VPN & Remote Working - Computerphile
Вставка
- Опубліковано 24 бер 2020
- As we move towards a remote working culture, Dr Steve Bagley remotely connects to explain what VPN is & how it works.
/ computerphile
/ computer_phile
This video was filmed by Dr Steve Bagley and Sean Riley and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com
7:40
i set up VPNs all the time at my previous job and always wondered why IPSec used TCP over UDP, but it never pertained directly to solving a problem so i never looked it up.
please count this as my vote for a followup video on UDP over TCP :)
I work as a 1st line technician at an MSP... All i have been doing the past week and a half is setting up VPN connections and remote access!
It is redundant to encapsulate twice with TCP. You get all the benefits that TCP provides by encapsulating with TCP just once. The second TCP encapsulation will just add an additional and unnecessary network overhead. Look it up for more details. HTH
pn
That makes sense, thanks for replying. I guess, then, the point of encapsulating in UDP just boils down to the speed advantage (no need for handshaking and error checking since you’re doing that post-decap anyway) and increased amount of data per packet thanks to smaller header size
@@OutrageousOctopus mee too!
KnuckleTips I had a joke about UDP, but you may not get it.
Can you do a series on the regular guests' bookshelves? Their favorite computer and non-computer books? I'm always interested in the background shelves in the videos.
He even has this paper on his iPad...
Amazing what you can do with a little bit of PostScript programming…
%!PS-Adobe-2.0
/w 1920 def
/h 1080 def
/step 10 def
/dvsn step 8 mul def
/margin 36 def
/gap 4 def
/biggap 24 def
/close 4 def
> setpagedevice
0 h translate
1 -1 scale
0.5 0.8 0.5 setrgbcolor
/y biggap def
{
0 1 close
{
0.25 setlinewidth
margin y moveto
1920 margin sub y lineto
stroke
/y y gap add def
} for
/y y biggap gap sub add def
y 1080 ge { exit } if
} loop
0.775 0.80 0.75 setrgbcolor
biggap 9 add 48 1080 biggap add
{
newpath
dup dup 18 exch moveto
18 exch 9 0 360 arc
dup w 18 sub exch moveto
w 18 sub exch 9 0 360 arc
fill
} for
showpage
@@DrSteveBagley Programming in PostScript? Kudos!
What is so special about this?
Brady is keeping all his dozens of channels alive from the comfort of his home
The first time I used a VPN to work from home and realized I could access all the network resources like drives, printers, and servers, I was blown away. Now they have apps for vpns. It's such a cool concept.
I loved this talk, it's funny hearing him trying so hard to not use too technical language to keep it accessible.
Clear, concise explanation. Thank you.
It really annoys me that most people these days think a VPN is just for tunnelling out your internet connection to hide your browsing....
....and send it directly to an unknown company, who cannot be trustet with your data (or as much as your isp for that matter)
I can't see any Problem there
I think we can blame that one on Nord VPN.
Count yourself lucky that they know what a VPN is at all. Would you rather be the head of IT having to explain to 1000 employees suddenly working from home what a VPN is as you frantically are issuing them all access credentials?
Ian Zamojc that has been my entire week...
@@IanZamojc I'd prefer they knew nothing over having misunderstood the idea completely "oh, for watching american netflix in europe!" easier teaching without some (wrong) presumptions already present.
This is the most stable camera work i have ever seen on computerphile
I always had the idea Dr. Bagley was a Doctor Who fan. Now I'm delighted to have that confirmed ;)
I thought all English nerds are Doctor Who fans.
@@IIARROWS Sadly, no. He's not a nerd either, he's a proper, respected academic.
@@gregf9160 IDK, in America respected academics are nerds. I suppose you designate them as "boffins". We have no such differentiation. Even "geek" has widened into nearly any enthusiast of anything.
Love that PDP 11 front panel.
Funny the quality of the mobile video, where all the adverts for video chats on mobiles are always shown as perfect with no buffering ever.
the connection must have been limited by something, I have never seen that bad video call
Very informative. Thank you.
Classic Dr Who and Star Trek box sets in the dining room? I approve 🍻
Would be interested in seeing you do a video on BeyondCorp!
On the next video would be nice if you spoke about layer 2 and layer 3 tunneling vpn. I think it would be interesting for a lots of people.
Even better, talk about the poor man's "vpn" solution: THE SSH DYNAMIC PORT FORWARDING
@@TheSam1902 Yes. absolutely. I have been using SSH all the time. Even SSH layer 2 tunneling on many many sites of my hobby link network project
@@TheSam1902 gotta love the power of SSH!
There are also virtual desktops that you can use. Your home PC becomes a "dumb" terminal running a client program connecting to a corporate virtualization server. A 2-factor authentication (RSA SecurID) is still used just like a VPN.
I'm at the same time relieved and disappointed, that the video hasn't at least partially been shot in vertical video format.
This would be a great begining of a materials regarding NETWORK PROTOCOLS. Forst VPN how it work but more specificly. Like 1 phase 2 phase etc etc. :)
Hi Steve, I'm an IT student in Upstate NY and we're taught the importance of using precise terminology. To that point, at 6:00 I believe you meant to say "Ethernet Frame," if I'm not mistaken. I also didn't quite understand your particular usage of "Ethernet Header" and wonder if "Frame" would again be the more appropriate term. Thanks for the video!
He used the correct terminology: Packet refers to the whole thing; Frame is just the particular section of the packet; Header is the starting contents of the frame. The ethernet header in this case would contain the checksum and Mac addresses.
So im guessing you guys are going to cover the different types of vpn.
such as pptp, sstp, l2tp, ipsec / ike.
as well as other remote access systems such as windows remote desktop protocol (and gateways), virtual network computing (and their gateways).
the diffrences, which is better for what application.
if so i can see you getting a lot more views, as you will have many technicians, engineers and the few manager who understood it, using the videos to get funding to implement them.
can you also explain in a video how ssh with port forwarding will be working for such a scenario? And under what conditions that is used for remote access rather than using VPNs?
Great explanation
Great video, can you address basic security concerns of using a personal cell phone as a wifi hotspot in a public environment.
reverse proxy is also a more flexible way to scale access to corp web resources securely (well, as long as you keep up with latest web security standards and have a per client machine certificate)
Although VPNs offer excellent solutions for securely connecting to remote networks, VPNs also introduce a risk:
At the office, the IT personnel are responsible for computer security.
They can enforce group policies, ensure that everyone is running company approved anti-virus software, etc.
At home, the company often has zero control over the computer being used to establish a VPN connection. That home computer could be compromised with a key-logger, etc.
For such a connection, the company should be purchasing the home system, and should be enforcing the same conditions on that computer, as though that computer was in the office.
When the employee parts ways with the company, then that home computer, which is company property, goes back to the company.
If a company allows you to connect to their VPN server, they better limit those connections only to work laptops, which they do have control over.
The place I worked at, basically gave everyone their own laptop, which they used both at home and at work. You come to work, connect it to extenal displays and peripherals, and use it like a normal desktop. Then at the end of the work day, you take it home with you. So there is no "office machine" / "home machine" distinction, it's just your work laptop.
That's the reason why the IT company where I work provide laptops to its employees. And as far as I know is common procedure for most big IT companies.
You either hand out laptops (if you're rich) or (if you're not that rich) you treat those home PCs as BYOD's - let them into a specific subnet and only open specific ports from there etc.
@@SMJSmoK With the upsurge of remote requirements like this, we had some large NFP's who couldn't exactly fork over dozens of laptops on the drop of a dime (plus availability right now is scarce). One possible solution we were theorizing was to deploy a standardized VM - essentially a domain-joined guest image that you do have full GPO control over. It mitigates many (but admittedly not all) of the concerns of the host system being compromised.
A fascinating topic no doubt
Please add a section on the use of personal devices to connect to corporate resources: risks and mitigation
Steve! Could you also cover services such as Teamviewer and Citrix, and also tunnelling through an SSH connection?
Second this. I never managed to figure out how to actually use UDP in applications
Next video should be about protein folding (A la Folding@Home)
Damn he has a complete book just on OSPF routing? Wow!!
I've measured the performance of VPN and ssh, and ssh is about 6 times faster than the vpn we use at work (at least in one direction), so all I use the vpn for is to setup an ssh tunnel from work to home, then I run the x2go remote desktop over ssh.
I assume you have some safe-guards, such as fail2ban, certificate authentication, etc., vs just having port 22 wide open with only password auth?
Can you do a video on Wireguard? its avery special piece of software.
Opens the video, sees Signal, clicks on like immediately
Are those Doctor Who DVD's in the background?
One quibble... Message Authentication Codes (not to be confused with the MAC in 'MAC address') are not digital signatures, though they do usually use hashes. MACs are what's used to make sure the messages are not modified in transit.
If you're using an HMAC however, you technically ARE signing it - signing the hash's integrity.
@@Demonslay335 - I consider a feature of a 'signature' to be non-repudiatable. This is not the case with HMAC. The recipient knows the HMAC key and could forge a message that appeared to be from you.
@@Omnifarious0 Ah, fair point. You're right then, as actually signing the HMAC (with an asynchronous key) would be separate.
@@Demonslay335 - Asymmetric you mean? 🙂
@@Omnifarious0 Heh, spell check.
Am I able to use a VPN so I can work out of the US temporarily? US system/connections might not recognize IP addresses from a different country
5:50 where did you come from, where did you go, where did you come from cotton eye joe
Somewhere in my parents' attic I have the same VHS box set of the Ice Warriors.
More videos!!!
Which app on the iPad did you use for drawings?
Thanks for the info, what software do you use on the IPAD to draw ?
The app on the iPad is called Procreate. I also used QuickTime on my Mac to record the screen as I drew.
Computerphile making history making a video at corona vius's times... awesome!!
Nice video duration time! ^^'
nice video length
Is there a way you can hide/disguise what you are sending through a VPN? You mentioned patters where it could determine if it's a video call or an http request.
Yes, you can send a constant data stream in both directions. The outside observer wouldn't see if it's dummy data or real data inside. However, all internet connections are sized for interlacing traffic from/to multiple sources. So multiple people hogging their maximum bandwidth constantly would clog the network quickly.
I'm not sure how you had a conversation about how VPN works and didn't talk about GRE or IPSec, but hey, I guess this was intended for a more general audience.
Be kind and turn off your webcam during your Zoom meetings while connected to your company's VPN.
And there was me believing that packets were encapsulated within frames and it was the frames that were sent out over a wire to other devices.
Too simple; needs part 2. Exl,ain why some vpn are safer than others. Not just pptp v openvpn, but also enormous variation in brands. Thanks!
now I NEED to know why it uses UDP!
Sweet home VPN,
Connect me to my stuff
Sweet home VPN...
I like the video because you’re explaining how a VPN works but I do wish you had spoken about the risk of giving a remote user network level access in a corporate use case. What if the user introduces malware into the network via VPN? VPN’s have had their day... time to move away from this type of approach for non admin users. Use a dual app proxy based architecture and improve the security posture and still prove access to private applications hosted in the dc.
He showed TCP packets wrapped in UDP. As far as I know, UDP sends packets without confirming their arrival, while TCP keeps trying until packets are confirmed to have reached their destination. There seems to be a conflict in that wrapping, if I understand correctly. How does it work?
By not conflicting. If you have 2 protocols that both think they are responsible for resending packets, throttling traffic and so on, things will be done multiple times. Imagine sitting in a bus where each single passenger thinks they have to hit the brakes to avoid collisions...
With no confirmation, it'd seem the TCP sender would hit some loop of trying to send some packets and failing unless the UDP sender somehow responds to those...
My guess: the one sending UDP just responds to the TCP sender with ACK and confirms "everything went fine" regardless of whether or not those UDP packets made it to their destination.
Video length is 13:37.
N1C3! ;)
Does my company need a VPN if all of our data is stored in the cloud?
Steve has a PDP-11 front panel on the shelf?
Little Star it’s a PiDP-11 replica - fund to make and build, uses a raspberry pi to emulate the pdp11
@@DrSteveBagley I have a nice collection of machines myself, including a real PDP 11/73 that dims the lights when I power it on.
@@rabidbigdog You want to get of hold of a PDP11/60 - nicest PDP DEC ever made - THAT needs 3 phase!! It has a MASSIVE three phase air blower (you can't really call it a fan)! BOY does that blow!!
Props for Bagpuss
Appears to have a PiDP-11 in his dining room on a shelf. I'm unsurprised 😂
A question we often get asked is "why have the vpn layer, lets just be on the internet and do everything there without the VPN". I dunno, kinda running out of answers on that, other than extra layer of identification.
That's really the better way of doing it, except that you've probably got things on your network that aren't sufficiently protected against attackers because they were designed and implemented with the expectation that everyone with access to the network isn't malicious. These things should be redesigned anyway, because there may be malware on people's computers at times that could attack your unprotected systems, but there are probably services on your network you haven't thought to redesign, like printers and scanners and video conference devices that just trust any device that can reach them.
@@iabervon I think that is "computer security" oversell. I don't think printer services are vulnerable to efforts to hijack video and audio, and there's already very simple measures to keep even specific print jobs from being hijacked. You have to separate possible vulnerabilities from actual real-world vulnerabilities, and even then prioritize. I'm not scared of Postscript viruses that only attack printers. Don't be the security expert who cries wolf.
what are those DVDs on his bookshelf?
me99771 Those are storage media .
is openVPN still the best option for most VPNs?
Personally, I'd use (and use) Wireguard and IPsec depending on the use case.
Star Trek, Doctor Who and Back to the Future... ah, I feel at home already :)
10:10 I'm a bit confused by this part, isn't that the definition of proxy? i.e. tunneling packets through a different IP?
What is the difference here?
Basically, when using a proxy, you are still operating on your real IP, but you hand off network traffic for a specific service over to another server to complete for you. With a VPN, system wide you operate under a totally different IP address, where everything you do on your network is totally encrypted to your ISP.
Both of these methods can mask your location to others, but a VPN is needed to protect your privacy.
A Proxy will redirect your web traffic while a VPN redirects AND encrypts your traffic. A VPN can also create a direct, encrypted tunnel to a host network, such as an internal network at some company or government organization, whereas a Proxy doesn't create direct tunnels to private networks. That's the simple answer.
A proxy doesn't even have to redirect packets if not necessary, that's what usually happens when you surf the internet from your workplace. It just let you go thru, if it's not on a black list.
A proxy is much faster and requires much less resources because it doesn't redirect unless you are looking for specific resources, and doesn't mask the communication. Your resource is going to respond using your IP, not the proxy's.
@@rich1051414 if using a proxy, I'm still operating on my real IP, why does it mask my location?
@@undead890 Does no encryption mean that proxy is insecure (for the traffic from sender to the proxy)?
What is the difference between proxy server and VPN server
Back in the late 1990s we were using PPP over SSH as kind of poor-man VPN. It's worse than the normal VPN, but it's simple to understand how it works.
6:04 A bit nitpicky, but Ethernet "packets" are called frames.
Yeah, and he kinda glossed over layer 1 :)
nice
Where is the caption??
What about DNS leaks?
Is this Computerphile or Applephile?! Every video there's some Apple product featured be it a Mac or iPad! 🤣
nice house
I still don't understand why you would go through all of this trouble, as opposed to just encrypting the data and sending it over tcp over ip. Why does it need to be wrapped up inside another packet like this. Couldn't students just access school data by connecting through a secure TCP line?
I wonder about the significance of the user having 4 arms
Thanks to the cloud I rarely have to use VPN anymore. 😊
ppl in the future will look back at videos from march 2020 and be like, what the f*ck is going on?
Wireguard gang rise up!!
This
Hi I need someone to help me on my program project. please.
you need learn hacking?
cyb3rpunk. No 😅. At least not yet 😎.
I need to ask an expert in c++ on a program problem
If you want learn hacking I teach you عبدالرحمن الغنام
cyb3rpunk
I would like that
Mäander
No I will check it out thank you
Perimeter security, what could possibly go wrong...
Hmm, nobody noticed the 13:37 duration...
13:38 for me, but yeah.
@@Phroggster
weird, i see 13:37; i wanna see a computerphile video about how that discrepancy could've occurred lol
Why do we use VPNs when we have HTTPS?
To access servers inside a firewall is why I use a VPN to work from home. It's like I'm actually hooked up to my company's internal network.
Basically for the same reason manufacturing companies put their machines into big buildings with access control on the doors instead of putting them out in the open and having a password on each machine's control panel.
So funny how the laptop class ;) thought most people could work from home
What has happened to me quite a lot is that I would connect to my workplace via VPN in the morning, and then forget to disconnect after end of work. Now my employer knows all the dirty sites I visit.
Please can i work remotly by using vpn if the service isnot available in my country
👌
Nerds doing what they are used to: Social Distancing 😁
?
The real problem is that the remote machine is probably the easiest path for a malicious third party to gain access to the corporate network.
Brexit teeth being contained by braces. Unusual. Well done!
omfg MS Teams 😵
The network isn't virtual... It's real! It is a virtual "private" network CABEL!!!
"virtual (privat network)". A private network is one that is not routable from the internet. Instead of using hardware, you're using software to define that network.
@@HenryLoenwind Nonsense. Regardless of the hardware, networks are always defined by software. Otherwise its just a bunch of wires.
1337
I've only ever used VPNs in that second way.
0:46 Why are you using Microsoft?
Aren't you scared of the Cortana virus?
not sure most people are working from home..... certainly not the hundreds of thousamds whos industrys have shut down
leet
It made me realize how echoey most ppls homes are... All those home videos XD SO MUCH ECHO
me:watches this video
also me: trying to hack into china's database
MR ROBOT THEME SONG INTENSIFIES
well, I suppose that's appropriate as Mr.Robot was very fake, giving only an occasional nod to actual computer security, while getting details all wrong. Also, I don't think all of China has a single database. You're welcome to try and break in!
It frustrates me so much, that the concept is so simple to understand, but people still are clueless.
How vague
Early gang anyone?
All Your Toilet Paper Are Belong To Us