retiredpilot

Airvpn and INTRAnet security


Just checking to be safe and give due consideration.  I have a laptop configured as described in the thread here about Comodo global rules, etc....    The machine works great and never shows/has any DNS leaks.  That configuration also protects against a dropped VPN connection regardless of why any drops would ever happen.  So far it has never dropped me and my ISP is very reliable.  I am very comfortable while sitting at home using WPA2 and a solid password.

 

Here is what I wanted to have some of you help me consider.  Now I move to a coffee shop with open wifi using the same machine.  Once logged in via Airvpn I know my internet payloads are encrypted/tunneled so I have no concerns except from the exit node out.  That is nothing new for any of us.

 

What about INTRAnet concerns?  Say a "bad actor" is sitting in the coffee shop so that he is on the same open wifi network as me.  I know he can't read my encrypted payloads, BUT do the Comodo global rules I set (from the thread here) keep all players from pounding away on my machine via the INTRAnet?  Just to be clear, I know my activities are masked via the tunnel.  What about the machine itself, since we are on the same wireless AP?  What vulnerabilities exist, since in a sense this would be like an intranet connection between my machine and a potential "bad actor"?

 

My network connection type is set to public network and I selected all the settings I know of to make the machine NOT visible to others even on the same network.  What else should I do?  It's rare to be at a coffee shop but it will happen at times.

 

I hope this makes sense.  I am just thinking about vulnerabilities and wanting to make sure I consider such things.


Hello!

As a first and strong defense, when you are in a coffee shop modify the Comodo global rules to drop packets from any IP address inside the network, except to/from the gateway. Our guide for Windows and Comodo is specifically designed to ALLOW communications within the local network, because it is intended for home and office users.

Kind regards
 


Staff,

 

That is a great idea.  Can you provide us with an example of the global rule(s) to accomplish this?

 

Many here use coffee shops so understanding this approach is important for many not just me.

 

If we use several coffee shops (say 3-10) perhaps a Comodo "coffee shop" network zone could be created and specific IP addresses added like we did with the AirEntry IPs.  I used your Air Entry network zone approach, making it super easy to add all 38 servers so I can use any without issue.  Works great.

 

I envision a "coffee shop" network zone global rule at the very top of the rules list.  That zone would contain the IP addresses of the coffee shops used.  In this way the first rule would block packets of those specific IPs defined in your coffee shop network zone.  Would this approach cause issues for the other general rules in your well thought out Comodo thread?  Since ONLY those IPs in the coffee shop network zone would use the new rules, the other rules should be unaffected during non-coffee shop use.  Right?

 

 

*** Based upon creating and then using a "coffee shop" network zone approach, can you provide the ruleset we would use to utilize such an approach?  The additional zone would make it so that I would simply identify the IP at a new coffee shop and add that network IP address in Comodo, which would only take a couple of seconds.***

 

Thank you for what you do helping us around here.


Hello!

The crucial rules are:
Allow TCP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Any
Allow UDP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Not 53
Allow ICMP In/Out From In [Home Network] To In [Home Network] Where ICMP Message Is Any

They allow communications between everything defined inside [Home Network] Network Zone.

So when you are in the described situation, modify the [Home Network] Network Zone. Normally it is defined as a wide IP range, for example 192.168.0.0-->192.168.255.255

Once you are connected to the WiFi hot-spot of the coffee shop etc., detect the IP address of the router/hot-spot. Open a command prompt and type the command "ipconfig". Read the values of your physical WiFi network card ("LAN Wireless" or something similar): "IPv4 address" and "Default Gateway".

Let's say, just for example, that they are respectively 192.168.0.155 and 192.168.0.1. It means that your computer is 192.168.0.155 in the network, and the default gateway (the coffee-shop router or hot-spot, for example) is 192.168.0.1. Now you want to allow communications ONLY between your computer and that gateway, so in the [Home Network] Network Zone just put those 2 IP addresses (instead of an IP range). Save the changes and you're ready to connect to an Air server.

 

Kind regards
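As an added example (not part of the original thread or of AirVPN's Comodo guide), the script below parses a constructed sample of "ipconfig" output, builds the narrowed [Home Network] zone from the IPv4 address and Default Gateway of the wireless adapter, and checks which local packets the three zone-to-zone Allow rules would still pass compared with the original wide range. The adapter name and addresses are assumptions matching the example above.

```python
import ipaddress
import re

# Constructed sample of "ipconfig" output (not a real capture).
SAMPLE_IPCONFIG = """
Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.0.155
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
"""

# The wide [Home Network] zone from the guide (192.168.0.0 --> 192.168.255.255).
WIDE_HOME_NETWORK = ipaddress.ip_network("192.168.0.0/16")


def wifi_host_and_gateway(ipconfig_text):
    """Return (IPv4 address, default gateway) read from the wireless adapter block."""
    block = None
    # Adapter blocks start at column 0; their settings lines are indented.
    for section in re.split(r"\n(?=\S)", ipconfig_text):
        if section.lower().startswith("wireless lan adapter"):
            block = section
            break
    if block is None:
        raise ValueError("no wireless adapter block found")
    addr = re.search(r"IPv4 Address[ .]*: (\S+)", block).group(1)
    gw = re.search(r"Default Gateway[ .]*: (\S+)", block).group(1)
    return addr, gw


def narrowed_home_network(ipconfig_text):
    """The coffee-shop [Home Network] zone: only our own address and the gateway."""
    addr, gw = wifi_host_and_gateway(ipconfig_text)
    return {ipaddress.ip_address(addr), ipaddress.ip_address(gw)}


def allowed_by_zone_rules(zone, src, dst):
    """Model the 'Allow ... From In [Home Network] To In [Home Network]' rules:
    a packet passes only when both endpoints are inside the zone."""
    return ipaddress.ip_address(src) in zone and ipaddress.ip_address(dst) in zone
```

With the narrowed zone, a peer on the same hot-spot (say 192.168.0.77) no longer matches the Allow rules and falls through to the block rules below them, while traffic to the gateway still passes.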


Thanks.

 

That was easy to configure and test out!!

 

I just did as you suggested on my personal network and it works flawlessly.   Very simple.  I tried to test print using my wireless printer and the printer cannot be found by locking down the machine to strictly the gateway IP.  Nice!!

 

I sort of like this extra isolation/protection.  I may decide to use this all the time.  I would only need to add the printer IP to the home network zone IPs so I could print as well.  In my case there is NO reason for this machine to be "talking with" or "listening to" the wireless TVs, satellite receivers, and other computers on the network.

 

The risk of an "in network attack" is small in my case.  This little change adds another layer of isolation, which spells security in my book!!

 

 

Quickly changing the IPs when at a coffee shop will now be easy, as will changes if I visit another network anywhere.  Simple and safe.

 

Thanks again for your support.
