Employer VPNs, what are your legal, technical rights?

In your job contract what does it say about provision of IT equipment?

Personally I would be expecting them to supply it, when your machine goes tits up who do they expect to pay for repair/replacement?

You also need to check the T&Cs of your internet service provider as the vast majority only provide a basic service to residential properties which is not for business use.
 

Sarastro

You also need to check the T&Cs of your internet service provider as the vast majority only provide a basic service to residential properties which is not for business use.
I mean, really. In a theoretical world this might be true, but in the actual world we are living in, this is bollocks. Is anyone afraid of breaching some company's T&C's? What exactly is the threat or cost? What consequences are they actually able to impose (forcing you to become someone else's customer) or likely to impose (which they never do)?

Hands up anyone who has a) read all the T&Cs you have ever signed up to, or b) given even the smallest shit about abiding by those 'banned' actions which you can get away with consequence-free.
 

NSP

All the information we received was a brief email from IT providing the technicalities of configuring my computer changing the settings etc, including the installation of a regedit.

I am more than happy to work this way if the company provides a dedicated device but I am extremely uncomfortable with the geeks and misfits in our IT department having access to my personal family computer.
Your employer should have a detailed IT policy. Ask for a copy.
 
I mean, really. In a theoretical world this might be true, but in the actual world we are living in, this is bollocks. Is anyone afraid of breaching some company's T&C's? What exactly is the threat or cost? What consequences are they actually able to impose (forcing you to become someone else's customer) or likely to impose (which they never do)?

Hands up anyone who has a) read all the T&Cs you have ever signed up to, or b) given even the smallest shit about abiding by those 'banned' actions which you can get away with consequence-free.
Even though the ISPs turn a blind eye to it, it is still part of their T&Cs. If you wanted to be really pedantic with an employer who is being a bit of a cock you could legally insist they provide an internet service for you as you're in breach of your own ISP T&Cs.

I know in the real world no one gives a shit but employers have been taking the piss for a long time. How many people have factored in cost of charging up mobile work devices at home? Additional wear and tear on personal items such as computer chairs and desks? Additional heating/power/water costs of working from home?

Yes there is also the reverse of less money spent commuting etc but often this can be claimed as business mileage.
 
Your employer should have a detailed IT policy. Ask for a copy.
Thanks to everyone who has contributed their experience and knowledge, as I have said before when you want to get useful information provided free of charge and without pre-set agendas this is the place to come to.

First of all the company isn't a large one and doesn't have the HR or legal staff that some of you working in large, western companies are used to. There has been a certain degree of flying by the seat of our pants in relation to working from home over the past year and a half. In fairness the setting up of the VPN is a somewhat late reaction to the realisation that with most staff working on their own devices from home they needed to beef up security substantially.

They are using an off-the-shelf program called MikroTik and having seen videos on YouTube I can see what they can access and what they can't. I am not thrilled about what I see as an imposition by my employer on my personal and family space (for instance while I am working my kids will not be able to download movies etc) but accept the necessity for the move.

However, as you all rightly point out, if this is how it's going to be the company has an obligation to provide the device. Other issues concerning maintenance, and my own security if the company gets hacked, now need to be addressed and I will be in touch with the HRD, such as it is.

Thanks again for the huge input and technical advice, it set me in good stead when I discussed the matter with the IT team, who frankly seemed to regard me as some sort of weirdo concerned about silly issues like personal privacy, as one of them said "you trust those hackers in Google mate, how come you got a problem with me?" Which pretty much defined the problem I had with him.
 

Sarastro

They are using an off-the-shelf program called MikroTik and having seen videos on YouTube I can see what they can access and what they can't. I am not thrilled about what I see as an imposition by my employer on my personal and family space (for instance while I am working my kids will not be able to download movies etc) but accept the necessity for the move.
MikroTik isn't a software program, it's a network hardware equipment provider. I use their kit quite a lot. That suggests to me that they are setting up a hardware VPN, and requiring you to alter your router / laptop in order to conform to the hardware settings.

This is a much less supportable way of implementing it than a software VPN, which by its nature is going to be managed within the security framework of your operating system, therefore will be limited in what it can actually do without alerting you. A hardware VPN is also going to be much harder to turn off, so more likely to be "always on". For a software VPN, you can just close the app.

I would not do this on a personal computer. The differentiation here isn't about a VPN per se, but about the type of VPN and the intrusiveness of what they are asking you to do on your own kit.

Basically - your IT team seem to have landed on a solution for a permanent connection VPN, when what they actually should be aiming for is a temporary VPN that can be easily toggled when you are working, or using the laptop as a personal device. This is poor IT design or understanding on their part.
 

Sarastro

That is the URL - part of the HTTP request (specifically the HTTP 1.1 / <domain> GET <page> request). Nothing to do with the IP address used.
If you look into the detail, they describe how following the initial connection the entire exchange is encrypted. So yes, if the initial connection or DNS lookup is insecure, the IP address can be discerned, but not from an established HTTPS session.

Really go test it out yourself with Wireshark, just plug it into your switch / router and have a look at your HTTPS traffic. If you can ID the destination IP, just post the capture, I'd be genuinely interested.

EDIT: I do understand what you are saying about packets, but the reality is that with various protocols like SSL, or indeed VPNs, packets do not always work (or are tunnelled / shelled / encrypted) in exactly the way Packet Switching 101 teaches.
 
Not to mention if you have kids and your employer is able to access your webcam etc (as one friend who works for a bank told me - he runs the IT services for a bank and they are able to monitor employees through their webcams etc), then that's really not on.

I'm really, really struggling to believe that.
 
If you look into the detail, they describe how following the initial connection the entire exchange is encrypted. So yes, if the initial connection or DNS lookup is insecure, the IP address can be discerned, but not from an established HTTPS session.
I'll say it again, that is not how TCP/IP works. The IP header contains the IP addresses.
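
Added illustration of the question argued in the posts above, not part of any poster's message: a Python sketch that builds a constructed IPv4/TCP packet carrying one TLS application-data record and lists which fields can be read without session keys. The addresses, ports and random "ciphertext" are made-up sample values.

```python
import os
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
TCP_FMT = "!HHIIBBHHH"     # 20-byte TCP header, no options
TLS_FMT = "!BHH"           # TLS record header: content type, version, length

def build_packet(src, dst, sport, dport, ciphertext):
    """Constructed sample: IPv4 + TCP + one TLS application-data record.
    Checksums are left at zero because nothing here validates them."""
    tls = struct.pack(TLS_FMT, 23, 0x0303, len(ciphertext)) + ciphertext
    tcp = struct.pack(TCP_FMT, sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = struct.calcsize(IP_FMT) + len(tcp) + len(tls)
    ip = struct.pack(IP_FMT, 0x45, 0, total, 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + tls

def observe(packet):
    """Return the fields readable on the wire without any session keys."""
    if len(packet) < 45:
        raise ValueError("too short for IPv4 + TCP + TLS record header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, packet[:20])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_TCP:
        raise ValueError("not an IPv4/TCP packet")
    ip_len = (ver_ihl & 0x0F) * 4                      # header length in bytes
    sport, dport, _, _, offset = struct.unpack("!HHIIB", packet[ip_len:ip_len + 13])
    tls_start = ip_len + (offset >> 4) * 4             # skip the TCP header
    ctype, _, rec_len = struct.unpack(TLS_FMT, packet[tls_start:tls_start + 5])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport,
        "tls_content_type": ctype,        # 23 = application data
        "tls_record_len": rec_len,
        "body": packet[tls_start + 5:],   # ciphertext: opaque without keys
    }

# Constructed input: documentation-range addresses, random bytes as ciphertext.
SAMPLE = build_packet("192.0.2.10", "203.0.113.5", 51514, 443, os.urandom(32))

if __name__ == "__main__":
    for field, value in observe(SAMPLE).items():
        print(f"{field:18} {value}")
```

When the same traffic is sent through a VPN tunnel, the outer IP header seen on the home network or by the ISP carries the VPN endpoint's address, and the original packet travels inside the tunnel.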
 
Hands up anyone who has a) read all the T&Cs you have ever signed up to, or b) given even the smallest shit about abiding by those 'banned' actions which you can get away with consequence-free.
Maj Gen Welsh.... ?
 

Sarastro

Another thing to consider is what happens when and if you part ways with your employer for whatever reason. Could you completely trust them not to at least try and access your computer after you've finished working for them, particularly if you parted ways under acrimonious circumstances?

One thing that I learned in a long working career is to trust absolutely nobody...ever.
 


 

Quartz

I recently received an email from my employer's IT team, attached was seven pages of instructions telling me how to configure my computer so that I run through the company's VPN while working.

Speaking as someone who was a civvie IT guy in the defence sector (Messybeast) and is now retired I will echo the others in saying that you want a dedicated work device (laptop, desktop, or tablet). Further, you want to isolate the device from your other devices so make sure it is on its own VLAN.

The structure of the operating systems means your Personal User account will not be visible to the Work User account. Organise your drives so they are specific to a user account, and whatever data you have on your personal drive will also not be visible to your work account.

I would not trust this. It only takes one lapse.
 

Sarastro

I would not trust this. It only takes one lapse.
Yes, that was mostly advice for a software VPN, not a hardware one.
 
