Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Do you need a firewall if you have a VPN?


  • Please log in to reply
16 replies to this topic

#1 Deleted

Deleted

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 AM

Posted 21 February 2015 - 08:52 PM

Sorry for the bad title and if I posted in the wrong forum, wasn't sure where this question would fit best. Anyways, my VPN's instructions for setting up comodo firewall to only allow vpn traffic is to have an allow all traffic going through the vpn rule. I'm guessing this rule will provide no firewall protection for traffic going through my vpn (all of my traffic) so I was wondering if that is a security threat? Does my VPN somehow act as a firewall? By the way, I have a router.



BC AdBot (Login to Remove)

 


m

#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:37 PM

Posted 22 February 2015 - 01:10 PM

This is a subscription you have with a VPN provider? Not a corporate VPN?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Deleted

Deleted
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 AM

Posted 22 February 2015 - 01:15 PM

This is a subscription you have with a VPN provider? Not a corporate VPN?

Yes, I'm subscribed with AirVPN.



#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:37 PM

Posted 22 February 2015 - 01:42 PM

I looked at their site and saw that they only do remote port forwarding when you configure this explicitly.

But I did not find a section on Comodo in their help files. Can you tell me where you found it?

 

When you are connected to your VPN, can you open Windows' Network and Sharing Center and look under "View you active networks"? (that's for Windows 8).

What information is listed under your AirVPN connection? For example, does it say Public network, Private Network, ... ?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 Deleted

Deleted
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 AM

Posted 22 February 2015 - 02:41 PM

I looked at their site and saw that they only do remote port forwarding when you configure this explicitly.

But I did not find a section on Comodo in their help files. Can you tell me where you found it?

 

When you are connected to your VPN, can you open Windows' Network and Sharing Center and look under "View you active networks"? (that's for Windows 8).

What information is listed under your AirVPN connection? For example, does it say Public network, Private Network, ... ?

Heres the link to the guide: https://airvpn.org/topic/3405-windows-comodo-prevent-leaks/

 

It says public network. Also, I am not currently forwarding any ports by the way.


Edited by Deleted, 22 February 2015 - 02:42 PM.


#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:37 PM

Posted 22 February 2015 - 02:59 PM

OK, I see. This Comodo configuration recommended by AirVPN is to prevent DNS leaks and leaks in case of an unexpected VPN disconnection.

You understand what these leaks are? I can explain it if you want.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 Deleted

Deleted
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 AM

Posted 22 February 2015 - 03:17 PM

OK, I see. This Comodo configuration recommended by AirVPN is to prevent DNS leaks and leaks in case of an unexpected VPN disconnection.

You understand what these leaks are? I can explain it if you want.

Isn't DNS leak where people can find out your real IP address and location if your DNS servers are not configured properly so it still shows your ISP DNS? And then the other leak is if something gets through without going through your vpn which would then "leak" your real IP address?



#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:37 PM

Posted 22 February 2015 - 03:28 PM

Before I answer that, I have a question.

What I get from your explanation, is that your concern is that the servers to which you connect see your real IP address (i.e. the public IP address assigned to you by your ISP)?

Your concern is not that your ISP sees to which servers you are connecting? Because then DNS-leaks are not a concern to you.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#9 Deleted

Deleted
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 AM

Posted 22 February 2015 - 03:43 PM

Before I answer that, I have a question.

What I get from your explanation, is that your concern is that the servers to which you connect see your real IP address (i.e. the public IP address assigned to you by your ISP)?

Your concern is not that your ISP sees to which servers you are connecting? Because then DNS-leaks are not a concern to you.

Sorry, I don't really understand your question. I don't want websites and internet programs, etc to see my real DNS server or real IP that has been given to me by my ISP for privacy reasons. I was wondering if it would be safe to set comodo firewall up the way airvpn instructed and if it would cause any security issues.



#10 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:37 PM

Posted 22 February 2015 - 04:16 PM

Websites don't see your real DNS server. They see your real IP address: this is called the public IP address assigned to you by your ISP.

 

If you use a VPN, then they see the IP address of your VPN provider, not your public IP address.

AirVPN wants to address the following problem (amongst others) when you use their service by configuring Comodo:

 

Say you are downloading from a website through the VPN tunnel. And you are using a downloader program that automatically resumes the download when interruptions occur.

Now, for whatever reason, your VPN connection gets interrupted. You are no longer using the VPN tunnel, because it is down.

Then your downloader program will notice that the connection was interrupted, and establish a new connection to resume the download.

But since your VPN tunnel is down, you will connect directly from your machine to the web-server, hence the web-server will register your public IP address.

 

AirVPN's suggested Comodo configuration is designed to prevent this.

 

DNS-leaking is another problem they address with the configuration (but it's not a problem you are concerned about).

DNS leaks occur when your machine has a VPN tunnel, but makes DNS requests that don't go through the tunnel (but via your public IP address).

 

Disclaimer: I only took a superficial look at AirVPN's recommended Comodo configuration. But they make a good impression.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#11 Deleted

Deleted
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 AM

Posted 22 February 2015 - 04:41 PM

Websites don't see your real DNS server. They see your real IP address: this is called the public IP address assigned to you by your ISP.

 

If you use a VPN, then they see the IP address of your VPN provider, not your public IP address.

AirVPN wants to address the following problem (amongst others) when you use their service by configuring Comodo:

 

Say you are downloading from a website through the VPN tunnel. And you are using a downloader program that automatically resumes the download when interruptions occur.

Now, for whatever reason, your VPN connection gets interrupted. You are no longer using the VPN tunnel, because it is down.

Then your downloader program will notice that the connection was interrupted, and establish a new connection to resume the download.

But since your VPN tunnel is down, you will connect directly from your machine to the web-server, hence the web-server will register your public IP address.

 

AirVPN's suggested Comodo configuration is designed to prevent this.

 

DNS-leaking is another problem they address with the configuration (but it's not a problem you are concerned about).

DNS leaks occur when your machine has a VPN tunnel, but makes DNS requests that don't go through the tunnel (but via your public IP address).

 

Disclaimer: I only took a superficial look at AirVPN's recommended Comodo configuration. But they make a good impression.

Sorry, so it would be safe to follow those instructions? Wouldn't compromise security at all?


Edited by Deleted, 22 February 2015 - 04:41 PM.


#12 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:37 PM

Posted 22 February 2015 - 05:17 PM

So you have not yet configured your firewall as instructed by AirVPN?

 

I'm not familiar with Comodo firewall, but it seems to me that these rules are designed for VPN use only.

I understand that you will not be able to access the Internet unless you have a VPN tunnel. Is that what you want?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#13 Deleted

Deleted
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 AM

Posted 22 February 2015 - 05:50 PM

So you have not yet configured your firewall as instructed by AirVPN?

 

I'm not familiar with Comodo firewall, but it seems to me that these rules are designed for VPN use only.

I understand that you will not be able to access the Internet unless you have a VPN tunnel. Is that what you want?

I have not configured it yet.

 

And yes, I would like to only use my vpn for internet access.



#14 Deleted

Deleted
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 AM

Posted 24 February 2015 - 06:08 PM

So you have not yet configured your firewall as instructed by AirVPN?

 

I'm not familiar with Comodo firewall, but it seems to me that these rules are designed for VPN use only.

I understand that you will not be able to access the Internet unless you have a VPN tunnel. Is that what you want?

Sorry, so would it be safe to follow these instructions then security wise?



#15 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:37 PM

Posted 25 February 2015 - 11:49 AM

 

So you have not yet configured your firewall as instructed by AirVPN?

 

I'm not familiar with Comodo firewall, but it seems to me that these rules are designed for VPN use only.

I understand that you will not be able to access the Internet unless you have a VPN tunnel. Is that what you want?

Sorry, so would it be safe to follow these instructions then security wise?

 

 

They look OK to me, but like I said, I'm not very familiar with Comodo, so I can't guarantee that the rules are complete and consistent.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users