F.A.Q.
Mobile Phone Forensics
MOBILedit Forensic Express is a phone and cloud extractor, data analyzer and report generator all in one solution. A powerful 64-bit application using both the physical and logical data acquisition methods, MOBILedit is excellent for its advanced application analyzer, deleted data recovery, live updates, wide range of supported phones including most feature phones, fine-tuned reports, concurrent phone processing, and easy-to-use user interface. With the password and PIN breaker you can gain access to locked ADB or iTunes backups, with GPU acceleration and multi-threaded operations for maximum speed.
You can extract all the data from a phone with only a few clicks. This includes deleted data, call history, contacts, text messages, multimedia messages, photos, videos, recordings, calendar items, reminders, notes, data files, passwords, and data from apps such as Skype, Dropbox, Evernote, Facebook, WhatsApp, Viber, Signal, WeChat and many others.
- Phone unlocking
- Physical data acquisition
- Advanced application analysis
- Live updates
- Retrieve deleted data
- Multilingual Reporting
- Password and Pin breakers
- Concurrent extractions
- Camera ballistics
- Photo Recognition
- Face matching
- iCloud Analyzing
- Contacts Report
- Contact Analysis Report
- Contact Account Report
- Message Report
- Conversations Report
- Calls Report
- Emails Report
- Applications Report
- Deleted Data Report
- Password Report
- Photos Report
- Audio Files Report
- Video Files Report
- GPS Location Report
- Cookies Report
- Web Browsing History Report
- Bluetooth Pairings Report
- Notifications Report
- Bookmarks Report
- Keyboard Cache Report
- System Logs Report
- File System Report
- Timeline Report
JTAG involves the disassembly of a mobile phone and the connection to test points or components on the motherboard in order to read data from the handset. Connection can be made using specialist adapters, by micro-soldering wires or a combination of the two. Wires can be de-soldered after data extraction to return the handset to its prior state. Data can be extracted from handsets unsupported by forensic software along with PIN, pattern or password protected phones. This procedure may result in damage to or destruction of the phone.
Chip-Off involves the removal of the flash memory chip from a mobile phone and the use of specialist hardware and software to read the data from it. Using this method, we can extract data from handsets unsupported by forensic software or JTAG along with PIN, pattern or password protected phones and damaged or otherwise non-working handsets.
Anonymous Internet Browsing
Mike works for Company X. He enters www.SearchAll.com into the Firefox browser running on his desktop PC. A domain name server resolves www.SearchAll.com to 216.58.196.132. The page request is forwarded to the Company X gateway router which is connected to the public internet. The transmission contains the source IP currently allocated to Mike’s PC, 192.168.1.73. The gateway router has a public IP address of 203.36.148.8. The gateway router substitutes 203.36.148.8 instead of 192.168.1.73 as the source IP address, allocates the transmission a unique port number, stores the mapping in a lookup table and forwards the requests to SearchAll on 216.58.196.132. This process is called network address translation (NAT). Each individual transmission from Mike’s PC to the SearchAll router is identified by the IP address and port number mappings in the lookup table.
The SearchAll router accepts the request from 203.36.148.8 and forwards the request to an internal web server at 192.168.3.22 using NAT. The web server returns the web page to the SearchAll router, which substitutes 216.58.196.132 for 192.168.3.22 using NAT and then sends the page back to the Company X router at 203.36.148.8. The Company X router forwards the page to Mike’s PC on 192.168.1.73 using NAT and the lookup table.
The SearchAll Router sees the IP address of the Company X router but never sees the IP address of the sending PC.
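The lookup table the Company X gateway keeps in the walkthrough above, as an added example that is not part of the original FAQ. The IP addresses are the ones used in the text; the port numbers are constructed.

```python
# Added example, not from the original FAQ: a minimal model of the lookup table
# the Company X gateway keeps in the NAT walkthrough above. IP addresses are the
# page's; port numbers are constructed.
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Source NAT: private (ip, port) pairs are mapped to unique public ports."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.table: dict[tuple[str, int], int] = {}      # (private ip, port) -> public port
        self.reverse: dict[int, tuple[str, int]] = {}    # public port -> (private ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:                        # first packet of a new flow
            pub_port = next(self._ports)
            self.table[key] = pub_port
            self.reverse[pub_port] = key
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Packet:
        # A reply is addressed to the gateway's public IP and the allocated port;
        # the reverse table restores the private destination.
        priv_ip, priv_port = self.reverse[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def walk_through():
    """Mike's request to SearchAll and the reply, as seen outside and inside Company X."""
    gw = NatGateway("203.36.148.8")
    request = Packet("192.168.1.73", 51234, "216.58.196.132", 443)
    on_internet = gw.outbound(request)
    # SearchAll's router only ever sees the gateway address and answers to it
    reply = Packet("216.58.196.132", 443, on_internet.src_ip, on_internet.src_port)
    delivered = gw.inbound(reply)
    return on_internet, delivered
```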
VPN Obfuscation In Action.
Install a VPN client.
Mike sits in a strategically positioned corner desk with his back to the wall. He wants to watch MyTube videos at work but the site is blocked by the corporate firewall. Mike signs up with a commercial VPN provider, X-Net and downloads and installs the X-Net VPN client application on his PC. Mike launches the X-Net application which sends a connection request from the private address of the PC, 192.168.1.73, to the public IP address of the X-NET VPN router on 104.18.229.229. The request passes through the Company X router which converts the source address from 192.168.1.73 to its own IP address of 203.36.148.8 and forwards the request on to the X-NET VPN router on 104.18.229.229.
The X-NET router replies to the request and an encrypted channel is created between Mike’s PC and the X-NET VPN router. All network traffic from Mike’s PC to the X-NET VPN router is encrypted except for the metadata.
Mike enters the www.MyTube.com web address in his Firefox browser and starts watching videos. The MyTube router is located at 216.58.200.110. The X-Net VPN client uses an IPsec encapsulating protocol called Encapsulating Security Payload (ESP) to encrypt the packets in the MyTube network stream and create a new packet header with the source address set to 192.168.1.73 and the destination address set to 104.18.229.229. The destination IP of the MyTube router, 216.58.200.110, is encrypted along with the packet contents. Only the metadata, including the source IP 192.168.1.73 and the intermediate destination IP address 104.18.229.229, is exposed on the first hop between Mike’s PC and the Company X router.
The X-NET VPN router modifies the packet header and forwards requests to MyTube using its own IP address as the source IP address and 216.58.200.110 (decrypted) as the destination address. Traffic between the X-NET VPN router and the MyTube router is not encrypted.
What can the Company X network administrator see?
June is a network administrator monitoring network connections on the Company X Router (203.36.148.8) between PCs in Company X and external networks. June can see that there is a session established between the X-NET VPN router on 104.18.229.229 and Mike’s PC on 192.168.1.73. June cannot detect the MyTube traffic because all the application data flowing between Mike’s PC and the VPN is encrypted. The destination IP address of the MyTube router is also encrypted. June has no access to the X-NET VPN router and cannot examine the logs. Furthermore, X-Net has a no logs policy and cannot provide network traffic logs even on request.
June has a friend Mary who just happens to work as a network administrator for MyTube. June rings Mary and asks if she can see any network traffic from 104.18.229.229, the X-NET VPN router. Mary confirms that she can see several network sessions coming into the MyTube router from the X-NET VPN but she has no way of identifying which session if any belongs to Mike because all the IP addresses belong to X-NET rather than Company X.
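What each hop in the walkthrough above (the tunnel built in "VPN Obfuscation In Action" and the two administrators' views) can actually read, as an added example that is not the page's own code. The IP addresses are the page's; keystream_xor is a toy stand-in for ESP encryption so the block runs offline, not a real IPsec implementation.

```python
# Added example, not the page's own code: which addresses and payload each hop in
# the VPN walkthrough can read. IP addresses are the page's. keystream_xor is a
# toy stand-in for ESP encryption so the block runs offline; it is not IPsec.
import hashlib
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes   # cleartext application data, or an encrypted inner packet


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric toy stream cipher (SHA-256 counter keystream); constructed for the demo."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encapsulate(inner: Packet, vpn_ip: str, key: bytes) -> Packet:
    # Tunnel mode: the whole inner packet, including its real destination,
    # becomes the encrypted payload of a packet addressed to the VPN router.
    plain = f"{inner.src}|{inner.dst}|".encode() + inner.payload
    return Packet(inner.src, vpn_ip, keystream_xor(key, plain))


def decapsulate(outer: Packet, key: bytes) -> Packet:
    src, dst, payload = keystream_xor(key, outer.payload).split(b"|", 2)
    return Packet(src.decode(), dst.decode(), payload)


def observers():
    """Return (what June sees at the Company X router, what Mary sees at MyTube)."""
    key = b"constructed-session-key"
    inner = Packet("192.168.1.73", "216.58.200.110", b"GET /watch?v=1 HTTP/1.1")
    outer = encapsulate(inner, "104.18.229.229", key)
    # June monitors the Company X router: outer header only, payload opaque.
    at_company_x = outer
    # X-NET decrypts, then forwards with its own address as the source.
    decrypted = decapsulate(outer, key)
    at_mytube = Packet("104.18.229.229", decrypted.dst, decrypted.payload)
    return at_company_x, at_mytube
```

Note that at_mytube carries the request in the clear: that is the hop where Mary, not June, can read application data.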
What about Personally Identifiable Information (PII)?
Mike decides to log into MyTube using his SearchAll Account. Mike fails to notice that the login page is unencrypted. Mike’s userid and password are transmitted across the encrypted link between his PC and the VPN router and then in clear text between the VPN router and the MyTube router. June cannot see the userid and password on her side of the VPN router but Mary can see Mike’s userid and password in clear text as the data exits the VPN router unencrypted and transmits to the MyTube router. Mary can now associate Mike with one of the network sessions connected to MyTube.
Mike needs to ensure that all personally identifying information transmitted from his PC to the public internet is end to end encrypted by configuring his web browser to generate a warning when he lands on an insecure page i.e. a web page not using HTTPS.
What about correlation analysis?
Correlation analysis is the use of date, time and event information to identify users on a network.
The MyTube application records all login attempts and other information such as videos viewed. Mary can see the date and time of every MyTube user session and a log of user viewing habits. Mike gave his mobile phone number and personal email address to SearchAll when he set up his account. SearchAll owns MyTube. June gets Mike’s mobile phone number and personal email address from HR and passes them on to Mary, who uses the information to retrieve Mike’s login records and viewing habits. The dates and times correlate to dates and times when Mike was in the office at Company X. Mike is busted.
A VPN will not preserve Mike’s anonymity if he logs into a web based service and (1) he sends PII over an unencrypted link between the VPN router and the destination router, (2) his activities are logged by that service, (3) his account details identify him and (4) the owners of the service respond to requests for information. The other weak point is the X-NET VPN router. Network traffic is not logged but the network address translation tables are held in memory. In theory, a hacker could install a network sniffer on the X-NET VPN router and read the unencrypted metadata, which includes the source IP addresses, and possibly the translation tables which are held in memory. In this case, the Company X router would be identified as the source IP for MyTube traffic. The hackers could then target the Company X router to extract the source IP of Mike’s PC.
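The date and time correlation described above, as an added example that is not part of the original FAQ, run over constructed MyTube login records and constructed badge records for Mike. The account name, timestamps and the example.invalid domain are all made up; the VPN address is the page's.

```python
# Added example, not from the page: the date/time correlation described above, run
# over constructed MyTube login records and constructed badge records for Mike.
# Identifiers, timestamps and the example.invalid domain are all made up.
from datetime import datetime

MYTUBE_LOGINS = """\
2024-03-04T09:12:00 login account=mike.c@example.invalid src=104.18.229.229
2024-03-04T21:40:00 login account=mike.c@example.invalid src=198.51.100.7
2024-03-05T10:02:11 login account=someone.else@example.invalid src=104.18.229.229
2024-03-05T14:20:45 login account=mike.c@example.invalid src=104.18.229.229
"""

# Badge-in / badge-out pairs from Company X HR, constructed
OFFICE_PRESENCE = [
    ("2024-03-04T08:45:00", "2024-03-04T17:30:00"),
    ("2024-03-05T08:50:00", "2024-03-05T12:00:00"),
]

X_NET_VPN = "104.18.229.229"   # the VPN exit address from the walkthrough


def parse_logins(text: str):
    """Yield (timestamp, attributes) for each 'ts login k=v k=v' line."""
    for line in text.splitlines():
        ts, _kind, *fields = line.split()
        yield datetime.fromisoformat(ts), dict(f.split("=", 1) for f in fields)


def correlate(account: str, logins: str, presence, vpn_ip: str):
    """Logins for `account` that arrived via the VPN while the subject was badged in."""
    windows = [(datetime.fromisoformat(a), datetime.fromisoformat(b)) for a, b in presence]
    hits = []
    for ts, attrs in parse_logins(logins):
        if attrs.get("account") != account or attrs.get("src") != vpn_ip:
            continue   # wrong account, or not arriving from the VPN exit address
        if any(start <= ts <= end for start, end in windows):
            hits.append(ts)
    return hits
```

The 21:40 login is excluded because it did not come through the VPN, and the 14:20 login on the 5th because Mike had already badged out; only sessions matching both account and office presence count as a correlation.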
Anonymous Email