Archive for March, 2011

We have another reader’s VPN question to answer this week.  If you would like to ask us a network security-related question, drop us a line at

VPN Haus,

I guess I’m what you call a road warrior – traveling thousands of miles a year for business, regularly connecting to my company’s network offsite. When I’m working from home or at a client site, I have no connection issues. Where I run into trouble is when I’m connecting from a hotel. Either I’ll find a connection and then lose it, or I’ll be connected, but my VPN access is denied. What’s even more frustrating is when there’s simply no connection at all. Any suggestions?

Confused road warrior

Dear Confused Road Warrior,

First things first: always check with your IT administrators on the configuration of your laptop, and tell the Help Desk what’s going on – they need to log the situation and troubleshoot for you. By way of background, and based on your explanation, it sounds like you’re the victim of overlapping subnets or a restrictive hotel firewall.

An overlapping subnet occurs when you establish a connection from the VPN client to another network with the same private IP address range. When this happens, the IP addresses on the two networks overlap with each other.

You tend to run into this when you’re on the road because the hotel router assigns your machine an address from a private IP range (say 192.168.1) that matches the office’s IP address range. When your VPN client connects, it uses the source IP address it currently has (the home network or your office network), and the gateway you’re connecting to sees this as an internal (local) address. The subnets therefore overlap, and your VPN connection is denied.

[If you’re curious about the technical description of overlapping subnets, we spoke to NCP’s engineering team, Lost Connections? Overlapping Subnets may be your culprit]
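The overlap described above can be checked before connecting. This is an added example, not part of the original post: the function name, the lease, the gateway and the office routes are constructed sample values, and the post's 192.168.1 range is assumed to be a /24.

```python
import ipaddress


def find_overlaps(lease, gateway, office_routes):
    """Report office networks that collide with the local (hotel) network.

    lease:         'address/prefix' assigned by the local router
    gateway:       the local default gateway
    office_routes: CIDR blocks reachable through the VPN tunnel
    """
    iface = ipaddress.ip_interface(lease)
    lan = iface.network
    gw = ipaddress.ip_address(gateway)
    findings = []
    for cidr in office_routes:
        remote = ipaddress.ip_network(cidr)
        if lan.version != remote.version or not lan.overlaps(remote):
            continue
        # Two CIDR blocks that overlap are either equal or nested.
        if lan == remote:
            kind = "identical"
        elif lan.subnet_of(remote):
            kind = "local-inside-office"
        else:
            kind = "office-inside-local"
        findings.append({
            "office_route": str(remote),
            "kind": kind,
            # The VPN gateway would see the client's source as an internal address.
            "client_looks_internal": iface.ip in remote,
            # The hotel router's address also exists on the office side.
            "gateway_ambiguous": gw in remote,
            # Addresses that could mean a host on either network.
            "ambiguous_addresses": min(lan.num_addresses, remote.num_addresses),
        })
    return findings


if __name__ == "__main__":
    # Constructed sample values; 192.168.1 from the post is assumed to be a /24.
    routes = ["192.168.1.0/24", "10.20.0.0/16", "192.168.0.0/16"]
    for finding in find_overlaps("192.168.1.57/24", "192.168.1.1", routes):
        print(finding)
```

An empty list means none of the office routes collides with the local network.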

The other possibility is that the hotel’s firewall is too restrictive and prevents your typical IPsec connection. Your IPsec client usually won’t work in this situation because the encapsulated security payload (ESP) frames are dropped or modified by the router. However, some IPsec clients have features that allow remote access from behind firewalls whose settings block IPsec-based data traffic. If this is a big problem for you, ask your IT manager to set you up with a different IPsec client that can navigate this for you automatically. The right tools are always better than finding workarounds for the wrong tool.

– The VPN Haus Editors

Send us your network security questions at

As part of an ongoing series, VPN Haus is asking average users about their frustrations with remote access. Most people we speak to attest that remote access has offered remarkable flexibility that simply wasn’t possible before. But as remote access has become more ubiquitous, so has confusion and annoyance.

“You can use SSL which is much simpler to manage and more bandwidth friendly. It is also easier on the end user. They don’t need to remember to connect the VPN first,” says Justin Fox, an IT administrator for a small business.

We completely sympathize with Fox’s vexation – but SSL isn’t necessarily a catch-all. SSL is fine for intermittent remote access, but for those who need to connect remotely regularly, SSL is, well, hopelessly underwhelming. So, what’s this newer, faster, better alternative to SSL? IPsec VPN. Yes, you read that right. There’s a new crop of VPN options that are redefining the very idea of “ease of use.”

Case in point, Die Mobiliar*, the oldest private Swiss insurance company, recently updated its VPN solution. Understandably, the company was worried about usability for its end-users – but ultimately, it found a remote access technology with a simple, graphical user interface for end-users and a one-click central management for the IT department. Who says you can’t please everyone?

Readers, what are your thoughts on the new generation of VPN solutions?

*Full disclosure, Die Mobiliar is an NCP customer.

eSecurity Planet, Top 10 Android Security Risks
Financial Express, How to Protect Travel Data
IT World, What Do You Use to Keep Your WiFi Secure?
The Register, Securing the Virtual Desktop
Windows IT Pro, Q: If I’m Implementing DirectAccess in My Organization, Can I Drop My VPN Solution?

The world of remote access is, no doubt, a complicated one. On one hand, we can’t imagine life without it – and on another – it sometimes feels like the bane of every IT administrator’s existence. So, what do end users think of remote access? VPN Haus asked around and got an interesting variety of responses. But no matter the sentiment, it seems people are rarely neutral when it comes to remote access.

Nick Armstrong, a so-called geek superhero, shares the common complaint of elapsed lag times when connecting remotely. He told VPN Haus, “Any time there’s a possibility for lag, I absolutely loathe a remote working environment. Since I work on a Mac, the conversions very rarely work correctly and there’s often a lot of right-click confusion that just shouldn’t be there.”

But here’s where things get complicated. Nick has worked as a software developer and is exceptionally tech savvy, and this know-how makes him informed enough to expect better than slow-downs and headaches when connecting remotely.

“If the user interface isn’t simple, I just don’t want to work on it,” he said.  “Also, I really, really dislike having to turn over my computer’s control to an internal IT person to remotely give me access. [It’s] really frustrating considering my level of tech expertise.”

Nick’s frustrations are, unfortunately, far too common. To get around this issue, Nick says he sometimes bypasses IT-mandated remote access for a more efficient option.

“SSH or secure FTP allow for the secure transfer of files,” he explained. “Skype and other communication platforms use encryption, as does GoToMyPC (the one non-clunky virtual work environment I’ve used). I’d much rather use my own work environment where I can assure productivity rather than be forced into something that ‘meets IT’s standards.’ If my methods are good enough for HIPAA compliance, it should be good enough for a business.”

Nick is an ideal scenario – he’s savvy enough to know to look for secure options when forgoing IT protocols. But the danger comes in when employees who don’t know to look for secure options follow the same path.

What annoys you about remote access? Share your stories with us.

Government Computing News, Telework on the sly: How many feds really work outside the office?
Information Week, Amazon Extends Private Cloud Capabilities
New York Times, Threats to Traveling Data
PC World, Security on a Shoestring Budget