
I am currently working with a client in the healthcare sector. Part of the work will involve contact with sensitive patient health information (PHI). The client uses AWS and keeps their sensitive data inside of a Virtual Private Cloud.

It is required that I connect to a VPN Server to get access to their AWS services. They use OpenVPN client.

But they have the VPN configured so that when I'm connected to it, all of my internet traffic gets tunneled through the VPN server, not just the traffic bound for their network resources. This slows my internet connection down to about 1.5 Mbps down, which is not ideal.

I brought it up with them and they said "the security rules prevent anyone from any IP address except the VPN endpoint from getting any information about our instances." But unless I'm missing something, that doesn't really answer my question.

Are there any real security advantages for them to set up their VPN this way?

Matt Alexander

  • They could easily push specific routes for their infrastructure, but it's their data; they make the rules. – user9517 Nov 17 '17 at 06:24
  • This is how many companies run VPNs; they don't allow split-tunneling, which is a security risk. Most breaches are committed from the inside. In this case, inside is their network, not yours. Someone on their network could use your VPN connection to get out to the public Internet. HIPAA is very strict, and even a hint of a flaw will make the auditors scream for someone's head. The client probably has no control over the situation. – Ron Maupin Nov 17 '17 at 06:36

2 Answers


You (basically) have two modes when connecting to a VPN:

  • full tunnelling: all traffic passes through the VPN tunnel; this is the setup your customer uses

  • split tunnelling: only the traffic destined to the remote network passes through the VPN; other traffic (internet) doesn't

There are two risks involved with split tunnelling:

1 - your internet connection can be compromised and an attacker can gain access to the remote network through your machine. Your connection may be secured, or not. The customer has no way to control the security of your internet connection, so they make sure you don't have access to the internet, apart from the connection they do control, while you are connected to their network.

2 - as explained by Ron Maupin in a comment, a user inside the remote network can bypass internal security to gain Internet access through your VPN connection. They may use this to browse dangerous sites or to export sensitive data.

As a side note, some VPN clients also perform custom checks on your machine, typically to see if there's anti-virus software and if it is up to date, prior to granting access to corporate resources.

MadHatter
JFL
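To make the two modes concrete, here is an added example (not from the question or from either answer) of the server-side OpenVPN directives that produce each mode, with the trade-offs the answer describes noted beside each; the private network 10.0.0.0/16 and the resolver address 10.0.0.2 are constructed placeholders, not the client's real addresses.

```conf
# Added example: server-side OpenVPN directives for the two tunnelling modes.
# All addresses are constructed placeholders.

# --- Mode 1: full tunnel (what the customer in the question runs) ---
# Replaces the client's default route, so every packet, internet-bound or
# not, crosses the tunnel and leaves through the VPN server's egress IP.
# The security groups can then allow that single IP, and the consultant's
# own internet link is not used at all while connected (risk 1 above).
push "redirect-gateway def1 bypass-dhcp"
# Hand out an internal resolver as well; otherwise name lookups would still
# go to the consultant's ISP resolver outside the tunnel.
push "dhcp-option DNS 10.0.0.2"

# --- Mode 2: split tunnel (what user9517's comment suggests) ---
# Push only the route for the private network; everything else stays on the
# consultant's own default route, so bandwidth is unaffected.  The server no
# longer controls where the client's remaining traffic goes (risk 1), and
# the client machine now sits on both networks at once, which is what makes
# the internal-user egress path in risk 2 possible if forwarding is enabled
# on that machine.
# push "route 10.0.0.0 255.255.0.0"
# push "dhcp-option DNS 10.0.0.2"
```

Only one of the two blocks is active at a time; the commented-out lines show the split-tunnel alternative that would replace the `redirect-gateway` line.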

Personally, as a fellow consultant, if a client imposed this type of control on me while performing work for them I'd say "Yes, I understand. Thank you." and then I'd proceed to go about the business they hired me for. I'd save whatever non-pertinent internet browsing until I was on my own time and my own network. Hopefully you're asking this question as an academic exercise and not in an attempt to skirt their controls or to try and convince them that you think they're wrong.

If I'm not hired to implement, audit, or advise the client on their current security practices then it isn't any of my business as a consultant to question those practices or to try to avoid them.

As a consultant, it isn't my place to impose my will, opinions, or preferences on the client and it isn't my business to point out "everything they're doing wrong" unless that's part of my contracted engagement with the client. You're going to encounter a lot of scenarios with clients that leave you shaking your head or wondering why. The best thing to do is to keep your opinions to yourself and get on with the work they hired and are paying you for. Of course, it's also our duty to look out for the best interests of our clients so there may be times when you need to speak up about something, but this isn't one of those times.

joeqwerty
  • Thank you for your response, even if it is off topic. Firstly, I am being partially hired to look at their security. Secondly, the tunneling is bringing my 15 Mbps connection down to 2 Mbps, which concerns them -- they pay me by the hour. – Matt Alexander Nov 18 '17 at 08:37