
Personal VPN and Managing Server

<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Wed Apr 17, 2013 11:39 pm

Personal VPN and Managing Server

First off, thanks for everyone's advice and help on my earlier threads about security!

After some consideration, I am not so sure that I want to fork over $$$ and get involved with Wireless contracts with companies like Verizon, who I basically think suck...

So, I would like to know, "Is it possible to *ethically* and *securely* manage a Server over a Free Wi-Fi connection using JUST a Personal VPN like HideMyAss or Witopia?"

From what others have said in my earlier threads, and from just using common sense, it would seem that if I bought wireless service with someone like Verizon, and while on the road away from home, first connected to their private wireless network, and then secondly I used something like WiTopia, that that would be the most secure, right?

But if I was using Free Wi-Fi at Denny's or wherever, and I connected to the Internet over a Personal VPN like WiTopia, could I manage a website that I am building and feel secure enough that I could trust things like Server Log-in Credentials and Customer Data - non-financial - using such a setup?

I hope that is a possibility, because I am pretty turned off by the pushy and obnoxious Telecoms here in the U.S....


Tom
<<

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Thu Apr 18, 2013 3:46 am

Re: Personal VPN and Managing Server

I was all ready to say "yes, but you run the risk of the vpn provider spying on you".....until I hit your statement on customer data.

Protection of customer data typically falls under the law in most countries, depending on the type of data we're talking about, and if you don't make a reasonable argument of why the method you're using to protect it is enough to satisfy those laws, you can find yourself in hot water.

I assume you don't have full control over the server you want to manage? If you do, I'd recommend OpenVPN with both password and certificate authentication, which should (if your own machine is fairly locked down) provide decent security. I'd still consider asking legal advice over the customer data transmission (and storage) aspect though.
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Apr 18, 2013 9:31 am

Re: Personal VPN and Managing Server

What I would do, would be to set up OpenVPN like UKSecurityGuy said.

Much more convoluted, I would look in to getting all traffic not just web traffic going over the VPN connection. It would be rather embarrassing if the browser was safe, but everything else like Toad, SSH, FTP, etc went over the public internet (yes ssh is encrypted, but doesn't mean you want people to know what server you went to).

I would set things up with 2 boxes:
1: a Server running OpenVPN, with 2 ports. One with an outside connection to connect to, and one with a connection to where I need to work.

2: the servers I worked on, only accept administrative remote connections (FTP, SSH, RDP, etc) from the address of the OpenVPN box.
OSWP, Sec+
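
One way to check that the second rule in the post above is actually being enforced, as an added example that is not part of the thread: it audits sshd authentication log lines for any source other than the OpenVPN box. The VPN box address and the log lines are constructed, using documentation IP ranges.

```python
import ipaddress
import re

# Assumption: the OpenVPN box's address (hypothetical, documentation range).
VPN_BOX = ipaddress.ip_address("192.0.2.10")

# Constructed sample lines in OpenSSH's syslog format; not from a real host.
SAMPLE_LOG = """\
Apr 22 09:01:12 vps sshd[2211]: Accepted publickey for tom from 192.0.2.10 port 50122 ssh2
Apr 22 09:14:40 vps sshd[2298]: Failed password for root from 203.0.113.77 port 41822 ssh2
Apr 22 09:15:02 vps sshd[2301]: Accepted password for tom from 198.51.100.23 port 60311 ssh2
Apr 22 09:20:45 vps sshd[2333]: Failed password for invalid user admin from 203.0.113.77 port 41990 ssh2
Apr 22 10:02:19 vps sshd[2410]: Accepted publickey for tom from 192.0.2.10 port 50388 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def audit(log_text, allowed=VPN_BOX):
    """Return (bypassed, probes) for auth events not coming from `allowed`.

    bypassed: (user, source) for successful logins from another address.
    probes:   source -> count of failed attempts from another address.
    If the firewall rule were in place, both would be empty, because no
    other source could reach sshd at all.
    """
    bypassed, probes = [], {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # sshd logged a hostname; skipped in this sketch
        if src == allowed:
            continue
        if m["result"] == "Accepted":
            bypassed.append((m["user"], str(src)))
        else:
            probes[str(src)] = probes.get(str(src), 0) + 1
    return bypassed, probes


if __name__ == "__main__":
    bypassed, probes = audit(SAMPLE_LOG)
    print("logins that bypassed the VPN box:", bypassed)
    print("failed attempts from other sources:", probes)
```
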
<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Thu Apr 18, 2013 10:44 am

Re: Personal VPN and Managing Server

UKSecurityGuy wrote:I was all ready to say "yes, but you run the risk of the vpn provider spying on you".....until I hit your statement on customer data.

Protection of customer data typically falls under the law in most countries, depending on the type of data we're talking about, and if you don't make a reasonable argument of why the method you're using to protect it is enough to satisfy those laws, you can find yourself in hot water.


Let me play this out loud, and tell me if my thinking is right...

To protect information, I ultimately need Privacy and Security.

According to some, if I use a Personal VPN, then I have Privacy (and probably Security) between my laptop and - in this case - WiTopia's servers.  Then from there, since I would be connecting to my Server over HTTPS, I should have Privacy and Security from WiTopia's Servers to my Web Hosting company and my Server, right?


I assume you don't have full control over the server you want to manage?


I have a Virtual Private Server (VPS) with a major web hosting company in the U.S., so I have "Root" access.


If you do, I'd recommend OpenVPN with both password and certificate authentication, which should (if your own machine is fairly locked down) provide decent security. I'd still consider asking legal advice over the customer data transmission (and storage) aspect though.


What is the difference between OpenVPN and say WiTopia or Hide-My-Ass?


BTW, as far as "Customer Data".  It will always include basic things like you'd find on this forum (Username, Encrypted Password, Bio Info), and later on there will be an E-commerce site, but I will never store credit card info, and all purchases are one-off's, so it isn't like I'm storing billing info like Amazon.com would.

As long as I can't be hacked between my laptop and WiTopia, I think that should be my main emphasis.  But then I'm not a networking or security expert like you guys?!


Tom
<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Thu Apr 18, 2013 10:59 am

Re: Personal VPN and Managing Server

chrisj wrote:What I would do, would be to set up OpenVPN like UKSecurityGuy said.

Much more convoluted, I would look in to getting all traffic not just web traffic going over the VPN connection. It would be rather embarrassing if the browser was safe, but everything else like Toad, SSH, FTP, etc went over the public internet (yes ssh is encrypted, but doesn't mean you want people to know what server you went to).

I would set things up with 2 boxes:
1: a Server running OpenVPN, with 2 ports. One with an outside connection to connect to, and one with a connection to where I need to work.

2: the servers I worked on, only accept administrative remote connections (FTP, SSH, RDP, etc) from the address of the OpenVPN box.


I think you guys are missing some key things to my situation...

I am a computer consultant whose life was upended when the "Great Recession" hit.  The last 4 years have been hopping from short-term contract to short-term contract across the U.S. 

I lost my place when the market crashed, so I literally "live on the road" without a permanent residence.  :(

So, there is no way to have "servers at home" and a lot of infrastructure you guys assume.

When I am not working a day job or busy looking for a new day job, I am trying to start an online business with the hopes I can return to a more stable life.

So, there is Tom, Tom's Laptop, Tom's Virtual Private Server (VPS) with BigUSHostingCompany and lots of dangerous airspace in between!!

It sounds like many think that buying some "Personal VPN" like Hide My Ass or WiTopia (my choice) would be most of the battle.

I was considering getting a Wireless Plan with Verizon, but I am not sure I want to commit that much of my limited resources to a wireless contract, and I also found the application process to be really obnoxious and intrusive.  (And since I don't have a "permanent residence", I doubt they would sell me a plan anyways...)

Challenging, eh?!

As I see it, there is POSSIBLE and PROBABLE.

I want to be *ethical* in my security choices, but I also have to be realistic, even if I did have a house and a more stable situation.  (I can never be as secure as someone with a multi-million dollar security budget and 24/7 staff...  And yet, I bet you my currently hand-coded website is more secure than a lot of my multi-million dollar client's sites...)

So I am here because I DO care.

I am hoping there are some reasonable steps I can take to protect myself and my customer's data (Pretty much Usergroup type data), but not set the bar so high that things never happen.

Make sense?


Tom
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Apr 18, 2013 11:22 am

Re: Personal VPN and Managing Server

Are you concerned about your hosting provider eavesdropping on your traffic (if so, you should probably change providers)?

Just use your VPS; that's what I do. If you're only interested in protecting web traffic, it's trivial to use SSH as a SOCKS proxy. I'm not sure about other browsers, but Firefox lets you force DNS queries through SOCKS as well, so the network operator for whatever network you're on can't even see the sites you're trying to access, let alone the actual network communications.

If you need something more robust, implement OpenVPN. You're overcomplicating this; you can set up what you need with no extra cost or equipment.
The day you stop learning is the day you start becoming obsolete.
<<

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Fri Apr 19, 2013 6:25 am

Re: Personal VPN and Managing Server

Just to take this back to basics for my understanding.....


You're on the road all of the time, with your own laptop, but with no internet connectivity.

You use free wireless hotspots (McDonalds et al) to get internet connectivity, but you're concerned that providers/users of those wireless hotspots will manipulate/spy on your data.

You have access to a VPS, and you're unconcerned about the VPS provider spying/manipulating your data

You have a hosted Ecommerce system somewhere that you're building, and your traffic between your machine and this Ecommerce system is encrypted (HTTPS).


In which case the advice I would give is the same as ajohnson's....use the VPS. Set up OpenVPN (which is essentially the same as other VPN providers, except that it's free and you control all of the security around it) and Squid on the VPS. Have your browser proxy all of its connections through Squid so that all of your web browsing is protected.


Essentially it's what I'm doing at the moment (although I have a stack more infrastructure running on the VPS) which protects my data when I'm anywhere away from home.


Plus it's a good learning experience!


If that's a bit too complicated for you, OpenSSH (as ajohnson said) works nearly as well.
<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Sat Apr 20, 2013 12:19 pm

Re: Personal VPN and Managing Server

UKSecurityGuy wrote:Just to take this back to basics for my understanding.....


You're on the road all of the time, with your own laptop, but with no internet connectivity.


Correct.


You use free wireless hotspots (McDonalds et al) to get internet connectivity, but you're concerned that providers/users of those wireless hotspots will manipulate/spy on your data.


Correct.


You have access to a VPS, and you're unconcerned about the VPS provider spying/manipulating your data


Hang on.

I have a Virtual Private Server with a major U.S. Hosting Company.

Actually, this point, like most, is probably above my head...

Since I am using a VPS on THEIR Servers, in THEIR Environment, in THEIR Data Centers, I guess, "Yes", I do trust them.

Should I not?

While I encrypt User Passwords, it is not like I have encrypted my entire database. 

And by definition, you couldn't encrypt your website's code.

(This is probably a whole other thread...)

What I do now - after I've let everyone jump on board my UNsecured MacBook, is to use either Plesk to access my Web Hosting Account with my Web Host, or for actually working with things like files, I use Secure FTP.

But back to what I believe to be your original question, yes I am assuming that I can trust my Hosting Company.  (If you couldn't, you'd be in trouble...)


You have a hosted Ecommerce system somewhere that you're building, and your traffic between your machine and this Ecommerce system is encrypted (HTTPS).


I have an SSL certificate, and if a user goes to "Check out", then they are switched from an HTTP connection to an HTTPS connection, so that all communications from their computer - assuming it wasn't hacked at McDonalds too - and my website on my VPS on my Hosting Company's system is "secure".

Is that what you were asking?


In which case the advice I would give is the same as ajohnson's....use the VPS.


Not trying to be a wiseguy, but that makes no sense...

A "Virtual Private Server" (VPS) is a virtual share on a physical server.

It has NOTHING to do with security...


I have been asking if a "Personal Virtual Private NETWORK" (VPN) by itself is secure to use on a Free Wi-Fi Network.

Completely different concepts...


Set up OpenVPN (which is essentially the same as other VPN providers, except that it's free and you control all of the security around it)


Yeah, but WiTopia is only like $50/year, and I'm probably not smart enough to set up my own OpenVPN.

PLUS, after reading things, the reason for my points above are that "I have no way to host a physical server back home, because there isn't one..."

So I don't see how OpenVPN would help?


and Squid on the VPS.


What does that mean?!


Have your browser proxy all of its connections through Squid so that all of your web browsing is protected.


I don't understand how that relates to something like WiTopia or Hide My Ass, and why it would be better?


Essentially it's what I'm doing at the moment (although I have a stack more infrastructure running on the VPS) which protects my data when I'm anywhere away from home.

Plus it's a good learning experience!


I'm all about learning, but everyone here should know I'm really not qualified to do much of anything with security or networking...

I am just a serious consumerist trying to establish a reasonable amount of Privacy and Security, and avoid having a Data Breach with my Website's Data and Users...

I am also looking for solutions that are easy enough to implement, that I won't F*** them up and put myself at GREATER RISK than before, if you follow me...


If that's a bit too complicated for you, OpenSSH (as ajohnson said) works nearly as well.


Again, I'm not following that...


But coming back to my OP...

Could a person - who is not worried about the Feds, and who is not doing anything illegal - establish enough Privacy and Security using just a "Personal VPN" (e.g. WiTopia) and Free Wi-Fi (e.g. McDonalds), to be able to ethically manage a Website with limited User Personally Identifiable Information?

Also, could a person do Online Banking, Shopping Online, etc. worry free?

I think my fear about connecting to the Internet via Free Wi-Fi while using WiTopia or HideMyAss, is that a hacker could somehow break up the "handshake" before I establish a "secure tunnel"...

If I had a JetPack from Verizon, in theory, unless you were sitting within 50 feet of me, and you knew my SSID, and you knew my passcode, then you couldn't break into Verizon's Wireless Network - at least not on my end.

By contrast, I just worry that it would be easier to hack into my WiTopia "secure tunnel" at McDonalds.

I do think that if a person truly established a "secure tunnel" with either Verizon or WiTopia, that either "secure tunnel" would be equally secure.

Although, the advantage of WiTopia, is that in practice, they are not logging the fact that I am a closet Justin Bieber freak...  *JUST KIDDING*

Does all of that make sense?!


Tom
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Apr 20, 2013 12:49 pm

Re: Personal VPN and Managing Server

Do you have SSH on your VPS?

If so, just open up a command prompt and type: ssh user@yourvps.com -D8080

Type in your password, and once you authenticate, go to Firefox (Preferences > Advanced > Network > Settings) and set your SOCKS proxy to be localhost on port 8080.

Done. Now your web traffic is sent through an encrypted tunnel between you and your VPS.

Go to ipchicken.com or a similar site, and you will see your VPS' IP instead of McDonalds' or wherever you are.

Otherwise, go with one of the pay services if that makes you more comfortable.
The day you stop learning is the day you start becoming obsolete.
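
Why the "force DNS queries through SOCKS" point in dynamik's posts matters, as an added example that is not part of the thread: it builds the SOCKS5 CONNECT request (RFC 1928) a browser hands to the `ssh -D` listener in both modes and records what the local network gets to see. The hostname and the `FAKE_DNS` table are constructed; in Firefox the corresponding preference is `network.proxy.socks_remote_dns`.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

# Constructed name-to-address table standing in for the hotspot's DNS resolver.
FAKE_DNS = {"shop.example.com": "198.51.100.7"}


def build_connect(host, port, remote_dns, local_lookups):
    """Build the SOCKS5 CONNECT request a client sends to the proxy.

    remote_dns=True : the hostname travels inside the tunnel (ATYP 0x03).
    remote_dns=False: the client resolves first, so the name is appended to
                      local_lookups (a cleartext DNS query on the Wi-Fi).
    """
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        local_lookups.append(host)
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(FAKE_DNS[host]).packed
    return head + addr + struct.pack("!H", port)


def parse_connect(req):
    """Decode a CONNECT request as the proxy end receives it."""
    if len(req) < 5 or req[0] != 5 or req[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        n = req[4]
        if len(req) != 5 + n + 2:
            raise ValueError("truncated domain request")
        target, who = req[5:5 + n].decode("ascii"), "proxy"
    elif atyp == ATYP_IPV4:
        if len(req) != 10:
            raise ValueError("truncated IPv4 request")
        target, who = str(ipaddress.IPv4Address(req[4:8])), "client"
    else:
        raise ValueError("address type not handled in this sketch")
    (port,) = struct.unpack("!H", req[-2:])
    return {"resolved_by": who, "target": target, "port": port}


if __name__ == "__main__":
    for remote in (True, False):
        seen_on_wifi = []
        req = build_connect("shop.example.com", 443, remote, seen_on_wifi)
        print("remote_dns =", remote, parse_connect(req),
              "| names visible on local network:", seen_on_wifi)
```
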
<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Sat Apr 20, 2013 9:51 pm

Re: Personal VPN and Managing Server

ajohnson wrote:Do you have SSH on your VPS?


I had my Web Host set up FileZilla with SecureFTP for me, but I don't know anything about SSH?!


Tom
<<

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Mon Apr 22, 2013 7:41 am

Re: Personal VPN and Managing Server

Ok - as this thread is rapidly spiralling out of control.


  Code:
Is using WiTopia better than using an unsecured access point?

Yes (probably)

  Code:
Is using WiTopia secure enough to manage my VPS

Depends on how much you trust WiTopia not to sniff your traffic, but it sounds like you're down to a "this or no protection" scenario, then, yes (probably)


Note I've put a lot of (probably) statements in there. WiTopia could be sniffing all of their outgoing traffic, so they've got a higher probability of stealing your data than random joe getting lucky at a starbucks.

A security professional should only trust the security they've put in themselves (and even then you probably shouldn't trust it, be paranoid), which is why we've been suggesting OpenVPN or SSH tunnels.


Oh and just to clarify my earlier statement:

Not trying to be a wiseguy, but that makes no sense...

A "Virtual Private Server" (VPS) is a virtual share on a physical server.

It has NOTHING to do with security...


What I meant was - you control the VPS, so install security software on there (SSH/OpenVPN) and then send all of your traffic through that VPN tunnel.

Hope that helps.
<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Mon Apr 22, 2013 9:54 am

Re: Personal VPN and Managing Server

UKSecurityGuy wrote:Ok - as this thread is rapidly spiralling out of control.


Not trying to make it so.


  Code:
Is using WiTopia better than using an unsecured access point?

Yes (probably)

  Code:
Is using WiTopia secure enough to manage my VPS


Depends on how much you trust WiTopia not to sniff your traffic, but it sounds like you're down to a "this or no protection" scenario, then, yes (probably)


Wow, you are down on WiTopia!

Let me rewind...

As I understand things - which doesn't mean much - when I connect to my Server using FileZilla with SecureFTP, I have a "secure tunnel" from my Laptop to my Server.

That being said, I don't see why you keep saying, "If you can trust WiTopia not to sniff your data"?

(Even if they did, in theory, they would just see encrypted packets, right?)

My whole angle and paranoia with Free Wi-Fi and a Personal VPN is that something could get screwed up during the handshake with WiTopia while at McDonalds.

I am not questioning the security/privacy of the encrypted tunnel between me and WiTopia. 

(And I am not questioning the security/privacy of the encrypted tunnel between my FileZilla and my Server.)

What I am worried about - because of my sheer ignorance on these topics - is that *maybe* it is much easier to "jump on board" at McDonalds when I do anything on the UN-secured Free Wi-Fi, even if I start using WiTopia from the get-go.

Follow me?

(I am assuming that it is MUCH harder to hack into the handshake process between, say, my Laptop and a Verizon JetPack and Verizon's 4G Network.)

Follow me?

Obviously I could have this all wrong, and thus is why I'm being a pest here.


Note I've put a lot of (probably) statements in there. WiTopia could be sniffing all of their outgoing traffic, so they've got a higher probability of stealing your data than random joe getting lucky at a starbucks.


SecureFTP with my Server should handle that.  And for everything else, if WiTopia was indeed sniffing people's communications, they wouldn't be in business very long...


A security professional should only trust the security they've put in themselves (and even then you probably shouldn't trust it, be paranoid), which is why we've been suggesting OpenVPN or SSH tunnels.


I apologize if I missed something you said, BUT I thought you or someone else made it sound like I needed a Physical Server back home to use OpenVPN...  (Remember, I don't have that...)

Did I misunderstand you?


Oh and just to clarify my earlier statement:

Not trying to be a wiseguy, but that makes no sense...

A "Virtual Private Server" (VPS) is a virtual share on a physical server.

It has NOTHING to do with security...


What I meant was - you control the VPS, so install security software on there (SSH/OpenVPN) and then send all of your traffic through that VPN tunnel.

Hope that helps.


Well, like I said above, my Web Host helped me set up FileZilla so it uses SecureFTP which is supposed to give me an encrypted tunnel between me and my Server.  (I'm not sure how that relates to SSH or OpenVPN...)


Tom
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon Apr 22, 2013 11:38 am

Re: Personal VPN and Managing Server

Tom,

May be a little behind here, but you can fake the infrastructure using VPS systems. Put your OPEN VPN on a vps. While the cloud likes to rain on us, for some things it can be leveraged.
OSWP, Sec+
