#1
Old 11-06-2012, 10:50 AM
Guest
Join Date: Nov 2012
Location: Pasadena
Posts: 23
Can my boss see this on my VPN/RDP

My Situation: I work from home and use a Cisco IPSec VPN using DHCP from both a Mac and PC to RDP/RDC to my office PC. I want to keep the VPN on the Mac connected all the time because I have to reboot nearly every time I disconnect and want to reconnect - long story.

My Question: Can my employer track activity like email, web surfing, writing the next great American novel, etc. on my home Mac or PC when I am connected to the VPN but not connected to the RDC? I am under the impression that I need to be inside the RDC for them to "see" what I am doing. Conversely, I believe that when I leave the VPN connected, like I want to, they cannot see what I am doing outside of the RDC window.

Not to seem ungrateful that you bothered to even read this thread, but I have found wildly conflicting answers to my Google search on this question. If someone has a pretty firm understanding of my question and a confident answer I'd appreciate it a lot. So if you have an IMHO or "Don't have any real experience with this situation" or "I'm not sure, but..." answer that is going to hijack this thread into another discussion, please hold off until we find a guru that can help. Just kinda anxious to get an answer.
#2
Old 11-06-2012, 10:58 AM
Guest
Join Date: Dec 2004
Posts: 816
So just to be clear, you VPN into your company network and then RDP your company desktop.
And you want to know if your company can track what you do if the VPN is active, but not the RDP.
The answer to that would be - it depends. Certainly they could track where you went that wasn't local to your machine (company network or Internet), whether they do or not is another question.
However, activities that are entirely local to your home machine (writing the great American novel, saving it on your local hard drive) shouldn't be trackable to them. That said I wouldn't do it - the chances of forgetting and going to some site you prefer they didn't know about your interest in seems too high.
#3
Old 11-06-2012, 11:00 AM
Guest
Join Date: Jan 2006
Location: Minnesota
Posts: 23
On your Windows machine at the command prompt type "tracert yahoo.com". The results will show you what machines are between you and Yahoo. The first machine will be your local router and the next machine will be your internet service provider IF your traffic is going directly to the Internet. Hopefully your responses will include named addresses rather than just IP addresses. If you can't distinguish those addresses, post your results.
#4
Old 11-06-2012, 11:16 AM
Voodoo Adult (Slight Return)
Charter Member
Join Date: Jul 2000
Location: Charlotte, NC, USA
Posts: 24,874
Quote:
Originally Posted by erpa View Post
hopefully your responses will include named addresses rather than just IP addresses.
FWIW, the version of tracert that XP uses defaults to showing hostnames if they are available, so that shouldn't be a problem. If you don't seem to get any hostnames (just IP addresses), type tracert /? to see if the version you're using has a switch you can turn on to show them.
#5
Old 11-06-2012, 11:16 AM
Guest
Join Date: Nov 2012
Location: Pasadena
Posts: 23
I ran the trace from the Mac - same as the PC version, and got IP #s instead of actual names for the first lines. Is it safe to copy and paste the results here?
#6
Old 11-06-2012, 11:25 AM
Guest
Join Date: Nov 2012
Location: Pasadena
Posts: 23
OK, cranked up the PC (Windows 7 Pro) and ran the trace in CMD there and found the first line, as stated by erpa, is my Local router, second looks like my ISP - located in Baltimore MD - very close to where I live. The next lines are similar. I am trying to cut and paste from the CMD window. Any ideas on how to get the info from there to here?
#7
Old 11-06-2012, 11:31 AM
Member
Join Date: Jul 2003
Location: Sacramento, CA
Posts: 7,805
Typically, connecting to a VPN results in all network traffic from your machine being redirected through the VPN. Basically, you set up a direct tunnel between your machine and your office, so that your machine virtually appears on the private (office) network. So, in that case, all network traffic from your computer goes first through the VPN to the network at your workplace, and then to the Internet via your work's ISP.

So the short answer is: yes, your boss can see your network traffic if he decides to look. He probably isn't actually looking, though it's quite possible that all the web sites you visit are being logged somewhere "just in case".
#8
Old 11-06-2012, 11:42 AM
Guest
Join Date: Jul 2007
Location: West Lothian
Posts: 2,574
Quote:
Originally Posted by DavidPeab View Post
OK, cranked up the PC (Windows 7 Pro) and ran the trace in CMD there and found the first line, as stated by erpa, is my Local router, second looks like my ISP - located in Baltimore MD - very close to where I live. The next lines are similar. I am trying to cut and paste from the CMD window. Any ideas on how to get the info from there to here?
To C&P from the Windows CMD you can use the menu at the top left corner of the CMD window. Choose Edit-Mark and use the shift-arrow keys to select. You can then choose Edit-Copy or just press enter to copy your selection.
#9
Old 11-06-2012, 11:45 AM
Guest
Join Date: Nov 2012
Location: Pasadena
Posts: 23
So I'm gonna type what seems pertinent to this issue line by line without the ping speeds or actual IP addresses - aargh BTW, this trace was performed with my VPN connected of course.

1. Wireless_Broadban_Router.home [IP#]
2. L100.BLTMD-VFTTP-32.verizon-gni.net [IP#]
3. G0-5-0-2.BLTMD-LCR-22.verizon-gni.net[IP#]
4. ae1-0.PHIL-BB-RTR1.verizon-gni.net [IP#]
5. so-8-0-3-0.RES-BB-RTR1.verizon-gni.net
6. s0-6-0-0-0.ASH-PEER-RTR1-rel.verizon-gni.net [IP#]
7. IP#
8. ae-6.pat.dcp.yahoo.com [IP#]
9. More yahoo.com listings code

Of note: No 2 IP addresses are the same and I do not see the IP I entered in Network Setup on the Mac or the Cisco VPN software on the PC. So, am I cool to do my own thing outside of my RDC - either turned off or minimized?
#10
Old 11-06-2012, 11:57 AM
Guest
Join Date: Nov 2012
Location: Pasadena
Posts: 23
Try again

Quote:
To C&P from the Windows CMD you can use the menu at the top left corner of the CMD window. Choose Edit-Mark and use the shift-arrow keys to select. You can then choose Edit-Copy or just press enter to copy your selection.
Thanks. Here is what I got - Full IP addresses deleted due to the same paranoia that started this thread.

Tracing route to ds-any-fp3-real.wa1.b.yahoo.com [98.139.183.X]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms Wireless_Broadband_Router.home [192.168.X.X]
2 6 ms 9 ms 4 ms L100.BLTMMD-VFTTP-32.verizon-gni.net [96.234.X.X]
3 8 ms 5 ms 9 ms G0-5-0-2.BLTMMD-LCR-22.verizon-gni.net [130.81.X.X]
4 46 ms 19 ms 23 ms ae1-0.PHIL-BB-RTR1.verizon-gni.net [130.81.X.X]
5 28 ms 23 ms 43 ms so-8-0-3-0.RES-BB-RTR1.verizon-gni.net [130.81.X.X]
6 13 ms 34 ms 15 ms so-6-0-0-0.ASH-PEER-RTR1-re1.verizon-gni.net [10.81.X.X]
7 12 ms 12 ms 11 ms 130.81.X.X
8 12 ms 12 ms 12 ms ae-6.pat1.dcp.yahoo.com [216.115.102.174]
9 39 ms 40 ms 34 ms ae-4.pat1.che.yahoo.com [216.115.101.153]
10 40 ms 43 ms 93 ms ae-5.pat2.bfz.yahoo.com [216.115.96.67]
11 110 ms 110 ms 38 ms ae-4.msr2.bf1.yahoo.com [216.115.100.73]
12 90 ms 51 ms 89 ms ae-4.msr1.bf1.yahoo.com [216.115.100.25]
13 40 ms 56 ms 41 ms et-18-25.fab4-1-gdc.bf1.yahoo.com [98.139.128.5]
14 81 ms 54 ms 78 ms po-12.bas2-7-prd.bf1.yahoo.com [98.139.129.195]
15 80 ms 447 ms 440 ms ir2.fp.vip.bf1.yahoo.com [98.139.183.24]

Trace complete.
#11
Old 11-06-2012, 03:35 PM
Guest
Join Date: Aug 2001
Posts: 7,083
Despite what was said above, it is quite common for VPN clients to be configured so that only company traffic goes via the VPN, and everything else goes via your local router as usual, a set-up known as split tunnelling. That appears to be the case here.

But that doesn't necessarily mean that your company's VPN software isn't logging activity of various sorts. Some VPN products allow the administrator to enforce things such as anti-virus or anti-malware compliance on client devices, for example. Who knows what such software might report back to base?

Last edited by Ximenean; 11-06-2012 at 03:37 PM.
#12
Old 11-06-2012, 05:14 PM
Guest
Join Date: Feb 2009
Posts: 13,239
It's possible for the VPN to allow the company to put an activity tracker on your PC or Mac - but the legality of that would be questionable, especially without notification. It's your computer, you did not agree to have your personal activity tracked, it's not a common function (I haven't heard of it being a usual activity to put a bug on someone's home PC), etc.

However, it might happen that something gets pushed out to your PC by accident, but usually this is a group policy from the domain, and your PC is not in the domain.

As mentioned above - it does not appear that ALL traffic goes through the VPN while you are connected. If it did, they could track your internet action since it would go out their firewall/proxy. But, since your yahoo traffic simply goes out your router to your ISP, you are still private.
#13
Old 11-06-2012, 05:39 PM
XT
Agnatheist
Charter Member
Join Date: Apr 2003
Location: The Great South West
Posts: 32,511
Quote:
My Question: Can my employer track activity like email, web surfing, writing the next great American novel, etc. on my home Mac or PC when I am connected to the VPN but not connected to the RDC? I am under the impression that I need to be inside the RDC for them to "see" what I am doing. Conversely, I believe that when I leave the VPN connected, like I want to, they cannot see what I am doing outside of the RDC window.
As others have said, it depends. If you have split tunnel VPN set up on your network (most likely you do, though it's not the default on CISCO ASA or PIX firewalls, IIRC), as ximenean said, then your web traffic will go out your local ISP connection and so your boss wouldn't be able to see that...it would be exactly the same as if you just used your home connection without establishing the VPN tunnel. If you don't have split tunneling set up, though, then yeah...they would be able to see what your web traffic was, assuming they wanted to and have some capability to do so.

Quote:
Not to seem ungrateful that you bothered to even read this thread, but I have found wildly conflicting answers to my Google search on this question. If someone has a pretty firm understanding of my question and confident answer I'd appreciate it a lot. So if you have a IMHO or "Don't have any real experience with this situation" or "I'm not sure, but..." answer that is going to hijack this thread into another discussion please hold off until we find a guru that can help. Just kinda anxious to get an answer.
Well, like has been said, the real answer is 'it depends', because only your IT guys know how they have it set up. That's part of why you get conflicting answers on Google (and here too), because there isn't a definitive answer. The other reason, of course, is that a lot of people think they know how things like VPN work, but actually they don't.

Last edited by XT; 11-06-2012 at 05:40 PM.
#14
Old 11-06-2012, 05:51 PM
Guest
Join Date: Nov 2012
Location: Pasadena
Posts: 23
Quote:
a lot of people think they know how things like VPN work, but actually they don't
I know I don't. Well not the really technical details. I guess I could ask the IT department about it, but that might raise some suspicions. Unwarranted of course - just in case they CAN see this.

My employer is pretty cool to begin with. In the 21 years I've worked there we get a notice about every 9 months saying something like "Look people, we know you like YouTube, but stop downloading entire movies because it's killing our bandwidth." Since I am working on my own paid for computers on my own paid for FIOS connection using a lot of my own paid for software in my own private home, I'm gonna take my chances. I always make it a point to do personal stuff on my home PCs and not the one in the office connected through the RDC.

Thanks for all your help. And of course if anyone else has more advice, I'm listening.
#15
Old 11-06-2012, 06:01 PM
Guest
Join Date: Apr 2007
Posts: 3,457
Quote:
Originally Posted by DavidPeab View Post
I know I don't. Well not the really technical details. I guess I could ask the IT department about it, but that might raise some suspicions. Unwarranted of course - just in case they CAN see this.
You could phrase the question in terms of saying you stream Pandora constantly or stream lots of Netflix in your off hours, and would hate to inadvertently waste the company's bandwidth, so does non-RDC traffic go through their network or is it private? That wouldn't guarantee a useful answer to whether it's possible for them to see it, but I think it would avoid raising suspicions.
#16
Old 11-06-2012, 06:10 PM
Guest
Join Date: Nov 2012
Location: Pasadena
Posts: 23
It's a good approach. I thought about it and figure they'd just tell me to get off of the VPN. Then I'd say, "Well I have to reboot the Mac every time I want to log back on, and it's a real pain." Then they'd say, "We don't support Mac so use your PC and get a haircut you hippie." Well, I added that last part. I do graphic design, so I prefer the Mac for that. Although I also like my PC just as well. Just not so much for artsy-fartsy design stuff.
#17
Old 11-07-2012, 03:51 AM
Member
Join Date: Apr 2002
Location: Edmonton
Posts: 3,835
I've no idea about how Cisco VPNs work by default, but if anyone is wondering about Windows, it will route traffic via VPNs by default; you can stop it by going to the VPN IPV4/6 Properties, selecting "Advanced", and unchecking "Use default gateway on remote network".
#18
Old 11-07-2012, 12:12 PM
Guest
Join Date: Nov 2012
Location: Pasadena
Posts: 23
SOLVED: I stopped using the Mac OS X built in VPN and installed Cisco's VPN for Mac and it seems to be more stable (Not a surprise). I even found a more "Mac-like" icon to use.
#19
Old 11-07-2012, 12:43 PM
Guest
Join Date: Feb 2009
Posts: 13,239
IIRC if you have a split tunnel, then you can get to other machines on the home network (including the home router management web page).

In my experience, when the more secure dedicated tunnel VPN is activated, you cannot even access your home network. This is logical security - they don't want a computer that is talking both on the corporate network and on a network they have no control or security set up for. It's basically like leaving the side door to their business unlocked.
#20
Old 11-07-2012, 05:32 PM
Member
Join Date: Jul 2000
Posts: 974
Isn't DavidPeab connecting to the VPN through his internet connection with his local ISP? If that's the case, what's telling the browser on his home computer to use his work gateway instead of his ISP? His internet browsing would be much slower if it was going through the VPN.

David, for a definitive answer, you need to compare the traceroute when you're not connected to the VPN, with a traceroute when you ARE connected. If the two are roughly identical, with no stop at your office Gateway, you have nothing to worry about. I hope you post the result, I'm very curious.
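One way to carry out the comparison suggested in this post, as an added example that is not part of the thread: a small Python parser for tracert output that compares the first answering hops of a VPN-off run and a VPN-on run to the same Internet host. Both trace texts, and every hostname and address in them, are constructed for the example.

```python
import re

# Constructed tracert output for a run with the VPN disconnected (hostnames and
# addresses are invented for this example; 192.168.1.1 plays the home router).
TRACE_VPN_OFF = """\
Tracing route to www.example.test [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  Wireless_Broadband_Router.home [192.168.1.1]
  2     6 ms     9 ms     4 ms  L100.BLTMMD-VFTTP-32.isp.example [198.51.100.1]
  3    12 ms    12 ms    12 ms  edge.example.test [203.0.113.10]

Trace complete.
"""

# Constructed output for a full-tunnel VPN: the first hop is now the VPN gateway's
# tunnel address, i.e. the packet entered the tunnel before reaching the home router.
TRACE_VPN_ON = """\
Tracing route to www.example.test [203.0.113.10]
over a maximum of 30 hops:

  1    35 ms    33 ms    34 ms  10.8.0.1
  2    36 ms    35 ms    37 ms  corp-fw.corp.example [10.8.1.1]
  3     *        *        *     Request timed out.
  4    41 ms    40 ms    42 ms  edge.example.test [203.0.113.10]

Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # rows start with the hop number
NAMED_RE = re.compile(r"(\S+)\s+\[([\d.]+)\]\s*$")  # 'hostname [address]' at row end


def parse_tracert(text):
    """Return [(hop, hostname_or_None, address_or_None), ...] from tracert output.
    Handles 'host [addr]' rows, bare-address rows and 'Request timed out.' rows."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner lines, blanks, 'Trace complete.'
        num, rest = int(m.group(1)), m.group(2).strip()
        if rest.endswith("Request timed out."):
            hops.append((num, None, None))
            continue
        named = NAMED_RE.search(rest)
        if named:
            hops.append((num, named.group(1), named.group(2)))
        else:
            hops.append((num, None, rest.split()[-1]))  # bare address, no hostname
    return hops


def tunnel_mode(trace_vpn_off, trace_vpn_on, hops_to_compare=2):
    """Compare the first answering hops of two traces to the same Internet host.
    Identical first hops: Internet traffic still leaves via the home router
    (split tunnel). Different: it is sent into the VPN first (full tunnel)."""
    def leading(trace):
        addrs = [a for _, _, a in parse_tracert(trace) if a is not None]
        if not addrs:
            raise ValueError("no answering hops found in trace")
        return addrs[:hops_to_compare]
    return "split" if leading(trace_vpn_off) == leading(trace_vpn_on) else "full"
```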
#21
Old 11-07-2012, 07:04 PM
Guest
Join Date: Jan 2006
Location: Minnesota
Posts: 23
David, it looks to me like you in fact are doing split tunnel so that your internet bound traffic is going out your ISP, not through your company.

I've managed head-end remote access VPN in a large enterprise, and although it's not impossible to replicate your traffic so that it goes down both forks (allowing them to monitor you), it is highly improbable that they would be doing that. It would take administrative rights on your machine to push policies and software, in addition to expensive support on the head end side. And what do they stand to gain from that expensive effort?

I do admire your concern. People who are careless with technology become responsible for restrictive rules that end up removing lots of the benefits that technology should provide.
#22
Old 11-07-2012, 08:37 PM
Member
Join Date: Jul 2000
Posts: 974
How does the VPN client take over one's internet connection so that other programs, like one's browser, can't access it directly? How does this "tunnel" (which is just a bunch of packet data) exert control over its carrier (TCP/IP) connection, which it needs in order to exist?

Erpa, why does it look to you like he's got a "split-tunnel", except for the fact he's not complaining about the slowness of his internet connection? How did you come to that conclusion?

It's been a while since I took my Cisco router classes, but a check with http://en.wikipedia.org/wiki/VPN, specifically the example given, shows that there is no indication that the VPN client on the home computer can or would redirect the internet connection.
#23
Old 11-07-2012, 08:57 PM
XT
Agnatheist
Charter Member
Join Date: Apr 2003
Location: The Great South West
Posts: 32,511
Quote:
Originally Posted by Rusalka
How does the VPN client take over one's internet connection so that other programs, like one's browser can't access it directly? How does this "tunnel" (which is just a bunch of packet data) exert control over its carrier (TCP/IP) connection which it needs in order to exist?
Might help to start with what a VPN tunnel is. Here:

Quote:
Virtual private network technology is based on the idea of tunneling. VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side.
So, what's happening in simple terms is that when you run a VPN client, it's creating a virtual connection between your PC and the gateway device. All its outbound traffic is being encrypted and sent over this virtual tunnel from your PC to the gateway.

Unless of course the client supports a split tunnel...in which case the client (based on rules that reside on the gateway...in this case probably an ASA or PIX since we are talking CISCO) decides whether the traffic you are sending is to the local (private) network you are trying to attach to (say, the email server, or domain server, or some other services server inside the firewall of the target network you are trying to VPN into) or if you are trying to hit alt.sex.farmanimals.com (totally made that up btw)...in which case that doesn't go through the tunnel and instead is simply sent directly to the ISP you are connecting to.

Quote:
Erpa, why does it look to you like he's got a "split-tunnel", except for the fact he's not complaining about the slowness of his internet connection? How did you come to that conclusion?
Well, most organizations that use a CISCO firewall set up the rules that allow the client to do a split tunnel. It's pretty easy to do. I don't know where Erpa drew this conclusion, but it seems reasonable...and the OP is now actually using the CISCO IPSEC client (which, btw, I believe CISCO is going to be discontinuing sometime in the near future, at least that's my understanding) and is now reporting fewer problems.

Quote:
It's been a while since I took my Cisco router classes, but a check with http://en.wikipedia.org/wiki/VPN specifically the example given, shows that there is no indication that the VPN client on the home computer can or would redirect the internet connection.
You wouldn't have this on the router (well, unless you have a router that has the ASA or PIX firewall embedded). There are all sorts of guides, but here is a white paper on setting up split tunneling on an ASA/PIX firewall using ASDM v7.x, so you can get a feel for what is involved. It's pretty simple, and with the ASDM GUI it's almost laughably easy to configure.

Last edited by XT; 11-07-2012 at 08:57 PM.
#24
Old 11-08-2012, 02:46 PM
Guest
Join Date: Aug 2001
Posts: 7,083
Quote:
Originally Posted by Rusalka View Post
Erpa, why does it look to you like he's got a "split-tunnel", except for the fact he's not complaining about the slowness of his internet connection?
Because of the traceroute test. Despite being connected to the company VPN, it looks like the route to websites such as Yahoo is via the physical router and ISP.

Another way to check is to compare the operating system's IP routing table when connected to that when not connected. When not connected, there will be an entry saying something like

192.168.1.0 255.255.255.0 On-link 192.168.1.3

which means "send anything on the same network directly via your network adapter" (the adapter's address being 192.168.1.3), and another one saying something like

0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.3

which means "send everything else via the router at 192.168.1.254 (which is reached through your adapter at 192.168.1.3)". This corresponds to the "default gateway" setting.

When he connects to the VPN, it will typically modify the routing table. First, an extra, virtual adapter will be created with an address on the remote network, and an entry similar to the first one above will be added. Secondly, if the policy is for all traffic to go via the VPN, the second entry will be temporarily modified to refer to a router on the remote network.
If the policy is more selective, there may instead be entries for certain networks that are to be reached via the VPN, but the catch-all "0.0.0.0" entry will still point to your domestic router.

I have seen some VPN clients that seem to do network voodoo at a lower level than the routing table, but the above is how they often work.
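The routing-table comparison this post describes, worked through as an added example that is not part of the thread: a Python parser for the IPv4 rows of Windows "route print" that picks out the catch-all 0.0.0.0 entry before and after connecting, and reports whether the default gateway moved onto the VPN's virtual adapter (full tunnel) or only specific remote networks were added (split tunnel). The three table excerpts, the virtual adapter 10.8.0.5 and the VPN gateway 10.8.0.1 are constructed for the example.

```python
import ipaddress

# Constructed Windows 'route print' excerpts (addresses invented for this example).
# VPN disconnected: one catch-all route via the home router 192.168.1.254.
TABLE_VPN_OFF = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.3     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link       192.168.1.3    281
"""
# Split tunnel: the virtual adapter 10.8.0.5 appears, only the corporate 10.20.0.0/16
# is sent through it, and the catch-all entry still points at the home router.
TABLE_SPLIT = TABLE_VPN_OFF + """\
         10.8.0.0    255.255.255.0         On-link          10.8.0.5    281
        10.20.0.0      255.255.0.0         10.8.0.1          10.8.0.5     26
     203.0.113.50  255.255.255.255    192.168.1.254     192.168.1.3     25
"""
# Full tunnel: a lower-metric catch-all via the VPN gateway shadows the original one;
# the /32 to the gateway's public address keeps the tunnel's own packets on the ISP path.
TABLE_FULL = TABLE_VPN_OFF + """\
          0.0.0.0          0.0.0.0         10.8.0.1          10.8.0.5      1
         10.8.0.0    255.255.255.0         On-link          10.8.0.5    281
     203.0.113.50  255.255.255.255    192.168.1.254     192.168.1.3     25
"""


def parse_route_table(text):
    """Parse IPv4 rows of the form: destination netmask gateway interface metric.
    'On-link' means the destination network is directly attached to that interface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # banners, separators and the column header have other widths
        dest, mask, gateway, iface, metric = parts
        try:
            net, metric = ipaddress.ip_network(f"{dest}/{mask}", strict=False), int(metric)
        except ValueError:
            continue
        routes.append({"network": net, "gateway": gateway, "interface": iface, "metric": metric})
    return routes


def default_gateway(routes):
    """The 'default gateway': the lowest-metric 0.0.0.0/0 entry, as (gateway, interface)."""
    best = min((r for r in routes if r["network"].prefixlen == 0), key=lambda r: r["metric"])
    return best["gateway"], best["interface"]


def vpn_routing_change(table_before, table_after):
    """Classify what connecting the VPN did to the routing table."""
    before, after = parse_route_table(table_before), parse_route_table(table_after)
    gw_before, _ = default_gateway(before)
    gw_after, _ = default_gateway(after)
    new_ifaces = {r["interface"] for r in after} - {r["interface"] for r in before}
    # Remote networks reached through the new (virtual) adapter via a gateway on it.
    tunneled = sorted(str(r["network"]) for r in after
                      if r["interface"] in new_ifaces and r["gateway"] != "On-link"
                      and r["network"].prefixlen > 0)
    return {"mode": "full" if gw_after != gw_before else "split",
            "default_gateway": gw_after, "tunneled_networks": tunneled}
```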