Security of servers

[alibaba999xxx1 0]

There are multiple vectors when talking about server security (location, adequate setup, physical security etc, etc), but namely I'm interested if I'm connected to an AirVPN server, there is some firewall solution in place from the server side, right?

 

* Each server is behind a firewall?, what kind of a solution is it, what rules are in place, how it will harden the protocol?

 

* Users can open up a port in Client Area on your website, does it mean each user can modify the firewall rules according to his wishes (how does it technically work - I open up a port, firewall rules are modified accordingly to me individually?)

 

* Do I share my IP with other users within a server? How are we securely separated in this case?

 

I'd be very grateful for the answers, in general I'm concerned if I'd have to put some concrete firewall rules in place within my PC too or the servers' firewall rules will do the job.

[LZ1 672]

Hello!

 

You should always try your best to secure your own PC, since if your PC is compromised, Air can't help you. Air also doesn't attempt to secure people's PCs as such either, so even if they had all the bells and whistles (and I have no reason to think they don't), they focus on securing your connection. But there's so many ways to mess up: pre-installed bloatware, hardware issues, browser weaknesses and silly behavior on the users part .

 

Air does use shared IPs, a long with separate entry and exit IPs (to guard against timing attacks I believe).

 

I don't know what software/hardware Air uses, but according to all that I've read, they're quite meticulous when it comes to choosing server location & handling security.

 

If you do use a firewall yourself though, just make sure that:

 

AirVPN, openvpn.exe and pings to Airs servers aren't blocked :]. We have some excellent pfSense guides around here which you should perhaps look into.

[alibaba999xxx1 0]

Thank you LZ1 for your input, though it does not answer to my question; obviously users should do all possible to secure their PCs according to their risk analysis etc, but I'm interested about the security of servers.

 

To elaborate by using an example (VPN providers often advertise their product so that using VPN secures users' data when connected to an open wireless network).

 

Example 1. I am connected to an open (let's say hotel's) WIFI with a bunch of other users. Very bad situation indeed, potentially my communications could be eavesdropped.

 

Example 2. I am connected to an AirVPN server using the same hotel's open WIFI. I am connected with some other users to AirVPN and shared IP is used.

 

On the second case my connection to server is encrypted yes, but server-side security is also extremely important (to where am I connected to). That's why my question about the firewalling and possibly about other technologies used to harden the server and protect VPN users more thoroughly.

[zhang888 1066]

OpenVPN is a good example of software that is secure by default. In order to make it less secure, one has to

add explicit directives that will allow certain insecure behaviour.

 

Client to client traffic is prohibited on the server, but can be possible with OpenVPN by adding the "client-to-client"

directive on the server config file. This is a useful feature for private and corporate VPNs, but not for a public VPN

service where users have no reasons to exchange in-tunnel traffic.

[LZ1 672]

Indeed it doesn't, but it's just to remind everyone that Air can't secure ones PC . The last line of your OP also made me wonder if this was unclear to you or not, simply. Air takes security super seriously though - this they've proven in their lightning fast responses, to anything security related. I don't know their hardware setup, but perhaps you could submit a support ticket if you don't get satisfactory answers here. Regardless of the features in place however, trust in the provider is still paramount, as they could easily alter any configuration they made known to you, were they malicious in some manner; provided you don't take other measures to enact partition of trust.

[me.moo@posteo.me 80]

As far as I know there is no what you might call traditional PC style firewall software used for your connection to the outside world. It is a good question though; I think this is a gray area for many

 

Sent from my SM-G900F using Tapatalk

[alibaba999xxx1 0]

 

I think many users are obsessed about whether the VPN provider keeps logs, gives any information to authorities on request etc, but one major question is overlooked and it’s very surprising: when I connect to a VPN, to where am I connecting actually → what’s the network infrastructure like, are dedicated people working on the server (network) side, which hardening steps (if any) have been taken.

 

Some providers claim they put their servers behind a corporate class firewall (better than nothing), but I assume in case of several other providers there are critical errors with their whole infrastructure. I’m talking about providers in general, not about Air, but would like to get some basic knowledge of course if Air’s setup is secure enough even on the most basic level.

[serenacat 83]

It would also be interesting to follow around the people transferring cash from banks to armored cars and ask them questions about how the security mechanisms and procedures work, as general public interest, and for deciding which bank to use.  But perhaps better not to, even if drunk.

As an ex software guy, and just a customer of airvpn, I would think that it is about secure hosting of just an openvpn endpoint for a certain load of users, and necessary admin. So aim for a minimal "attack surface" by just an OS kernel (SELinux?) and IP stack, possibly up to ssh and sh for admin, and some diagnostics and config and security utilities and libraries. All open source and multiple possible compilers. Openvpn also runs on high end routers, so not just in a mainstream box of OS possibilities. Much simpler than a typical commercial website, so easier to secure. But I am not an expert.

Most of the well known VPN providers seem to use "reputable" hosting services in "reputable" nations, so in something like the rule of law we trust, to an extent. But I could imagine also a "darknet" scene where the servers are in "difficult" nations such as Pakistan, Russia, Ukraine, ... in hidden locations with armed gunmen keeping watch. I find it amusing to use VPN servers in Hong Kong China, which is vaguely Bruce Lee vs John Wayne territory.