Unofficial empeg BBS


#213742 - 20/04/2004 10:38 VPN's
gepme
new poster

Registered: 13/04/2004
Posts: 5
The hotel that I am the building engineer (read that as a euphemism for maintenance) for offers complimentary high-speed internet access in the rooms. The goal is to court business travelers coming to the area. Trouble is, our network does not allow VPN. Tonight alone I had 3 separate incidents where I was called to a room to help a guest who was having trouble with his internet. All 3 needed to establish a VPN with their home office. I had to explain that there was nothing I could do about it, which really pissed them all off. I can't blame them; if I chose a hotel specifically because it offered high-speed internet I'd be pissed if I couldn't do the one thing that I actually needed it for.

This is a recurring problem here, and I've brought it to the general manager 3 times. Each time, she claimed that allowing people to establish VPNs opens up a huge vulnerability in our network. I'm not sure I buy this for two reasons:
one - she hasn't got a clue about anything remotely computer related except MS Word to write her viciously worded memos to employees. I don't know how she determined that this would completely destroy the network's security
two - if this presents such gaping security holes, why is it becoming the preferred way for businesses to connect?

So I ask those people here who know more about networking than I do:
Is this a big issue if we allow guests to establish VPNs? Can this cause major security issues? Or is my GM just being her typical "I've got better things to worry about" self?

#213743 - 20/04/2004 11:05 Re: VPN's [Re: gepme]
pgrzelak
carpal tunnel

Registered: 15/08/2000
Posts: 4859
Loc: New Jersey, USA
This probably should not be a big issue. My guess is that she does not know how to configure the building router to allow transport of the VPN traffic.
_________________________
Paul Grzelak
200GB with 48MB RAM, Illuminated Buttons and Digital Outputs

#213744 - 20/04/2004 11:10 Re: VPN's [Re: gepme]
peter
carpal tunnel

Registered: 13/07/2000
Posts: 4174
Loc: Cambridge, England
can this cause major security issues?
No. Exactly how and where are these VPN connections being blocked? Could it be that your upstream ISP has banned VPN connections on the particular connection-type they sold you (with or without bullshitting your GM as to why)?

Peter

#213745 - 20/04/2004 11:10 Re: VPN's [Re: pgrzelak]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31583
Loc: Seattle, WA
Or maybe it's not so much that the VPN itself would be the security risk, rather, it's the necessary reconfiguration of the router that would cause additional security risks not directly related to the VPN. Depending on the type of router and firewall systems they have in place, it's possible that allowing VPN traffic would require them to disable other protective features.

But if she's just worried about the VPN traffic, the truth is that the company at the other end of the line is at greater risk than the hotel's network.
_________________________
Tony Fabris

#213746 - 20/04/2004 11:39 Re: VPN's [Re: gepme]
genixia
Carpal Tunnel

Registered: 08/02/2002
Posts: 3411
I'm going to take a guess here that the hotel is using NAT which usually breaks VPNs. I doubt very much that the hotel chain has a large enough block of IP addresses to provide one to every user.

That being said, the manager is incompetent. To dismiss the option with that excuse suggests that either she doesn't have the faintest clue what she is talking about, or that the hotel has a real security problem to begin with. The guest network should be on a DMZ, and not combined with the hotel's systems network.

What bugs me is when ssh access is disabled. I stayed at a hotel in Singapore that did this. (Of course this same hotel sold their net access by the day and used windows domain logons and their own web proxy to lock it down to those who had paid. It only worked because most people wouldn't try bypassing the proxy)
_________________________
Mk2a 60GB Blue. Serial 030102962 sig.mp3: File Format not Valid.

#213747 - 20/04/2004 12:56 Re: VPN's [Re: genixia]
bonzi
pooh-bah

Registered: 13/09/1999
Posts: 2401
Loc: Croatia
I'm going to take a guess here that the hotel is using NAT which usually breaks VPNs. I doubt very much that the hotel chain has a large enough block of IP addresses to provide one to every user.
Virtually every SOHO router I used in the last two years supported VPN (PPTP) through NAT out of the box (with telnet, ssh, ftp, X, assorted IMs as well as various Win protocols tunnelling without a hitch). Actually, the only one that didn't was an old Compaq-branded repackaged piece of garbage that was otherwise very flaky, too.
_________________________
Dragi "Bonzi" Raos Q#5196 MkII #080000376, 18GB green MkIIa #040103247, 60GB blue

#213748 - 20/04/2004 12:58 Re: VPN's [Re: gepme]
jmwking
old hand

Registered: 27/02/2003
Posts: 770
Loc: Washington, DC metro
So I ask those people here who know more about networking than I do:
Is this a big issue if we allow guests to establish VPNs? Can this cause major security issues? Or is my GM just being her typical "I've got better things to worry about" self?


Since no one else will, I'll play the role of Paranoid Computer Guy...

Your complimentary room network connections probably don't have any internal protection between computers set up on the local network (which would have been the easy/lazy/default way to do it). This allows computers behind the firewall to communicate with each other (and would be especially dangerous if your hotel network shares the same local network). Allowing a VPN connection would bypass any stateful scanning firewall or proxy server, and would allow dangerous files behind the firewall, and thus give them access to any other machines on the same local network. Of course, people can also bring dangerous files in with them on their hard drive - see the Welchia worm.

If everyone, or at least all guests, share a common network segment with full IP connectivity between machines, I can fully understand the manager's reluctance to allow VPNs. A better solution is to make sure (through VLANs, perhaps) guest computers are isolated from each other and from the hotel machines, so you could give them access to anything they wanted without fear of liability.

-jk

#213749 - 20/04/2004 13:54 Re: VPN's [Re: jmwking]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
But, as you say, VPNs are just one of many ways that a computer on that network could get something nasty to distribute. Do you think that hotels have realtime virus scanning of their network data? I don't, but I could be wrong.
_________________________
Bitt Faulk

#213750 - 20/04/2004 14:58 Re: VPN's [Re: wfaulk]
jmwking
old hand

Registered: 27/02/2003
Posts: 770
Loc: Washington, DC metro
Do you think that hotels have realtime virus scanning of their network data? I don't, but I could be wrong.
I know that many of the hotels we've worked with have stateful inspection at the firewall as well as isolating customers. We have to work closely with them to set up a vlan on premises when we need one, and their tech people are frequently not very well trained.

I must add that the hotels we use are mostly geared towards the business traveler and meeting industry, so I don't know how this applies to other properties.

-jk

#213751 - 20/04/2004 15:06 Re: VPN's [Re: bonzi]
genixia
Carpal Tunnel

Registered: 08/02/2002
Posts: 3411
Virtually every SOHO router I used in last two years supported VPN (PPTP) through NAT out of the box

Sorry, but I consider PPTP to be a VN, not a VPN.
_________________________
Mk2a 60GB Blue. Serial 030102962 sig.mp3: File Format not Valid.

#213752 - 20/04/2004 15:07 Re: VPN's [Re: genixia]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Does IPSec still not work through NAT? I haven't kept track.
_________________________
Bitt Faulk

#213753 - 20/04/2004 15:36 Re: VPN's [Re: wfaulk]
genixia
Carpal Tunnel

Registered: 08/02/2002
Posts: 3411
Does IPSec still not work through NAT? I haven't kept track

Cisco can. Not sure about others though.
_________________________
Mk2a 60GB Blue. Serial 030102962 sig.mp3: File Format not Valid.

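Added example, not part of the thread or of any poster's code: the reason IPsec historically "did not work through NAT" is that ESP carries no port numbers, so a port-translating NAT has nothing to rewrite and nothing to demultiplex replies on. The fix both ends have to support is NAT traversal: the IKE peers detect the NAT and then wrap ESP in UDP on port 4500. The block below implements the detection step as IKEv2 specifies it (RFC 7296, section 2.23), with each side hashing the SPIs, IP address and port it believes are in use and the receiver recomputing the hashes from what actually arrived on the wire. All addresses, ports and SPIs are constructed values; the hotel NAT, the guest and the gateway are hypothetical.

```python
"""Added example: IKEv2 NAT detection (RFC 7296 s.2.23).  A mismatch between the
hash a peer sent and the hash recomputed from the packet's real source means a
NAT rewrote the address or port, so ESP must be UDP-encapsulated on port 4500.
All addresses and SPIs are constructed for illustration."""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr (in header order) | IP address | 16-bit port."""
    return hashlib.sha1(
        spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    ).digest()


def build_notifies(spi_i, spi_r, own_ip, own_port, peer_ip, peer_port):
    """The two notifications a peer puts into IKE_SA_INIT, computed from the
    addresses it believes are in use: its own, and the one it is sending to."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, own_ip, own_port),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, peer_ip, peer_port),
    }


def check_notifies(spi_i, spi_r, notifies, wire_src_ip, wire_src_port, own_ip, own_port):
    """Receiver recomputes both hashes from what it actually sees on the wire.

    Returns (sender_behind_nat, receiver_behind_nat)."""
    sender_nat = notifies["NAT_DETECTION_SOURCE_IP"] != nat_detection_hash(
        spi_i, spi_r, wire_src_ip, wire_src_port)
    receiver_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != nat_detection_hash(
        spi_i, spi_r, own_ip, own_port)
    return sender_nat, receiver_nat


def simulate(guest_ip, hotel_public_ip, nat_port, gateway_public_ip, gateway_private_ip=None):
    """First IKE_SA_INIT from a hotel guest to a corporate VPN gateway.

    hotel_public_ip / nat_port: what the hotel NAT rewrites the guest's source to
        (pass None for both if the guest has a public address and no NAT in the way).
    gateway_private_ip: set if the gateway itself sits behind a NAT and knows itself
        by a different address than the one the guest dials."""
    spi_i = bytes.fromhex("1122334455667788")   # constructed initiator SPI
    spi_r = bytes(8)                            # responder SPI is zero in message 1
    sent = build_notifies(spi_i, spi_r, guest_ip, 500, gateway_public_ip, 500)
    wire_src = (hotel_public_ip, nat_port) if hotel_public_ip else (guest_ip, 500)
    gateway_view = gateway_private_ip or gateway_public_ip
    guest_nat, gateway_nat = check_notifies(spi_i, spi_r, sent, *wire_src, gateway_view, 500)
    return {
        "initiator_behind_nat": guest_nat,
        "responder_behind_nat": gateway_nat,
        # Either side behind a NAT: switch ESP to UDP encapsulation on port 4500.
        "use_udp_encapsulation": guest_nat or gateway_nat,
    }


if __name__ == "__main__":
    print(simulate("10.50.3.17", "203.0.113.9", 41523, "198.51.100.20"))
```

The practical consequence for a guest network: outbound UDP 500 and 4500 must be permitted and their replies tracked, and both the guest's client and the corporate gateway must support NAT-T (RFC 3947/3948 for IKEv1, built into IKEv2). Without NAT-T the NAT box needs an IPsec "passthrough" helper that tracks ESP by SPI, and such helpers generally cope with only a single client per public address.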
#213754 - 20/04/2004 15:56 Re: VPN's [Re: genixia]
bonzi
pooh-bah

Registered: 13/09/1999
Posts: 2401
Loc: Croatia
Sorry, but I consider PPTP to be a VN, not a VPN.
It might very well be so, but I bet that 19 out of 20 of those guests want to connect to their corporate networks using whatever 'Connection Wizard' on their Windows offers them, whether we call it private or not.

(BTW, your comment prompted me to look a bit around. According to this paper by Bruce Schneier of Counterpane, the one vulnerability left in the second iteration of MS PPTP is the fact that all keys are still derived from potentially weak password, making the whole affair vulnerable to brute-force offline password-guessing attack. Sigh, I remember when crypt() hash was considered adequate protection of passwords on Unix.... )
_________________________
Dragi "Bonzi" Raos Q#5196 MkII #080000376, 18GB green MkIIa #040103247, 60GB blue

#213755 - 21/04/2004 05:55 Re: VPN's [Re: gepme]
muzza
Pooh-Bah

Registered: 21/07/1999
Posts: 1765
Loc: Brisbane, Queensland, Australi...
Knowing what type of router you have would be of great benefit.

Probably the only thing which will change her mind is a sound business case & consultation with experts. Unless it's threatening your job security, and it might be the way things are going, it may not be your problem.
The hotel must have some familiarity with your ISP so you might be able to get them to help as the experts.

I've helped many clients set up and maintain a VPN through various devices but I unfortunately don't have much experience in the administration/security departments for them. I wouldn't have thought that a VPN would be a threat to your network any more than allowing clients to connect to it for internet access, other than the configuration of a few ports on the router.
Presumably you have all the common file sharing ports turned off and only allow traffic between the rooms and the internet not between rooms.

I'm sure if you were able to get more information we could help you develop this idea, if you wanted.
_________________________
-- Murray I What part of 'no' don't you understand? Is it the 'N', or the 'Zero'?

#213756 - 21/04/2004 08:28 Re: VPN's [Re: muzza]
jmwking
old hand

Registered: 27/02/2003
Posts: 770
Loc: Washington, DC metro
I wouldn't have thought that a VPN would be a threat to your network any more than allowing clients to connect to it for internet access, other than the configuration of a few ports on the router.
If you have a stateful firewall and proxy server, general internet connections are screened before traffic enters the protected LAN. If you allow VPN tunnels, harmful traffic can come into the LAN without being screened.

Before allowing VPN tunnels (or any encrypted, hence unscreened, tunnel), guest computers should be isolated from each other so that harmful content is isolated to the individual's computer. And when that guest's computer gets hosed through his tunnel, it's not the hotel's problem!

-jk

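Added example, not from the thread or any poster: a small model of the edge policy jmwking argues for in this post and in his earlier one, namely guests isolated from each other and from the hotel's own systems, stateful handling so that only replies to guest-initiated flows come back in from the Internet, and the VPN protocols (IKE on UDP 500/4500, ESP, PPTP's GRE) passed as ordinary outbound flows because the tunnel's contents cannot be inspected anyway. The address plan, zone names and packets are constructed; this is a Python model of the decision logic, not a real firewall ruleset, and in a real deployment guest-to-guest isolation on the same VLAN has to be enforced at the switch (port isolation or private VLANs), since that traffic never reaches a router.

```python
"""Added example: zone isolation plus connection tracking at a hotel edge.
Addresses, zones and packets are constructed for illustration."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
TCP, UDP, GRE, ESP = 6, 17, 47, 50

# Constructed address plan: one VLAN for guest rooms, one for the hotel's own
# systems (front desk, office PCs); anything outside both counts as the Internet.
ZONES = {
    "guest": ipaddress.ip_network("10.50.0.0/16"),
    "hotel": ipaddress.ip_network("10.1.0.0/16"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


class EdgeFirewall:
    """isolate_guests=False reproduces the flat 'default' network the post warns
    about, where every guest can reach every other guest."""

    def __init__(self, isolate_guests: bool = True):
        self.isolate_guests = isolate_guests
        self.conntrack = set()   # keys of flows initiated from inside

    @staticmethod
    def flow_key(p: Packet):
        # GRE and ESP carry no port numbers (GRE call IDs and ESP SPIs differ per
        # direction), so they are tracked on addresses and protocol only.
        if p.proto in (GRE, ESP):
            return (p.proto, p.src, p.dst)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @classmethod
    def reply_key(cls, p: Packet):
        # The key the original outbound packet would have produced.
        return cls.flow_key(Packet(p.proto, p.dst, p.dport, p.src, p.sport))

    def decide(self, p: Packet) -> str:
        src, dst = zone_of(p.src), zone_of(p.dst)
        if src == "internet":
            # Unsolicited inbound is dropped; only replies to tracked flows pass.
            return "accept" if self.reply_key(p) in self.conntrack else "drop"
        if dst == "internet":
            # Outbound from either inside zone, any protocol: record and allow.
            # This is what lets IKE/ESP and PPTP/GRE through without special cases.
            self.conntrack.add(self.flow_key(p))
            return "accept"
        # Both ends are inside the building.
        if src == "guest" and dst == "guest" and not self.isolate_guests:
            return "accept"
        return "drop"   # guest<->guest, guest<->hotel: never


if __name__ == "__main__":
    fw = EdgeFirewall()
    for pkt in [
        Packet(UDP, "10.50.3.17", 500, "198.51.100.20", 500),    # IKE out
        Packet(UDP, "198.51.100.20", 500, "10.50.3.17", 500),    # IKE reply
        Packet(TCP, "203.0.113.5", 4444, "10.50.3.17", 135),     # unsolicited scan
        Packet(TCP, "10.50.3.17", 1025, "10.50.7.2", 445),       # guest to guest
        Packet(TCP, "10.50.3.17", 1025, "10.1.0.10", 445),       # guest to hotel
    ]:
        print(pkt, "->", fw.decide(pkt))
```

The model makes jmwking's point concrete: once guests can only talk to the Internet, whatever comes down a guest's tunnel can reach only that guest's own machine, and the hotel no longer has to care what the encrypted traffic contains.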
#213757 - 21/04/2004 09:41 Re: VPN's [Re: jmwking]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31583
Loc: Seattle, WA
One thing that this discussion has made me realize...

If I ever bring a laptop to a hotel with ethernet, I'm bringing a NAT router/firewall box along too, to isolate me from the rest of that LAN.
_________________________
Tony Fabris

#213758 - 21/04/2004 10:02 Re: VPN's [Re: tfabris]
jmwking
old hand

Registered: 27/02/2003
Posts: 770
Loc: Washington, DC metro
If I ever bring a laptop to a hotel with ethernet, I'm bringing a NAT router/firewall box along too, to isolate me from the rest of that LAN.
You're probably fine with Zone Alarm and a current AV program. I already haul way too much stuff around when I travel.

Of course, if everyone used Zone Alarm and a current AV program (or if Microsoft built a decent OS), we wouldn't need this discussion.

-jk

#213759 - 21/04/2004 10:20 Re: VPN's [Re: jmwking]
g_attrill
old hand

Registered: 14/04/2002
Posts: 1172
Loc: Hants, UK
Of course, if everyone used Zone Alarm and a current AV program (or if Microsoft built a decent OS), we wouldn't need this discussion.

People who used BlackIce thought they were safe....

Gareth

#213760 - 21/04/2004 10:31 Re: VPN's [Re: g_attrill]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31583
Loc: Seattle, WA
People who used BlackIce thought they were safe
Please clarify which specific BlackIce exploit you're talking about. I know of two past ones that have long since been patched. Are there recent ones that I don't know about?

Reason I ask is that we depend on BlackIce for two of our web servers and I like to keep up to date.
_________________________
Tony Fabris

#213761 - 22/04/2004 08:30 Re: VPN's [Re: tfabris]
g_attrill
old hand

Registered: 14/04/2002
Posts: 1172
Loc: Hants, UK
The ICQ parsing exploit for BlackICE and RealSecure products used by the Witty worm, which I presume you survived! I don't use it but it was a pretty scary worm.

http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html

Gareth

#213762 - 22/04/2004 10:24 Re: VPN's [Re: g_attrill]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31583
Loc: Seattle, WA
Ah, thanks. Yup, the ICQ thing with the witty worm was the second of the two exploits I knew about.

I researched it and discovered that the only way to get infected is if you're actually communicating with ICQ traffic via that port, and BlackIce is using its ICQ-specific filter to scan the contents of that traffic. Since the ICQ ports are locked out on the servers in question and there is no ICQ traffic getting in or out, we were never at risk even when unpatched.

It did give me a moment's panic when I first read about it, though.
_________________________
Tony Fabris
