Any computer geek/network geek in here?

canadianeh

I have been working from home using a laptop issued by my employer and using a soft token RAS to access the work network.

Now they want us to connect an Aruba wireless access point to my modem. Their reason is that it allows a more secure connection.

Do I need to be concerned about my employer “sniffing” my internet traffic? Can they monitor and watch all of my internet activities on all of my personal devices that are connected to the same modem? Any network specialists out there who can chime in?

Here is what the device looks like. I covered the upper portion to hide the serial number and the network equipment tag # on purpose. Thanks

[attached image: photo of the access point]

dvgyfresh

Since it’s a work laptop I’m not sure how much access they can get to your wifi. Obviously they could “hack in”, but I think the amount of effort it would take is high and not worth it; IT guys are usually chill and don’t want to do more work than necessary. They might be able to see the devices connected to the network, but I doubt they could see the details (browser history, turning on the webcam to spy on you, etc.). Honestly nothing is really ever super secure lol, but I think you’re fine.

canadianeh

dvgyfresh said:
> Since it’s a work laptop I’m not sure how much access they can get to your wifi. Obviously they could “hack in”, but I think the amount of effort it would take is high and not worth it; IT guys are usually chill and don’t want to do more work than necessary. They might be able to see the devices connected to the network, but I doubt they could see the details (browser history, turning on the webcam to spy on you, etc.). Honestly nothing is really ever super secure lol, but I think you’re fine.

I am more concerned about the device above, the Aruba wireless access point that they want me to connect directly to my modem.

dzeleski

If you are using a work laptop they already have that capability; if you use a VPN they doubly already have that capability. That laptop most likely has a root CA installed that allows them to decrypt all traffic and analyze what it's doing.

Keep in mind no one is sitting there all day watching what you do. No one has time for that. What the tooling is capable of is detecting malicious software trying to do things it shouldn't, or you constantly going to suspicious websites, and it will notify an admin when it does. Then, and only then, would someone be looking at that collected data.

On the other hand, if it's a small company they may not be doing any of that, or they might. But it's not your hardware, it's theirs, and they need to protect their data and environment.

That being said, I would not be plugging any hardware like that into my network; you can provide the laptop, VPN, etc. My network is my network and there is no reason for them to provide a WAP for this use case. I am assuming this WAP sets up a constant VPN tunnel back to their infrastructure; if that's the case, that's a larger liability than any company should be willing to take. If it's just a properly configured WAP with good security practices pre-set up for you, that's one thing. I would ask why they are asking you to use it over your own networking equipment.

I've been working in IT for 15+ years, FWIW.

dvgyfresh

canadianeh said:
> I am more concerned about the device above, the Aruba wireless access point that they want me to connect directly to my modem.

This won’t give them access to your internet data, unless they somehow could hack the password, if that is what you are worried about. I do think they would be able to see non-private data such as devices connected.

dzeleski

This is the product: https://www.arubanetworks.com/products/wireless/access-points/remote-hospitality-access-points/

Specifically designed for remote deployment and remote management.

This is what it can do: https://www.arubanetworks.com/assets/so/SO_Remote-Access.pdf

I would not be connecting personal devices to this device, only work-issued devices.

canadianeh

The company is a multi-billion financial company in Canada, for your reference.

I will not be connecting my personal devices to this Aruba WAP. They are asking for this device to be connected to my main modem (from my fibre internet service provider).
Can this Aruba WAP device collect data from my main modem?
Or maybe I should get a totally new internet line from a different service provider just for work purposes? Maybe a lot safer?

simecircle

canadianeh said:
> The company is a multi-billion financial company in Canada, for your reference.
>
> I will not be connecting my personal devices to this Aruba WAP. They are asking for this device to be connected to my main modem (from my fibre internet service provider).
> Can this Aruba WAP device collect data from my main modem?
> Or maybe I should get a totally new internet line from a different service provider just for work purposes? Maybe a lot safer?

No, it should create a VPN connection over your router to your work network. The idea is to extend your work experience into the home. Any device you or your family connect to your home router will sit outside of this VPN tunnel and will not be visible to your employers. (Just don’t connect anything other than your work devices to it.)

bblumberg

If you want to be certain that no one is snooping on your WiFi network, where you browse, etc., I'd get one of the many VPN software packages. I like ProtonVPN but there are lots of choices.

dzeleski

canadianeh said:
> The company is a multi-billion financial company in Canada, for your reference.
>
> I will not be connecting my personal devices to this Aruba WAP. They are asking for this device to be connected to my main modem (from my fibre internet service provider).
> Can this Aruba WAP device collect data from my main modem?
> Or maybe I should get a totally new internet line from a different service provider just for work purposes? Maybe a lot safer?

No, it cannot. That's probably excessive; if it's set up as a WAP, just plug it into your existing router/modem and it will act as any other device on the network. I'm shocked such a large company is deploying hardware like this. I assume this company is new to WFH due to COVID?

It could only collect data on devices that are connected to it.

bblumberg said:
> If you want to be certain that no one is snooping on your WiFi network, where you browse, etc., I'd get one of the many VPN software packages. I like ProtonVPN but there are lots of choices.

That's most likely not going to work. VPNs/SSH tunnels that are not company VPNs/SSH tunnels will be detected and blocked.

bblumberg

It works fine on a Cisco AnyConnect VPN connection. I can load ProtonVPN and connect to their servers from within AnyConnect and vice versa (although speed is slower). Dunno about this particular implementation, though.
 

rhostam

If they asked you to place a device between your modem and your personal network equipment, then that would be more of a concern, as they would be the single point of ingress/egress. Never mind snooping (though that would be annoying); what if there are problems with the device that impact network performance, etc.?

Since they are asking you to plug this into your existing network (as a device WAP) it is less concerning.

This reminds me of when Comcast's XFinity Home Security (I was doing an evaluation) wanted me to install their crappy router/WAP first, then my equipment second. Of course, I refused and connected it the other way around.

As others have said, but with a visual (the lines represent a wired OR a wireless connection):

[attached image: network diagram]

dzeleski

bblumberg said:
> It works fine on a Cisco AnyConnect VPN connection. I can load ProtonVPN and connect to their servers from within AnyConnect and vice versa (although speed is slower). Dunno about this particular implementation, though.

It has nothing to do with the product. Your company is using split-tunnel VPNs, which means only the traffic going to services your company hosts is routed over the VPN. A large financial company will not allow split tunnel. All traffic will get routed through the VPN for inspection and proxying, causing any other VPNs to not work.
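The split-tunnel versus full-tunnel distinction dzeleski describes is decided by the routing table the VPN client installs on the laptop, so it can be checked rather than guessed. The following is an added example (mine, not from any poster and not from Aruba, Cisco or Proton) that runs a longest-prefix route lookup over two constructed routing tables. In the split-tunnel table only corporate address space (10.0.0.0/8, an assumption) goes down tun0; in the full-tunnel table the two /1 routes, the same trick OpenVPN's redirect-gateway def1 option uses, shadow the home default route, with a host route for the concentrator so the tunnel's own packets can still leave. The concentrator 203.0.113.10, the third-party VPN server 198.51.100.5 and the interface names are placeholders. It shows why a second VPN client's packets land inside the corporate tunnel on a full-tunnel laptop, where they can be inspected or blocked, and why bblumberg's setup, where ProtonVPN works alongside AnyConnect, behaves like the split-tunnel table.

```python
import ipaddress

# Constructed routing tables, in the shape "ip route" prints on a laptop whose
# VPN client has brought up tun0. Nothing here is taken from a real host or from
# any vendor's client; the addresses are documentation-range placeholders.
HOME_LAN = "192.168.1.0/24"
VPN_CONCENTRATOR = "203.0.113.10"     # assumed corporate VPN endpoint
THIRD_PARTY_VPN = "198.51.100.5"      # assumed server of a personal VPN (e.g. ProtonVPN)

SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),           # default route stays on the home network
    (HOME_LAN, "wlan0"),
    ("10.0.0.0/8", "tun0"),           # only corporate address space goes down the tunnel
]

FULL_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),           # original default, now shadowed by the two /1 routes
    (HOME_LAN, "wlan0"),
    ("0.0.0.0/1", "tun0"),            # 0.0.0.0-127.255.255.255 via the tunnel
    ("128.0.0.0/1", "tun0"),          # 128.0.0.0-255.255.255.255 via the tunnel
    (VPN_CONCENTRATOR + "/32", "wlan0"),  # host route so encrypted packets can reach the concentrator
]


def egress_interface(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def inspected_by_employer(routes, dst, vpn_iface="tun0"):
    """True if packets to dst are carried inside the corporate tunnel."""
    return egress_interface(routes, dst) == vpn_iface


def summarize(routes, dsts):
    """Map each destination to the interface its packets leave on."""
    return {d: egress_interface(routes, d) for d in dsts}


if __name__ == "__main__":
    probes = ["10.20.30.40", "1.1.1.1", "192.168.1.1", VPN_CONCENTRATOR, THIRD_PARTY_VPN]
    print("split:", summarize(SPLIT_TUNNEL, probes))
    print("full: ", summarize(FULL_TUNNEL, probes))
```

Feeding the prefixes from `ip route` (Linux/macOS) or `route print` (Windows) on the work laptop into egress_interface tells you which of the two shapes you have: if every public address resolves to the tunnel interface, the personal VPN's packets are themselves going through the employer's concentrator, which is the condition under which dzeleski expects them to be blocked.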
 

simecircle

dzeleski said:
> It has nothing to do with the product. Your company is using split-tunnel VPNs, which means only the traffic going to services your company hosts is routed over the VPN. A large financial company will not allow split tunnel. All traffic will get routed through the VPN for inspection and proxying, causing any other VPNs to not work.

The point of the Aruba RAP is that it is a remote office solution. It creates an IPsec tunnel back to its controller in the head office to tunnel back, across the existing router and the public network, any traffic from devices connected to it. The SSID that is broadcast by the existing router is not affected and will not be pushed across that network. Why would it? That would be inherently insecure, as it would allow staff-owned devices not adherent to corporate policies access to corporate resources.

The OP will likely only be able to connect corporate-owned or maybe corporate-sanctioned devices (if they have a BYOD/MDM solution, which seems unlikely) to the SSID broadcast by the Aruba RAP (Remote Access Point), as it will use the same authentication process they use to access the corporate SSID in head/branch offices. The existing network and devices will be unaffected.

It isn’t the same as a software VPN which allows split tunnelling on the device (which will allow non-corporate traffic to break out locally), but it isn’t invasive or shocking and is a solution used by many companies globally. I work for a competitor of Aruba and we have a version that plenty of companies take, and I can tell you Aruba sells boatloads. It is particularly popular in the financial market, a sector notoriously conscious of data security.

Wow! A subject on a marine fish forum I have some knowledge on!!
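simecircle's description (the RAP is an IPsec client that carries its own wireless clients' traffic to a controller, and the home SSID is untouched) can be verified from the home router's side rather than taken on trust, which also answers canadianeh's question of whether the box can collect data from the modem: a well-behaved RAP should only ever send DHCP, DNS and NTP to the home gateway and IKE/IPsec NAT-T (UDP 500/4500, or raw ESP) to its controller. The following added example, not from any poster and not from Aruba, audits a constructed set of flow records of the kind a router's connection table or a mirror-port capture would give you. The RAP address 192.168.1.50, the gateway 192.168.1.1 and the controller 203.0.113.20 are assumptions, and the allowed-service sets are my reading of what such a device needs; adjust them to whatever IT says the box talks to. Any flow from the RAP to another RFC 1918 address is flagged as lateral traffic, which is the behaviour the thread is worried about.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "udp", "tcp" or "esp"
    dport: Optional[int]  # None for protocols without ports (ESP)


# RFC 1918 space only. ipaddress.ip_address(x).is_private is deliberately not
# used: it also returns True for the documentation ranges used below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Assumed addresses for the example (adjust to the real LAN).
RAP_IP = "192.168.1.50"
GATEWAY_IP = "192.168.1.1"
CONTROLLER_IPS = {"203.0.113.20"}   # the concentrator the RAP tunnels to; ask IT for the real one

# What a remote AP legitimately needs: basic services from the home gateway and
# the IPsec control/data channel to its controller. Anything else is a finding.
GATEWAY_OK = {("udp", 53), ("udp", 67), ("udp", 123)}          # DNS, DHCP, NTP
CONTROLLER_OK = {("udp", 500), ("udp", 4500), ("esp", None)}   # IKE, NAT-T, raw ESP


def classify_flow(f: Flow, rap_ip=RAP_IP, gateway_ip=GATEWAY_IP,
                  controller_ips=CONTROLLER_IPS) -> str:
    if f.src != rap_ip:
        return "ignored"            # only the RAP's own outbound flows are audited
    key = (f.proto, f.dport)
    if f.dst == gateway_ip and key in GATEWAY_OK:
        return "ok-gateway"
    if f.dst in controller_ips and key in CONTROLLER_OK:
        return "ok-tunnel"
    if is_rfc1918(f.dst):
        return "LATERAL"            # the RAP is talking to something else on the home LAN
    return "UNEXPECTED"             # leaving the house outside the tunnel, or an unknown peer


def audit(flows, **kw) -> dict:
    """Group flows by verdict so the findings can be read at a glance."""
    verdicts = {}
    for f in flows:
        verdicts.setdefault(classify_flow(f, **kw), []).append(f)
    return verdicts


# Constructed sample, not a real capture.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "192.168.1.1", "udp", 67),     # DHCP lease
    Flow("192.168.1.50", "192.168.1.1", "udp", 53),     # DNS lookup of the controller name
    Flow("192.168.1.50", "203.0.113.20", "udp", 500),   # IKE
    Flow("192.168.1.50", "203.0.113.20", "udp", 4500),  # IPsec NAT-T
    Flow("192.168.1.50", "203.0.113.20", "esp", None),  # raw ESP when there is no NAT in the path
    Flow("192.168.1.50", "192.168.1.23", "tcp", 445),   # RAP reaching a home NAS: not OK
    Flow("192.168.1.50", "198.51.100.7", "tcp", 443),   # RAP talking to a host not on the allowed list
    Flow("192.168.1.77", "192.168.1.1", "udp", 53),     # a family laptop; not the RAP's traffic
]

if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_FLOWS).items():
        for f in flows:
            print(f"{verdict:11} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

An UNEXPECTED hit is not proof of anything by itself (a vendor's cloud provisioning service, for instance, would show up there) but it is exactly the flow to ask IT to explain. The structural answer remains the one rhostam drew: keep the RAP as a client of your own router, ideally on a guest or isolated VLAN with client isolation, so that a LATERAL flow cannot exist whatever the firmware does.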
 

Theulli

dzeleski said:
> If you are using a work laptop they already have that capability; if you use a VPN they doubly already have that capability. That laptop most likely has a root CA installed that allows them to decrypt all traffic and analyze what it's doing.
>
> Keep in mind no one is sitting there all day watching what you do. No one has time for that. What the tooling is capable of is detecting malicious software trying to do things it shouldn't, or you constantly going to suspicious websites, and it will notify an admin when it does. Then, and only then, would someone be looking at that collected data.
>
> On the other hand, if it's a small company they may not be doing any of that, or they might. But it's not your hardware, it's theirs, and they need to protect their data and environment.
>
> That being said, I would not be plugging any hardware like that into my network; you can provide the laptop, VPN, etc. My network is my network and there is no reason for them to provide a WAP for this use case. I am assuming this WAP sets up a constant VPN tunnel back to their infrastructure; if that's the case, that's a larger liability than any company should be willing to take. If it's just a properly configured WAP with good security practices pre-set up for you, that's one thing. I would ask why they are asking you to use it over your own networking equipment.
>
> I've been working in IT for 15+ years, FWIW.

This. If a corporation wants to monitor what you are up to, they can do it in much easier ways than sending you a network device. It's pretty standard practice to have security software that periodically sends activity logs, for example.

canadianeh

Theulli said:
> This. If a corporation wants to monitor what you are up to, they can do it in much easier ways than sending you a network device. It's pretty standard practice to have security software that periodically sends activity logs, for example.

I am only doing work stuff on my work laptop. My concern is whether the WAP can spy on my personal devices if I connect the WAP to my main modem. Of course, my personal devices will remain connected to my personal modem and not to the work WAP.

dzeleski

simecircle said:
> The point of the Aruba RAP is that it is a remote office solution. It creates an IPsec tunnel back to its controller in the head office to tunnel back, across the existing router and the public network, any traffic from devices connected to it. The SSID that is broadcast by the existing router is not affected and will not be pushed across that network. Why would it? That would be inherently insecure, as it would allow staff-owned devices not adherent to corporate policies access to corporate resources.
>
> The OP will likely only be able to connect corporate-owned or maybe corporate-sanctioned devices (if they have a BYOD/MDM solution, which seems unlikely) to the SSID broadcast by the Aruba RAP (Remote Access Point), as it will use the same authentication process they use to access the corporate SSID in head/branch offices. The existing network and devices will be unaffected.
>
> It isn’t the same as a software VPN which allows split tunnelling on the device (which will allow non-corporate traffic to break out locally), but it isn’t invasive or shocking and is a solution used by many companies globally. I work for a competitor of Aruba and we have a version that plenty of companies take, and I can tell you Aruba sells boatloads. It is particularly popular in the financial market, a sector notoriously conscious of data security.
>
> Wow! A subject on a marine fish forum I have some knowledge on!!

I understand the point of the product; I'm a CCNP. My point is it's a huge expense to deploy devices like this on top of the software required to manage it. Hence I'm surprised such a large company would be willing to take that liability for security issues, hardware failure, and troubleshooting reasons. It's an overly complicated way to connect to a VPN, probably because their users are trained well enough to WFH.

Software VPNs can disable split tunnel. I've configured many in exactly that way; allowing split tunnel is a decision the admin makes based on the risk a company is willing to take of data leaking.

I work for the largest fintech company in the world; we deploy laptops with software VPNs, software phones, etc. There's no need to deploy a hardware device like this. In fact, many times these RAPs present a larger security vulnerability: now you have a device that is always connected that is broadcasting a breakable connection. These devices have never passed audits at any of the orgs I've ever worked for. They are largely made for companies that don't want to train their users properly, or don't have good enough IT staff to manage other products.

If I wouldn't be happy about a device like this on my network, how can I expect my users to be OK with it?

simecircle

dzeleski said:
> I understand the point of the product; I'm a CCNP. My point is it's a huge expense to deploy devices like this on top of the software required to manage it. Hence I'm surprised such a large company would be willing to take that liability for security issues, hardware failure, and troubleshooting reasons. It's an overly complicated way to connect to a VPN, probably because their users are trained well enough to WFH.
>
> Software VPNs can disable split tunnel. I've configured many in exactly that way; allowing split tunnel is a decision the admin makes based on the risk a company is willing to take of data leaking.
>
> I work for the largest fintech company in the world; we deploy laptops with software VPNs, software phones, etc. There's no need to deploy a hardware device like this. In fact, many times these RAPs present a larger security vulnerability: now you have a device that is always connected that is broadcasting a breakable connection. These devices have never passed audits at any of the orgs I've ever worked for. They are largely made for companies that don't want to train their users properly, or don't have good enough IT staff to manage other products.
>
> If I wouldn't be happy about a device like this on my network, how can I expect my users to be OK with it?

Well, you’re clearly the expert, and the existence of a product such as this and its uptake by a significant number of customers, including the OP’s employers, is certainly not going to dissuade you.

simecircle

canadianeh said:
> I am only doing work stuff on my work laptop. My concern is whether the WAP can spy on my personal devices if I connect the WAP to my main modem. Of course, my personal devices will remain connected to my personal modem and not to the work WAP.

So your options, as you see them, are twofold, if I read you correctly? You could either kick up a fuss with your employers and try to get them to change corporate policy, or you could get yourself a dedicated secondary connection to support personal devices for yourself and your family. I mean, you could see this as a luxury your family might enjoy anyway, but I wouldn't consider it worth the expense myself, unless there are other reasons.

The RAP is a client on your network and I suppose, in theory, your company could corrupt the firmware and subvert its purpose to nefarious ends. I mean, nobody can guarantee you with complete certitude that this is completely impossible. It's why vulnerabilities are discovered and not created, and why all manufacturers release patches. It seems like it would be easier to do it with one of the other devices that they expect you to connect to at home, which are also clients on the same network, but I'm certainly not an expert.

Is it likely that your employers have the motivation, or could justify the resources required to do this, let alone risk the PR nightmare that the inevitable discovery of such activity would create for them and Aruba? I dunno, maybe? Do you have a tin foil hat?

I'm just trying to offer you confidence that, despite what may have been implied elsewhere in this thread, there are many HUGE brands using this technology, increasingly so in the current circumstances. And the growth in this market isn't fuelled by a need for more security or a desire to snoop on employees, but by the far more obvious purpose of creating a more supportable working-from-home solution, where improved user experience will lead to greater productivity from a workforce now spending more of their time in their home offices.

I can understand and support your instinct for self-protection, but I hope this helps you make a decision. As I say, if your kids play Fortnite they might appreciate a second connection. My boy is always moaning on about "lagginess", but I am not sure he fully understands where it comes from.
