
Using VPN to secure data sent over LAN to the internet

Status
Not open for further replies.

volunteercenter

IS-IT--Management
Nov 17, 2003
12
US
I'm trying to achieve the following setup:

(workstation) --encrypts data, so no sniffer can discover it on the local network--> (trusted server @ a remote location) --decrypts data and sends it over the internet to its destination--> (internet)

and vice versa for data coming back in.

The primary concern here is encrypting the data such that anyone on the LAN will not be able to sniff out what's being sent, including URLs, etc.

Is this possible by setting up the VPN client on the workstation and the server on the TRUSTED SERVER @ the remote location?

Any thoughts on how to go about this? I'm a bit puzzled... thanks and I appreciate any responses.
 
NOTE:

I'm basically trying to encrypt all data sent from one workstation so no one on the LAN can sniff it out.

(workstation) -encrypts-> (trusted system, decrypts data) -goes to destination on the internet-> (internet), and vice versa.

possible?
 
Any thoughts anyone? Suggestions on other technologies to look at to secure communications? I'm worried about LAN users sniffing out my data.
 
Maybe someone else can add to this, but here's what I see your problem is.

1. Your network admin/engineer will be able to see whatever he wants (if he/she knows how).

Ok..understanding that, the only way I can think of encrypting the URLs is to use a program that does the encryption BEFORE it leaves the PC.

Once a packet leaves the computer, it can be sniffed by anyone who has access to that LAN segment (and the ability/authority to do so).

If you're worried about sensitive information, you need to use some software (or hardware) that encrypts the data before it hits the network. We use some stuff like that for our clients, but I can't go into specifics.
 
Is this possible by setting up the VPN client on the workstation and the server on the TRUSTED SERVER @ the remote location?

Yes, it is.

the only way I can think of encrypting the URLs is to use a program that does the encryption BEFORE it leaves the PC.

Wouldn't that generally be the idea of using a VPN tunnel?
 
"Wouldn't that generally be the idea of using a VPN tunnel?"

Not necessarily. It depends. Where is the VPN tunnel created? On the PC or on the gateway?

If the tunnel is on the gateway (like most business networks), then the encryption takes place when the packet leaves the LAN. If the tunnel is created at the PC (like many home systems), then the encryption takes place on the PC.

You have to consider where the PC is physically and logically located on the network to understand how it communicates.

Another example... Say an executive VPNs from home to the company network. Encryption happens from home to company, but not after that point. Then, the same person goes out to a branch office across a site-to-site VPN managed by the company network.

Here's the encryption scheme....

Home to company...encrypted.
Company vpn server (from home) to gateway...not encrypted.
Gateway to branch office across VPN...encrypted...but unencrypted once it gets there.

You see...it really depends upon how and where your traffic is going.

If you absolutely have to have your data encrypted, you are going to have to encrypt it BEFORE it hits the switch you are connected to.

I can sniff any packet on any switch port on my network...and you would never know it. If it's not encrypted, I can read it.

The same thing happens where you are at.
 
From volunteercenter's original post . . . (workstation) --encrypts data, so no sniffer can discover it on the local network would indicate that the VPN client endpoint would be at an individual PC, not the gateway . . . --> (trusted server @ a remote location) --decrypts data would indicate a VPN server endpoint off premise and beyond the realm of a packet sniffer on the local network.
 
The solution I decided to use is SSH tunneling with a software called PuTTY. It does a port forwarding deal through an SSH connection.

I created a proxy with Apache, set up PuTTY to forward port 80 to 5050 on my local machine (the port which the proxy is set up on), and now for my proxy settings I'm using 127.0.0.1:5050. Same goes with ports 25 and 110 for mail.

It's a neat solution and only took a couple hours to understand and setup.

I appreciate the responses everyone, please let me know your thoughts and insights on the solution I'm using presently. Perhaps someone else perusing these forums may have a similar question.
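The same SSH port-forwarding setup, written as an added example (not from the poster or from PuTTY) using the OpenSSH command line instead of the PuTTY GUI. It assumes a trusted host named trusted.example.org with the Apache forward proxy listening on port 5050 and mail on 25/110 there (all assumed names and ports), and adds the two checks that matter for the LAN-sniffing threat model: the local listeners are bound to loopback only, and the server host key is verified before any data is sent.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the PuTTY local-forward setup.
# TRUSTED_HOST and SSH_USER are assumed values, not from the thread.
TRUSTED_HOST="trusted.example.org"
SSH_USER="you"

# Build one -L argument: bind_addr:local_port:dest_host:dest_port.
# Binding to 127.0.0.1 is deliberate: a listener on 0.0.0.0 would let
# any other host on the LAN ride the tunnel through your machine.
forward_spec() {
    # $1 = local port, $2 = destination host as seen from the SSH server,
    # $3 = destination port on that host
    printf '127.0.0.1:%s:%s:%s' "$1" "$2" "$3"
}

# Refuse any forward whose bind address is not loopback.
check_forward_spec() {
    case "$1" in
        127.0.0.1:*|localhost:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Assemble the ssh command line as a string for inspection.
# -N: forward ports only, no remote shell.
# StrictHostKeyChecking=yes: abort if the server key is unknown or has
# changed, so a machine on the LAN cannot silently stand in for the
# trusted server and read the "encrypted" traffic.
tunnel_command() {
    http=$(forward_spec 5050 127.0.0.1 5050)   # browser proxy -> Apache proxy
    smtp=$(forward_spec 25 127.0.0.1 25)       # outgoing mail
    pop3=$(forward_spec 110 127.0.0.1 110)     # incoming mail
    for spec in "$http" "$smtp" "$pop3"; do
        check_forward_spec "$spec" || {
            echo "refusing non-loopback bind: $spec" >&2; return 1; }
    done
    printf 'ssh -N -o StrictHostKeyChecking=yes -L %s -L %s -L %s %s@%s' \
        "$http" "$smtp" "$pop3" "$SSH_USER" "$TRUSTED_HOST"
}

# tunnel_command   # prints the command; run its output to start the tunnel
```

On a Unix workstation the local listeners on 25 and 110 need root (privileged ports), so pick high local ports and point the mail client at those; the PuTTY equivalent of the loopback check is leaving "Local ports accept connections from other hosts" unticked in the Tunnels panel.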
 