPN endpoint, not a property of your personal machine running the VPN. The only way it would reflect your machine is if your VPN provider had arranged to forward traffic received at the apparent IP back over the VPN to your real system. The only reason to do this would be to support you running servers, which I doubt the VPN provider would encourage at all, and strongly doubt they would configure to be enabled by default. If you are still concerned, then please post the details from the scanner tool. We need to know not that the ports are open, but why they are open.
dataking
Apprentice
Joined: 20 Apr 2005
Posts: 251
Posted: Wed Aug 06, 2014 5:29 pm
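Hu's point is that a remote scan of the VPN's apparent IP describes what the endpoint exposes, not necessarily what your own laptop is listening on. As an added example (not code from anyone in this thread), the following Python script parses the Linux /proc/net/tcp socket table for LISTEN sockets and sorts a scanner's "open" ports into those that actually match a local listener, those that only listen on loopback, and those with no local listener at all, which is the case where the scan is reporting the VPN endpoint rather than your machine. The embedded table is a constructed sample, not captured from a real host.

```python
"""Compare ports a remote scanner reports as open against what this Linux
host is actually listening on (parsed from the /proc/net/tcp format)."""
import os

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not from a real host):
# sshd on 0.0.0.0:22 (0016) and CUPS on 127.0.0.1:631 (0277), both in
# state 0A (LISTEN), plus one established outbound connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
   2: 0A00020F:C35A 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0 20 4 30 10 -1
"""

def parse_listeners(table):
    """Return {port: local_ip} for every LISTEN socket in a /proc/net/tcp dump."""
    listeners = {}
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The kernel prints IPv4 addresses little-endian, so read octets in reverse.
        octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        listeners[int(port_hex, 16)] = ".".join(octets)
    return listeners

def classify_scan(reported_open, table):
    """Split scanner-reported ports into: backed by a listener on a routable
    address ("local"), backed only by a loopback listener ("loopback_only"),
    or with no listener here at all ("not_local": the scan is describing the
    far end of the VPN, not this host)."""
    listeners = parse_listeners(table)
    result = {"local": [], "loopback_only": [], "not_local": []}
    for port in sorted(reported_open):
        ip = listeners.get(port)
        if ip is None:
            result["not_local"].append(port)
        elif ip.startswith("127."):
            result["loopback_only"].append(port)
        else:
            result["local"].append(port)
    return result

if __name__ == "__main__":
    # Use the live table on a Linux host, otherwise fall back to the sample.
    path = "/proc/net/tcp"
    table = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    # 80 and 443 are the ports the scanner called "Open" in this thread.
    for kind, ports in classify_scan({80, 443, 22, 631}, table).items():
        print(f"{kind}: {ports}")
```

Ports that land in "not_local" are open at the VPN provider's address and cannot reach your laptop unless the provider forwards them back over the tunnel; only "local" entries are services your own machine is really offering.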

Hu wrote:
I read dataking's comment as a warning that the VPN is not total isolation. If you set up a VPN to an endpoint you do not trust to maintain the confidentiality of your communications, then the communications are not confidential. For example, avoid opening a VPN connection to your employer if you plan to browse content that would get you in trouble with IT or HR; avoid opening a VPN connection to a jurisdiction where your planned activities are illegal; etc.

This is completely true. Think of it as a tunnel (there's a reason why they call it that). You're at one end of the tunnel. Your Internet activity happens at the other end of the tunnel. That other end of the tunnel is not encrypted, unless you happen to be using an encrypted protocol: HTTPS, SSH, etc. In effect, you are trusting the security of the "other end" of the tunnel.

Hu wrote:
Budoka: I have not seen anything yet that tells me what is listening on those ports, so it is unclear if there is a problem. I suspect that the scan is reporting some property of the VPN endpoint, not a property of your personal machine running the VPN. The only way it would reflect your machine is if your VPN provider had arranged to forward traffic received at the apparent IP back over the VPN to your real system. The only reason to do this would be to support you running servers, which I doubt the VPN provider would encourage at all, and strongly doubt they would configure to be enabled by default. If you are still concerned, then please post the details from the scanner tool. We need to know not that the ports are open, but why they are open.

This is also probably true. I'm familiar with grc.com and the Shields UP! application. Chances are it's testing the (far) endpoint of your VPN. Since VPNBook(?) specifically mentions that it has "profiles" for TCP/80 and TCP/443 (and specific UDP ports), those ports being open isn't a complete surprise.
_________________
-= the D@7@k|n& =-