Questionable IRS security advice re: VPNs


    In a news release today, the IRS states "All tax professionals who are teleworking should be using an encrypted Virtual Private Network or VPN. A VPN provides a secure, encrypted tunnel to transmit data between a remote user via the internet and the company network."

    This seems misguided at best, if not outright misinformation. For many tax professionals working away from their normal office location, an RDP (remote desktop) is an equally good if not better choice, yet they don't even mention RDP as an alternative.

    There is actually a big difference. Not least of which is software licensing - with a VPN, you must have additional licenses to cover the workstation you have at your location. With RDP, not so (the licensed software is still running on the host computer).

    "Here’s the easiest way to understand the difference:
    • Using a VPN is like putting a mask on that hides your identity by making you look like another server in another location when you browse.
    • More than just a mask, an RDP allows you to become that other server or computer, using its files and apps and desktop space as if you were sitting right in front of it."


    VPN vs RDP; which one is right for you? In this comparison, we'll explore the key differences and find out which option you should pick.
    "You said it, they'll never know the difference. Come on, we'll paint our way out!" - Moe Howard

    #2
    Actually, I am not going to 100% agree with your opinion.

    The way I describe this subject there are two categories of tools generically referred to as a VPN:
    • A Commercial VPN Service: As the name implies, a Commercial VPN Service is generally something contracted with a third-party provider and the purpose is somewhat similar; the user wants to connect to the internet from a public hotspot but not have their activities monitored by observers and spectators. In this sense, the goal is more to keep connection habits private than to connect to an office network. Observers and spectators will not be aware of the banks you use or your email providers.
    • A Local Dedicated VPN: A Local Dedicated VPN is one that is totally under the control of the business and typically is one that is configured as part of your private Local Area Network to allow remote access to a network from a public connection. When used this way, it allows a secure encrypted remote connection, at a conference, at the library, at Starbucks or some other location with access as if the user were connected to the office network. The user will have access to all the peripherals and devices as if they were in the office.
    NordVPN is an example of the former. What the IRS is referring to is the latter. You control the security to your local LAN via a secure VPN server (usually in your router) and, using that, you connect to your local LAN. Then, you would connect to your desktop via its local IP address. In this manner, there are no ports open on the router which need to be directed to the desktop machine. The Remote Desktop Connection is thus secured by the security of your Local Dedicated VPN in addition to its password security.

    I wholeheartedly endorse the IRS suggestion and have suggested this type of remote access in the seminars I have conducted.

    Using a Commercial VPN Service, as you suggest, would not be the way to do this. Using a Local Dedicated VPN adds a level of security that we all should be using to avoid allowing a direct connection to a PC from outside the LAN.

    YMMV
    Doug



      #3
      "Then, you would connect to your desktop via its local IP address."

      Right, that is RDP, not VPN. You are describing running an RDP on top of a VPN connection, but I don't see where that adds any security, since the RDP connection itself is normally going to be encrypted and password protected (hopefully with Multi Factor Authentication). You have to allow an outside connection to the office through the router using either VPN or RDP.

      To re-state what the blog I linked to stated, a VPN makes your computer appear to be on the office network, but your computer still needs to run its own software. An RDP instead allows your computer to behave like it is simply a mouse, keyboard, and monitor connected to your office computer by very long cables. You are remotely operating the office computer running its software, not running tax or accounting software on your own computer as you would be with a VPN.
      Last edited by Rapid Robert; 04-14-2020, 01:12 PM.
      "You said it, they'll never know the difference. Come on, we'll paint our way out!" - Moe Howard



        #4
        Originally posted by Rapid Robert
        "Then, you would connect to your desktop via its local IP address."

        Right, that is RDP, not VPN. You are describing running an RDP on top of a VPN connection, but I don't see where that adds any security, since the RDP connection itself is normally going to be encrypted and password protected (hopefully with Multi Factor Authentication). You have to allow an outside connection to the office through the router using either VPN or RDP.

        To re-state what the blog I linked to stated, a VPN makes your computer appear to be on the office network, but your computer still needs to run its own software. An RDP instead allows your computer to behave like it is simply a mouse, keyboard, and monitor connected to your office computer by very long cables. You are remotely operating the office computer running its software, not running tax or accounting software on your own computer as you would be with a VPN.
        If you want security you should never open a PC to a direct outside connection. If you want to, that is your business. However, the IRS advice is sound. You should control access to your LAN via a Local Dedicated VPN and only allow connections to workstations from other devices within that LAN.

        The way you are using Remote Desktop is to connect through an open router port directly to a PC.

        You are comparing apples and oranges. Neither I nor the IRS is talking about a Commercial VPN Service. Those are not helpful in this scenario. The fact that it is useless in this scenario should tell you that it is not what the IRS is describing. They are talking about setting up your own Virtual Private Network, not paying someone to protect you from others viewing your browsing habits. In fact, I suspect that using such a service may actually arouse suspicions when you e-file since the IP address of that Commercial VPN is sent along with the e-filed data.
        Doug



          #5
          I have no LAN. I use a commercial VPN and I have no problem e-filing through my Ultra Tax software.
          This post is for discussion purposes only and should be verified with other sources before actual use.

          Many times I post additional info on the post, Click on "message board" for updated content.



            #6
            Originally posted by dtlee
            You are comparing apples and oranges. Neither I nor the IRS is talking about a Commercial VPN Service.
            I don't understand why you keep on bringing this distinction into the discussion, neither my comments nor the IRS recommendation had anything to do with "commercial" vs. "local dedicated" VPN. So far, the discussion is analogous to this:

            RR: The IRS recommends poultry, but beef is just as good if not better.
            Dtlee: The IRS recommendation is good, because chicken and turkey are different kinds of poultry, and chicken is nutritious.

            Originally posted by dtlee
            "If you want security you should never open a PC to a direct outside connection".
            What do you mean by "direct"? When I send/receive email, or view a web site, or upload/download a file, isn't that a direct connection to somewhere outside of my local LAN? If it is not "direct", then please tell me which machine the data (email, file, HTML) is stored on between the remote host and my PC? If it is not stored on an intermediate machine, then it is direct by definition. I think you are confusing port numbers with intermediate storage, or NAT (network address translation). Listening for incoming connections on certain ports is going to be required for both VPN and RDP, so how is one any more secure than the other in that regard? There is nothing inherently insecure about listening on TCP/IP ports, every PC does it all the time. It's only a problem if an insecure program is listening on a given port and injudiciously accepting connections. I am assuming that one would use a secure RDP product to avoid this problem.

            Note that VPN does not by itself require or imply encryption. I am assuming that both the VPN and the RDP products use encryption, so that is not an advantage for either one.

            Let's try one more time, if not for dtlee, then for the others:
            • Using a VPN is like taking your computer (at home) and moving it to an empty desk in your business office. Instead of using the network IP address of your home machine, it will appear to use a network address on the business office LAN. Thus, it can access printers and servers at the office. But the machine would still need to be configured with licensed software, etc to be useful.
            • Using RDP is like taking the mouse, keyboard, and monitor from your PC in the business office and extending it to your desk at home. You get the same benefit as with the VPN, but without having to spend extra time configuring your local PC with business software.
            "You said it, they'll never know the difference. Come on, we'll paint our way out!" - Moe Howard



              #7
              For those who want the actual facts, check out these articles:


              "You said it, they'll never know the difference. Come on, we'll paint our way out!" - Moe Howard



                #8
                For anyone who is tired of this thread, read recommendations from real professionals who have taken the same kind of technical training I have had:

                https://www.liveconsulting.com/news/...ktop-protocol/
                https://community.spiceworks.com/top...-risk-over-vpn
                https://www.itprotoday.com/compute-e...dp-without-vpn
                https://www.howtogeek.com/131961/how...-the-internet/

                There are hundreds more I could post. Note the last one offers both the direct connection RapidRobert suggests or using it through a VPN but states: "Setting up a VPN is by far the more secure option when it comes to making Remote Desktop accessible over the internet."
                Rapid, this should not be taken personally, but the way your post classifies my statements is misleading:

                IRS: We recommend you use gravy with your roast beef
                RR: Any Italian will tell you gravy goes on pasta. The roast beef is better without it.
                dtlee: The IRS is talking about a different kind of gravy which enhances the roast beef.

                Specifically, this characteristic: "Using a VPN is like putting a mask on that hides your identity by making you look like another server in another location when you browse." and the NordVPN link you included does nothing to enhance the use of Remote Desktop. This is the issue I addressed in my response.

                A Local Dedicated VPN under your control could actually be used in that same way as you described (i.e., when you are away from your office and want to avoid public monitoring of your browsing activities) but its main purpose is that it would provide a secure connection to your LAN without exposing individual machines (which some of your subsequent posts hint at).

                I was going to post this article a few days ago but thought it is also an ad for one of their products:


                What they recommend is:
                Summary

                It’s enough to use RDP for establishing anonymous access to internet for personal needs. This protocol is secured, so your data won’t be stolen by hackers.

                If you want to get more secured data channel for business needs, you can use RDP over VPN.

                In any case you must use our SOCKS proxy service for spoofing IP address and bypass regional bans, used by your provider. The most convenient software tool for SOCKS is ProxyHelper. You can find all the information about ProxyHelper in FAQ on our website.
                This is not to say that it is wrong to use RDP alone. However, if you have client data on a PC and want it secured, you should never use RDP without first connecting to your network via a secure Local Dedicated VPN.
                Last edited by dtlee; 04-15-2020, 09:54 PM.
                Doug

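Posts #2 and #8 argue that RDP should only be reachable from inside the LAN after a VPN login, never through a port forwarded from the internet. One way to verify that on the office PC is to audit its RDP logon events: if RDP really is only reachable over the VPN, every RDP session (Windows logon type 10) should originate from the VPN client pool or the office LAN, and any other source address shows the desktop is exposed directly. The script below is an added example, not code from any poster or from the IRS; the event export format, the VPN pool 10.8.0.0/24, the LAN 192.168.1.0/24 and all the log lines are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample of a simplified Windows logon-event export
# (event id, logon type, account, source address). Logon type 10 is
# RemoteInteractive, i.e. an RDP session. Every record here is made up.
SAMPLE_EVENTS = """\
4624 LogonType=10 Account=jsmith Source=10.8.0.5
4625 LogonType=10 Account=administrator Source=203.0.113.77
4625 LogonType=10 Account=admin Source=203.0.113.77
4624 LogonType=10 Account=mjones Source=192.168.1.42
4624 LogonType=3 Account=backup Source=192.168.1.10
4625 LogonType=10 Account=Administrator Source=198.51.100.9
"""

# Assumed address ranges: the VPN client pool and the office LAN. When RDP
# is reachable only through the Local Dedicated VPN, these should be the
# sole sources of RDP sessions on the workstation.
TRUSTED_NETS = [ipaddress.ip_network("10.8.0.0/24"),
                ipaddress.ip_network("192.168.1.0/24")]

LINE_RE = re.compile(r"^(\d+) LogonType=(\d+) Account=(\S+) Source=(\S+)$")

def parse_events(text):
    """Parse the constructed export into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        eid, ltype, account, src = m.groups()
        events.append({"id": int(eid), "logon_type": int(ltype),
                       "account": account,
                       "source": ipaddress.ip_address(src)})
    return events

def is_trusted(addr):
    """True if the address lies in the VPN pool or the office LAN."""
    return any(addr in net for net in TRUSTED_NETS)

def audit_rdp_sources(text):
    """Return (sorted untrusted RDP sources, failed RDP logons per source)."""
    untrusted = set()
    failures = {}
    for ev in parse_events(text):
        if ev["logon_type"] != 10:
            continue  # not an RDP session; ignore
        src = str(ev["source"])
        if not is_trusted(ev["source"]):
            untrusted.add(src)  # RDP reached the PC from outside VPN/LAN
        if ev["id"] == 4625:
            failures[src] = failures.get(src, 0) + 1
    return sorted(untrusted), failures

if __name__ == "__main__":
    bad, fails = audit_rdp_sources(SAMPLE_EVENTS)
    print("RDP sessions from outside VPN/LAN:", bad)
    print("Failed RDP logons per source:", fails)
```

On the sample data the two public addresses are flagged, which is the symptom of a router port forwarded straight to the desktop rather than RDP confined behind the VPN.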