2

I've been searching about VPN for more than an hour, and all the answers I found on this site or others are either confusing or contradicting.

My issue is that I usually access my company VPN through Cisco AnyConnect Secure Mobility client from my home computer. A colleague told me that they can "monitor" my home computer when the Cisco client is connected.

Some in the community say that a VPN is a 2-way connection: if you can access anything on your work computer then they can access anything on your home computer. HOW? I thought that I am the client and they are the server (the Cisco software is called client after all..). And if this is true, in what capacity they can access my computer? Screen grabs? Full drives access? Full admin privilege on my computer? Network traffic?

Some say that if they got split-tunneling then they can access your computer. How can I know if split-tunneling is activated?

In case they can access my computer, HOW can I stop them? How can I protect my important files/folders/drives?

Please, try to simplify the networking-specific explanations as possible.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Ruben Bourtoutian
  • 31
  • 1
  • 5
  • related: https://security.stackexchange.com/questions/197526/company-vpn-and-privacy-cisco-anyconnect – schroeder Mar 18 '20 at 16:52
  • If you're worried about monitoring, have you tried connecting from a VM? Should they indeed monitor the system, they won't be seeing much. – Mast Mar 19 '20 at 07:39

2 Answers2

8

"Monitor" can mean many things.

Monitor Your Traffic

If the client is not controlled by the employer, they can only monitor your traffic across the VPN on their side and not your file system/desktop.

2-way communication does not mean that they suddenly can log into your machine. It means that the traffic from the employer network might also reach your home machine through the VPN connection, depending on how it is configured.

No, split tunneling does not mean that they can access your machine.

Monitor Your System

However, other types of remote management clients do allow them to view your system, file system, and other things. It's important to know the difference.

For that particular client, it offers a DNS product called Umbrella, that could allow your employer to see sites you visit. It also has an optional plugin that does allow for full visibility on your device. You would have to know what services/options are enabled on the client.

General Advice

You need to work with your IT team, and possibly your HR and DPO, to understand exactly what you are being asked to install on your personal devices.

In general, employer-provided and controlled clients should not be installed on private machines. You can get clients from vendors (like from Cisco itself) that are not controlled by the employer. That would bypass all your concerns about your employers seeing too much.

Community
  • 1
schroeder
  • 123,438
  • 55
  • 284
  • 319
  • Thanks for the detailed answer. I really appreciate it. So I checked, on my Cisco AnyConnect client, the installed modules, it only showed VPN and Customer Experience Feedback, but there wasn't NVM (Network Visibility Module) which I believe is needed for Stealthwatch(optional plugin) to work? So does that mean that at most they can watch my traffic (which is OK for me) but not access my computer file system or take snapshots of it? – Ruben Bourtoutian Mar 19 '20 at 05:56
  • 1
    It's difficult for me to say specifically. I don't know that client well enough. If what you say is true, then they cannot monitor your system. – schroeder Mar 19 '20 at 07:14
  • "You can get clients from vendors […] that are not controlled by the employer. " – I think this is approaching the problem from the wrong end. Rather than installing a client that is not managed by the IT department on a PC that is also not managed by the IT department, the OP should simply get a PC that is managed by the IT department. At least in my country, the employer is responsible for providing adequate equipment for home office, which not only includes phone, computer, internet access, etc., but also chair, desk, and other furniture in compliance with worker's health regulations. – Jörg W Mittag Mar 19 '20 at 07:37
  • 1
    @JörgWMittag and that's one way to go. For BYOD, there are many strategies. – schroeder Mar 19 '20 at 07:38
  • @JörgWMittag well, they provided me a 15.6 inch laptop, but I really rather using my 2 screens and my keyboard and my mouse, without disconnecting them from my desktop and connecting them to their laptop. I'm just gonna take a leap of faith on this, with the info provided by schroeder and what I managed to gather up, it SEEMS that they truly cannot monitor my computer after all. – Ruben Bourtoutian Mar 19 '20 at 11:41
  • @RubenBourtoutian Honestly, sounds like you're solving the wrong problem then. Switching over monitors, keyboard and mouse is something you get really good at if you do it every day. – Mast Mar 19 '20 at 12:31
4

How can I know if split-tunneling is activated?

With the VPN enabled, open your web browser, and point your browser to www.whatismyip.com. What IP does it show that you are coming from? If it's the IP assigned to you by your ISP, then split-tunneling is enabled. If it's an IP on your company's network, then split tunneling is not enabled.

schroeder
  • 123,438
  • 55
  • 284
  • 319
mti2935
  • 19,868
  • 2
  • 45
  • 64