
Is it true that routers, like the Sophos XGS 87 decrypt the data stream on VPN connections?

I have a NordVPN account and the router at our office is a Sophos XGS 87. According to Sophos literature they do deep packet inspection on TLS 1.0 to 3.0 (HTTPS) connections.

It seems the router acts as a "man in the middle" so that it acquires the encryption key and then uses it to inspect all encrypted traffic.

I asked NordVPN if this would impact the session with their VPN service. Their only reply, on repeated requests, is that they use AES 256-bit encryption for the connection, but they don't say what encryption is used to make the connection or whether the Sophos router can pose as the client.

My concern is that if the router can pose as the VPN client it will decrypt-inspect-encrypt all traffic passing through it. I am working outside office hours, which the company allows me to do on their network, but I value my privacy and security.

If my concern is valid, then is this true of all VPN services?



  • ADDED: Just read your sentence about the company's computer. I assume they admin it. They have very strong reasons for not allowing you to VPN through their network, ranging from security to liability for your actions. So they probably force your machine to trust their CA certificate and do the MitM, and then block any VPNs that they can detect. If you want privacy don't do things on your employer's network. You have no right to privacy there.

    ORIGINAL: The key thing is that a client and server can detect a man in the middle. Your browser, for example, uses TLS and will give you a warning if your XGS is doing DPI by doing a MitM. That's why you have to copy the XGS's certificate down to your computer and mark it as a trusted Certificate Authority certificate.

    So if you control your laptop as the admin, you will know if someone turned on TLS decryption on your XGS. If it's not your laptop, it doesn't really matter what happens on the XGS, the admin of your laptop can get access to your data before any encryption if they want.

    Even if you mark the XGS's CA certificate as trusted, the server at the far end can still detect that the certificate is not the one that is "pinned" in the client, if it wants to: some servers, like banks, do this check.

    This is using the HTTP-TLS-style certificate and authority mechanism, which allows creation of certificates by Certificate Authorities and can check for authorizations.

    You could also just generate a key on the server end and somehow get it to the client end and then encrypt your data with this key. No certificates, no certificate infrastructure, no authorities, just a key that you either know or don't know. In that case, there's no MitM possible unless your key has been compromised. There's no way for anyone to insinuate themselves into the middle. Similarly, public key encryption allows the client to use a public key and unless the encryption is cracked because of inherent weaknesses, etc, there's also no possibility of a MitM.

    So depending on how NordVPN encrypts its VPN, it's either impossible to MitM, or you can detect at either end that a MitM is happening and you either accept it or not. The question is: what mechanism is the VPN provider using and if it is a certificate-infrastructure mechanism like TLS do they detect MitM and stop the connection or not.
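The distinction the reply draws between a certificate-authority mechanism and "just a key that you either know or don't know", as an added example that is not part of this thread, of NordVPN's software, or of Sophos's: a toy pre-shared-key handshake with key confirmation, run three times, once directly, once through a middlebox that only relays and records, and once through a middlebox that terminates the session on each side with its own key (the way an inspecting proxy substitutes its own CA). The PSK, the middlebox key, the nonce-plus-HMAC protocol and the HMAC-keystream "cipher" are all constructed for the demo and are not any real VPN's handshake; what it shows is that the cipher strength NordVPN quoted (AES-256) is beside the point, and what defeats the middlebox is that both ends authenticate with a key it does not hold.

```python
import hashlib
import hmac
import secrets

# Constructed demo keys (not real secrets): the PSK shared by the VPN client
# and server, and a different key held by the inspecting middlebox, standing
# in for the XGS's own CA key that it would use to re-sign a TLS session.
REAL_PSK = hashlib.sha256(b"constructed demo psk").digest()
MIDDLEBOX_KEY = hashlib.sha256(b"constructed middlebox key").digest()


def derive_session_key(psk, client_nonce, server_nonce):
    """Session key bound to both nonces; only a holder of psk can compute it."""
    return hmac.new(psk, b"session" + client_nonce + server_nonce, hashlib.sha256).digest()


def confirm(key, role, client_nonce, server_nonce):
    """Key-confirmation MAC: proves the sender derived the same session key."""
    return hmac.new(key, role + client_nonce + server_nonce, hashlib.sha256).digest()


def keystream_xor(key, data):
    """Toy stream cipher (HMAC-SHA256 keystream) for the demo only; not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Client:
    def __init__(self, psk):
        self.psk, self.nonce, self.key = psk, secrets.token_bytes(16), None

    def hello(self):
        return self.nonce

    def finish(self, server_nonce, server_mac):
        key = derive_session_key(self.psk, self.nonce, server_nonce)
        expected = confirm(key, b"server", self.nonce, server_nonce)
        if not hmac.compare_digest(expected, server_mac):
            raise ValueError("server confirmation failed: peer does not hold our PSK")
        self.key = key
        return confirm(key, b"client", self.nonce, server_nonce)


class Server:
    def __init__(self, psk):
        self.psk, self.nonce, self.key = psk, secrets.token_bytes(16), None

    def respond(self, client_nonce):
        self.client_nonce = client_nonce
        self.key = derive_session_key(self.psk, client_nonce, self.nonce)
        return self.nonce, confirm(self.key, b"server", client_nonce, self.nonce)

    def finish(self, client_mac):
        expected = confirm(self.key, b"client", self.client_nonce, self.nonce)
        if not hmac.compare_digest(expected, client_mac):
            raise ValueError("client confirmation failed: peer does not hold our PSK")
        return self.key


def direct_handshake(client, server):
    """Both ends hold the same PSK; returns True when they agree on a key."""
    client_nonce = client.hello()
    server_nonce, server_mac = server.respond(client_nonce)
    server.finish(client.finish(server_nonce, server_mac))
    return client.key == server.key


def passive_middlebox(message=b"constructed private traffic"):
    """Middlebox relays the handshake untouched, records everything on the wire,
    then tries to decrypt with the key it holds. Returns (server_read_it, middlebox_read_it)."""
    client, server = Client(REAL_PSK), Server(REAL_PSK)
    client_nonce = client.hello()                            # seen by middlebox
    server_nonce, server_mac = server.respond(client_nonce)  # seen by middlebox
    server.finish(client.finish(server_nonce, server_mac))
    ciphertext = keystream_xor(client.key, message)          # seen by middlebox
    guessed = derive_session_key(MIDDLEBOX_KEY, client_nonce, server_nonce)
    return (keystream_xor(server.key, ciphertext) == message,
            keystream_xor(guessed, ciphertext) == message)


def active_middlebox():
    """Middlebox terminates the session on each side with its own key, as an
    inspecting proxy does with its own CA. Returns the error each real end raises,
    or None for a side where the interception went unnoticed."""
    client, server = Client(REAL_PSK), Server(REAL_PSK)
    fake_server, fake_client = Server(MIDDLEBOX_KEY), Client(MIDDLEBOX_KEY)
    result = {}
    try:  # client side: the middlebox answers the client itself
        server_nonce, server_mac = fake_server.respond(client.hello())
        client.finish(server_nonce, server_mac)
        result["client_side"] = None
    except ValueError as err:
        result["client_side"] = str(err)
    try:  # server side: the middlebox opens its own session to the real server
        server_nonce, server_mac = server.respond(fake_client.hello())
        fake_client.finish(server_nonce, server_mac)
        result["server_side"] = None
    except ValueError as err:
        result["server_side"] = str(err)
    return result
```

Calling `direct_handshake(Client(REAL_PSK), Server(REAL_PSK))` returns True; `passive_middlebox()` returns `(True, False)`, the real server reads the traffic and the relay does not; `active_middlebox()` returns an error string for both sides, because each real end checks the confirmation MAC against the key it holds rather than against anything the middlebox can present. That last point is the practical difference from the TLS case in the reply: with a CA-based mechanism, a middlebox whose CA the client has been told to trust passes the client's check, and only a pin at the client or at the server catches it.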
