Secure Tunnel - How is it Working?

Posted on
Sun Mar 02, 2008 11:19 am
yergeyj offline
Posts: 260
Joined: Dec 29, 2004

Secure Tunnel - How is it Working?

OK, I'm missing something?

I purchased a VPN router (Netgear FVS318v3) thinking I would need to establish a VPN link to it to be able to securely communicate through my firewall to Indigo and Phlink. I purposely did not want to use the less secure VPN alternatives that come with Mac OSX (PPTP, L2TP).

When I recently tried the Prism Reflector I was, therefore, surprised that it actually worked fine through the closed firewall. What type of connection / tunnel is being established that doesn't show up on my router? What level of security is used? How is Indigo establishing a secure link without the VPN router knowing?

Jim

Posted on
Sun Mar 02, 2008 12:25 pm
bjojade offline
Posts: 285
Joined: Aug 03, 2005
Location: Wausau, WI

(No subject)

I believe the connection gets initiated by the machine inside your network, so you don't need to open a hole in your router. This is how things like iChat connect to remote services through your network.

Using the VPN router, you wouldn't need to use the Prism reflector. You can connect right through your VPN to the server.

As far as software, I have gotten IPSecuritas to connect into the Netgear VPN hardware. I don't know how much more secure that is than the OSX alternatives though. I do know the FVS318s can be a bit finicky, though, needing regular reboots.

Posted on
Sun Mar 02, 2008 3:53 pm
yergeyj offline
Posts: 260
Joined: Dec 29, 2004

(No subject)

I have connected directly from outside, using VPN Tracker, to my Netgear and then to Indigo, but hadn't realized that the Prism Reflector would work through the firewall. The VPN connection with this method is VERY secure, using high encryption of all aspects of the connection, not just the data.

I'd still like to know what type of tunnel the Prism Reflector establishes.

Posted on
Sun Mar 02, 2008 6:24 pm
matt (support) offline
Site Admin
Posts: 21429
Joined: Jan 27, 2003
Location: Texas

(No subject)

bjojade is correct in how IndigoServer gets around firewall/router issues -- IndigoServer itself establishes a connection (128-bit encrypted SSH tunnel) with our hosted server.

You can then access the Indigo web server through this SSH tunnel by connecting to our hosted server (goprism.com). That connection (to the hosted server) can be encrypted or not encrypted depending on if you use HTTPS or HTTP in the URL. We call these connections reflectors since you are using our hosted server to relay a connection to the web server running on your Mac at home.

The actual browser authentication occurs on your IndigoServer Mac using whatever password you defined inside the Start Local Server dialog. GoPrism.com never even knows what that password is. I'd say it is pretty secure, presuming you have chosen a good, strong password.

The GoPrism.com reflector service is definitely geared towards those that have a dynamic IP address, or difficulty setting up their router and firewall to get it working. I'm a pretty technical person, but I decided to create GoPrism.com after struggling to setup remote Indigo access for my Dad. Depending on the network topology (throw a Vonage adapter and AirPort in there after the DSL router), it can be pretty darn difficult. I figure if I spent an hour+ on it, then I sure didn't want to have to try to walk customers through how to do it, especially given the different topologies they can use and how every router calls port forwarding something different.

GoPrism.com is still in beta and is still free. It will be officially launched here soon, at which point we will charge an annual fee for the reflector service.

Regards,
Matt

Posted on
Sun Mar 02, 2008 6:47 pm
dtich offline
Posts: 818
Joined: Sep 24, 2005

(No subject)

also: this info may help clarify the vpn vagaries, and that is that the vpn tunnels established by the fvs318 and many other soho vpn/routers are IPSec, a transport layer protocol, and https/SSL is application layer.

there are pros and cons for each, and SSL can itself run 'inside' IPSec, although that's somewhat redundant.

fwiw.

myself, i've had too many issues with the netgears to deal anymore, not to mention the 30 policy limit on port routing which really hamstrings me... i think they're basically pretty good, and i've had a few of the 318's, on v3 now which is the only one to bother with. i've tried out a watchguard router (x55e) which had bum firmware (for some reason??) and the company is taking too long to issue an rma... so i'm moving to juniper (ssg 5)... tired of playing around with toys. this oughta work very well, a little more money than i wanted to spend, but you can get good deals on ebay... if you're in any way needing a real vpn connection to your servers, for your business or what have you, and the ability to flexibly control pat/nat... i'd consider moving away from netgear. more 2¢.

Posted on
Tue Mar 25, 2008 8:31 pm
yergeyj offline
Posts: 260
Joined: Dec 29, 2004

(No subject)

My understanding of what is implied by application layer vs. transport layer is only cursory.

I do understand that using good VPN software (VPN Tracker seems to have the latest security protocols) all traffic between the two computers is secure, and the remote computer acts as if it were inside the firewall on my home network. This implies to me that someone would need to be able to hack my firewall to be able to hack my VPN connection and get access to my home network computers (not likely). I agree that setting up and routinely using VPN software can be a pain.

What isn't clear to me is whether hacking my SSL connection through GoPrism (it seems that even with well chosen usernames and passwords this is at least possible), allows someone access to my entire network, or would only allow them access to Indigo (not great, but not access to all of my home network computers).

Jim

Posted on
Tue Mar 25, 2008 8:58 pm
matt (support) offline
Site Admin
Posts: 21429
Joined: Jan 27, 2003
Location: Texas

(No subject)

yergeyj wrote:
What isn't clear to me is whether hacking my SSL connection through GoPrism (it seems that even with well chosen usernames and passwords this is at least possible), allows someone access to my entire network, or would only allow them access to Indigo (not great, but not access to all of my home network computers).

The secure tunnel that is created between the Indigo Server and our hosted server is pretty strong, and the tunnel only sends traffic to the specific TCP port used by your IndigoWebServer. This is all done using SSH, which most consider to be a robust and secure tunneling process. Hacking into the IndigoWebServer, if you have chosen a strong password, should be pretty difficult (ex: a strong password is all that protects online access to bank accounts).

That said, the only way to make any computer 100% secure is to lock it in a closet and unplug everything. The goal should be to make it difficult enough to hack into that the expense/time required isn't worth the effort.

Regards,
Matt
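To make the mechanism Matt describes in his two replies concrete (IndigoServer dials out to the hosted server, and that server relays browser connections back into exactly one TCP port at home), here is an added toy reflector that runs entirely on loopback. It is not Indigo's or GoPrism's code: plain TCP stands in for the SSH tunnel (so it adds no encryption), the "web server" is a constructed stand-in that answers one request, and all ports are chosen by the OS at run time.

```python
import socket, threading
HOST = "127.0.0.1"  # the whole demo runs on loopback with OS-chosen ports

def listener():
    """One-connection listener on an OS-chosen loopback port -> (sock, port)."""
    srv = socket.socket()
    srv.bind((HOST, 0)); srv.listen(1)
    return srv, srv.getsockname()[1]

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close dst so its peer sees EOF."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError: pass  # peer already gone; nothing left to copy

def home_side(relay_port, web_port):
    """Indigo host: dial OUT to the relay and splice that link to ONE loopback port."""
    tunnel = socket.create_connection((HOST, relay_port))  # outbound only
    web = socket.create_connection((HOST, web_port))       # the single exposed port
    threading.Thread(target=pump, args=(web, tunnel), daemon=True).start()
    pump(tunnel, web)

def relay_side(home_srv, public_srv):
    """Hosted reflector: accept the home link, then pipe one browser into it."""
    tunnel, _ = home_srv.accept()
    browser, _ = public_srv.accept()
    threading.Thread(target=pump, args=(tunnel, browser), daemon=True).start()
    pump(browser, tunnel)

def web_side(web_srv):
    """Stand-in for the Indigo web server: answers one request and hangs up."""
    conn, _ = web_srv.accept()
    line = conn.recv(4096).split(b"\r\n")[0]
    conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nhome answered: " + line)
    conn.close()

def run_demo():
    """Wire the three parties together; return the bytes a browser gets back."""
    (web_srv, web_port), (home_srv, relay_port), (public_srv, public_port) = (
        listener(), listener(), listener())
    for fn, args in ((web_side, (web_srv,)), (relay_side, (home_srv, public_srv)),
                     (home_side, (relay_port, web_port))):
        threading.Thread(target=fn, args=args, daemon=True).start()
    browser = socket.create_connection((HOST, public_port))
    browser.sendall(b"GET / HTTP/1.0\r\n\r\n")
    reply = b"".join(iter(lambda: browser.recv(4096), b""))
    browser.close()
    return reply
```

Because the home side opens every connection itself, the router never needs an inbound rule, and the relay can only reach the one port the home side chose to splice, which is the difference from a VPN that places the remote machine on the whole LAN.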
