VPN Traffic Monitoring by Employer?

MoraisGT

Hi guys,

I hope that I'm not creating this thread in the wrong place, but here goes...

What I want to know is, if I am connected to a VPN can my employer see what I'm browsing?

I don't know for sure how the networking infrastructure/routes are set up in my company but it should be something along these lines:

- Employee PCs are registered on the Intranet server (which acts as the DNS for the intranet);

- All requests from employee PCs go through the Intranet server, which forwards said requests to the Communications server (possible proxy setup here). This server sends the requests to the actual Internet and then the process reverses.

I know for a fact that there is also a VPN but I doubt that the traffic from local PCs goes through it.

What do you guys think?

Thanks in advance!

Regards,

MoraisGT

A VPN connection makes the connection as if you are in the LAN, so if you are connected below the other servers, yes, they can do what they do to normal traffic.

What are you looking for?
Share on other sites

It all depends on what they're keeping for logs and if they even know how to access them, but ultimately the answer is yes, they can absolutely see everything you do on the internet while connected to the VPN if they really wanted.
Share on other sites

The VPN hardware we install for customers only shows the IP traffic / connection for the VPN not the "content".

Thanks for the input guys ;)

@mluton, @RobinHood5 Well what "worries" me is that all the servers, including the VPN and whatnot that "run" the company, all operate on a custom Linux-based operating system made BY the company itself :P

I don't know if this changes anything but I thought it would be worth pointing out.
Share on other sites

They can know what site you connected to but not the actual content. It's like your boss knows you went on Facebook but can't really see what's on your screen.

The Internet is invented by cats. Why? Why else would it have so much cat videos?

OK then, I understand that it would be a waste of time using a VPN at work.

I guess the only way to "hide" my browsing habits would be to, for example, connect to my home PC through TeamViewer and browse from it, right?
Share on other sites

A VPN will work, but if they monitor it they will see a connection back to your "home". That's if they allow their firewall to allow outgoing VPN connections.

TeamViewer will be your best bet to avoid your content being seen by a firewall; all they will see if they monitor is a TeamViewer session.
Share on other sites

If the employer is smart and has a semi-competent IT team then they can see everything you're doing over the VPN whether or not you encrypt it. It's not hard at all to inject their own certificates into your packets so they have the key to unencrypt them easily. Connecting through an RDP session is somewhat more secure, but keep in mind that they'll then have the login and password to your remote computer and can access it and the content at any time (not like they would, but a rogue admin can easily write this info down on a notepad and have some fun later).

-KuJoe

@mluton I don't have a VPN set up in my home. I use PIA.

@KuJoe Is it really that easy to inject certificates into a VPN tunnel?

For example, if I'm using public wifi at a mall and someone sees me connecting to a VPN, could they do that to be able to decrypt my traffic? Or is this a completely different situation?

Thank you for the info ;)
Share on other sites

3 hours ago, MoraisGT said:

@mluton I don't have a VPN set up in my home. I use PIA.

@KuJoe Is it really that easy to inject certificates into a VPN tunnel?

For example, if I'm using public wifi at a mall and someone sees me connecting to a VPN, could they do that to be able to decrypt my traffic? Or is this a completely different situation?

Thank you for the info ;)

The easiest solution is to, you know, actually work instead of surfing the Internet.

If you really feel the need to hide browsing from your employer, use your phone.
Share on other sites

20 minutes ago, beavo451 said:

The easiest solution is to, you know, actually work instead of surfing the Internet.

If you really feel the need to hide browsing from your employer, use your phone.

I was wondering when a comment like yours would turn up....

I don't work 9 hours straight, I do small pauses from time to time, plus the lunch break.

If you work from dawn to dusk continually then good for you, but that's not me.....

Plus I don't REALLY need to hide my browsing habits, we have a very open policy regarding this subject, I was just asking mostly out of curiosity (and a bit of paranoia :D).
Share on other sites

4 hours ago, MoraisGT said:

@KuJoe Is it really that easy to inject certificates into a VPN tunnel?

For example, if I'm using public wifi at a mall and someone sees me connecting to a VPN, could they do that to be able to decrypt my traffic? Or is this a completely different situation?

What gives them the ability to do it so easily is that they are in control of the network equipment that your computer must connect through to get internet access. Without this direct control someone would need to get between your traffic and the destination, DNS exploit, etc.

Network security people would call this SSL Inspection or Full SSL Inspection but that is just a pretty name for Man in the Middle Attack. Personally I'm in favor of not doing this kind of network inspection as it breaks the fundamental purpose of SSL, PKI, encryption, etc. and is an invasion of privacy. The use of it should only be done when absolutely required and in my opinion made very clear to users that it is in place and not to use internet banking etc.; having it on can be a legal risk if used improperly or not fully disclosed.

http://cookbook.fortinet.com/why-you-should-use-ssl-inspection/
Share on other sites

5 hours ago, MoraisGT said:

@KuJoe Is it really that easy to inject certificates into a VPN tunnel?

For example, if I'm using public wifi at a mall and someone sees me connecting to a VPN, could they do that to be able to decrypt my traffic? Or is this a completely different situation?

Thank you for the info ;)

Depending on the network setup it's really easy. If they use proxy/firewall appliances then it's even easier and probably built into the appliance. I agree with what @leadeater said, but some companies in certain sectors are required to do this in order to block certain traffic (this is especially important in the financial sector where data is heavily audited and the government needs to ensure there's nothing illegal going on like insider trading or Ponzi schemes, it's also common in sectors where the employer has a high liability like education and health, I have seen it at technical companies who take extreme measures to protect their intellectual property). I don't know how common it is in other sectors but having networked with a lot of IT professionals and done enough contract work, I've seen enough companies doing this where I would only access non-work related sites on a guest network and never the employee network.

-KuJoe
Share on other sites

2 hours ago, MoraisGT said:

I was wondering when a comment like yours would turn up....

I don't work 9 hours straight, I do small pauses from time to time, plus the lunch break.

If you work from dawn to dusk continually then good for you, but that's not me.....

Plus I don't REALLY need to hide my browsing habits, we have a very open policy regarding this subject, I was just asking mostly out of curiosity (and a bit of paranoia :D).

Then your employer would have no problem with you browsing the Internet from time to time.

Again, if you want to hide your browsing, then use your phone. You have no right to privacy on company-owned equipment.
