Is there a hardware appliance that can see VPN packet payloads?

1

My IT staff at work claims they have a hardware appliance that can see the payload of a packet that has been encrypted using a VPN. I was told this only works if the connection was established on a work PC on the work network. They claim this works on SSL/TLS as well. Has anyone heard about something such as this and could you provide links to documentation? I am concerned that they may be simply using scare tactics. Because if that was true, why would anyone use a VPN if the supplier of the network could see whatever you were doing anyway? The purpose of a VPN, I thought, was to completely secure your connection and tunnel into another network.

japtain.cack

Posted 2015-10-16T20:53:17.233

Reputation: 21

Question was closed 2015-10-19T22:39:38.673

Questions seeking product, service, or learning material recommendations are off-topic because they become outdated quickly and attract opinion-based answers. Instead, describe your situation and the specific problem you're trying to solve. Share your research. – Moses – 2015-10-16T21:06:19.720

Until you see proof, it's not likely. – Keltari – 2015-10-16T21:11:00.160

@Moses: How is this even "seeking a product recommendation"? – user1686 – 2015-10-16T23:03:12.680

I'm not seeking a product recommendation. I am simply asking if it's possible, and if so, how. If a product were to show up, so be it. – japtain.cack – 2015-10-17T12:04:14.643

@Keltari I remember a few years ago someone saying something very similar to "until you see proof, it's unlikely" while talking about the scope of NSA et al. snooping. If you make the presumption that something is possible, you're far more likely to protect yourself against it. – Michael B – 2015-10-17T17:39:30.953

Answers

0

If you do anything on any machine that is controlled by someone else, then you can presume that all traffic that comes and goes from it can be intercepted. It is a trivial matter to insert a monitor into the network stack that will see the plaintext of all communications.

This isn't a weakness in VPN; it is a weakness in not having a controlled environment (i.e. one not controlled by you). If you used a PC owned by you on that network, then it would be impossible to intercept traffic inside a VPN.

Michael B

Posted 2015-10-16T20:53:17.233

Reputation: 714

This is basically what I was being told. However, they told me that they could take the key that was used to establish the secure connection from my machine and use that to decrypt any communication that used that key. – japtain.cack – 2015-10-17T12:23:42.490

It is impossible to communicate securely from a compromised system. A computer owned by another party is compromised with regard to your security. It is possible that a pre-shared key / certificate could be taken from the machine: since they own the machine they have debug permission, so they could read it directly from memory. With the pre-shared key, you can compromise all subsequent keys, so yes, it is theoretically possible. I haven't witnessed any device that does so (but would be curious to hear about it!) – Michael B – 2015-10-17T17:35:43.283

0

If they have installed their own trusted root certificate on your machine, then yes, they can intercept your VPN/TLS traffic.

Is it your machine, or theirs? Do you see your company's certificate in the list of trusted root certs on your machine? http://rogerkar.blogspot.ca/2009/03/how-to-view-all-trusted-root.html

Neil McGuigan

Posted 2015-10-16T20:53:17.233

Reputation: 339

It is their machine. They do have a root certificate, but that wouldn't affect, for example, an encrypted chat client or a personal VPN would it? – japtain.cack – 2015-10-22T19:20:55.467

@Jedimaster0 Of course it would. This can easily be done with an SSL proxy like Charles: http://www.charlesproxy.com/documentation/proxying/ssl-proxying/ – Neil McGuigan – 2015-10-22T19:42:48.903

Mind = blown. Thanks. I'm sure that's exactly what they are using. Maybe not the exact product, but the technology at least. – japtain.cack – 2015-10-23T00:50:00.797
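The two checks the answer above points at (is a non-public root in the trust store, and who actually issued the certificate the client sees) can be scripted. The following is an added example and not code from any of the posters; it works on the dict format Python's own `ssl` module returns from `SSLSocket.getpeercert()` and `SSLContext.get_ca_certs()`. The certificate dicts, the "Example Public CA R3" issuer and the "Example Corp Root CA" entry are constructed sample data, not real certificates. An interception proxy that has its root installed on the machine passes normal validation, so the tell is a changed issuer on the leaf or a root that was not in an earlier snapshot of the trust store:

```python
"""Two defender-side checks for TLS interception via an installed root CA:
 1. issuer_mismatch: does the leaf certificate the client received come from
    the CA we expect, or from a re-signing proxy's CA?
 2. trust_store_diff: which root certificates appeared in the local trust
    store since a baseline snapshot was taken?
Both operate on the dict shape used by Python's ssl module."""
import socket
import ssl


def rdn_to_dict(name):
    """Flatten ssl's nested RDN tuples ((('commonName', 'x'),), ...) to a dict."""
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out[attr] = value
    return out


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live lookup (not exercised offline): return getpeercert() for `host`
    using the system trust store.  If a proxy's root CA is installed on this
    machine the handshake still succeeds, so only issuer_mismatch reveals it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_mismatch(cert, expected_issuer_cn):
    """True when the leaf was not issued by the CA we expect.  A re-signing
    proxy replaces the leaf with one signed by its own CA, so the issuer the
    client sees changes even though chain validation passes."""
    issuer = rdn_to_dict(cert["issuer"])
    return issuer.get("commonName") != expected_issuer_cn


def trust_store_diff(baseline, current):
    """Subject commonNames of roots present in `current` but absent from the
    `baseline` snapshot (both lists shaped like SSLContext.get_ca_certs())."""
    def key(c):
        return (rdn_to_dict(c["subject"]).get("commonName"), c.get("serialNumber"))
    known = {key(c) for c in baseline}
    return sorted(key(c)[0] for c in current if key(c) not in known)


# --- Constructed sample data (assumed shapes, not real certificates) ---
DIRECT_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
    "serialNumber": "0A1B2C",
}
# Same site seen through an interception proxy: leaf re-signed by a corporate CA.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Root CA"),)),
    "serialNumber": "7F7F7F",
}
BASELINE_ROOTS = [
    {"subject": ((("commonName", "Example Public CA R3"),),),
     "issuer": ((("commonName", "Example Public CA R3"),),),
     "serialNumber": "01"},
]
CURRENT_ROOTS = BASELINE_ROOTS + [
    {"subject": ((("commonName", "Example Corp Root CA"),),),
     "issuer": ((("commonName", "Example Corp Root CA"),),),
     "serialNumber": "02"},
]

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(label, "issuer mismatch:", issuer_mismatch(cert, "Example Public CA R3"))
    print("roots added since baseline:", trust_store_diff(BASELINE_ROOTS, CURRENT_ROOTS))
```

The issuer check needs an expected value obtained out of band (for example, the issuer seen from a machine you control); the trust-store diff needs a baseline taken before the machine was handed to you. Applications that pin their own certificates or, like many VPN clients, do not consult the system trust store at all are not affected by an added root, which is why the answer's reasoning applies to TLS traffic that trusts the OS store rather than to every encrypted protocol.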