On Letting the IT Department Set Up My Machine

A few months ago, I asked my SFA Manager to get me access to my email from outside the company firewall. He gave me an RSA keyfob and set up two dial-up connections in XP for me to use to connect to the company intranet, so I could check my email from outside the office.

That wasn’t at all sufficient in my mind. I have broadband at home. I purchased a WiFi card with my own money for my laptop. I stay at a Wyndham on purpose (because the broadband connection is free if you’re a ByRequest member). I wanted to have access to the company intranet via broadband without any hassles.

I asked many times if this was possible. Each time I got a slightly different answer, ranging from a ‘no’ at first to a ‘yes, but we have to come to your house to install a firewall’ as the latest answer.

I finally got fed up with excuses and asked my boss for access to my email outside the office via a broadband connection, so that I could check my email while I was at the Wyndham in Atlanta yesterday and today. That was a week ago last Friday. It was still the SFA Manager’s job to get the request processed, but at least now he could do so with some authority.

On Monday of this week, as of 10:00am I didn’t know how to access the company email servers from the Wyndham yet, so I asked the SFA Manager’s immediate supervisor why nothing had been set up for me, or taught to me, yet.

Within 10 minutes, an IT person was in my office with a floppy disk with some VPN software on it, and a printout of instructions on how to log in to the network via VPN.

I let the IT person do their job: installing the software, setting up the basics of the VPN account, and walking me through the process… and when that IT person ran into an error, he said he thought the error was something with the VPN server that he was going to check.

Now, I only had 30 minutes before I had to leave the office to catch a plane, so I didn’t follow up with that person before I left for Atlanta. I assumed everything would ‘just work’ when I got to my destination.

After checking into the hotel later that night, I took a shower, ordered room service, and enjoyed the season finale of “The Practice” before trying to log into the network via VPN over the Wayport connection in my hotel room.

Hmmm…. same error I was seeing at the office.

I called the tech who set up the software on his cell phone (he told me to call anytime).

The tech called his boss and they talked about what the problem might be, and his boss called me. He got my voicemail for some reason, and I didn’t ever touch base with him.

After a few tries at logging in via the ‘default’ setup I was given, I pulled out the instructions and read them.

The tech had set up the VPN access incorrectly. There was no way I was ever going to login using the default connection he’d set up, so I fixed it myself, and all was hunky dory.

The lessons here:

1. IT folks should check everything for the people they support. (If I’d been a less technical person, I doubt I could have figured out the problem.) (If I’d been a more senior manager, I’m sure I could have raised hell about the poor setup that the tech did.)

2. If someone had stolen my computer, they could easily have hacked into the company’s VPN. After breaking my XP password (it’s pretty easy to do, I’m told), they would have found the instructions for logging into our VPN in the side pocket of my computer bag, because that’s where the tech told me to put them, and I’d placed my keys (with the RSA keyfob) into the computer bag for easier traveling through airport security.

3. XP has a built-in firewall option (or at least that’s what it looks like in the ‘Advanced’ tab of a LAN connection). (Not that I pretend to know a damned thing about XP.)

Can anyone shed any light on why a firewall is needed on a computer that has a VPN client running connected to a VPN server?

2 Responses to “On Letting the IT Department Set Up My Machine”

  • When you attach your machine to an intranet via a VPN you also extend the intranet out to your machine. Therefore your machine is now a potential gateway from the Internet into the intranet. A firewall between you and the Internet is in fact a small piece of the firewall around your intranet.

  • Or, phrased differently, some VPN software is (mis)configured such that the public internet can still attack your machine while you’re connected to the VPN — instead of limiting inbound traffic to only VPN traffic. This means that if they successfully broke into your machine through the public net while you were connected, they could hack into the VPN through your machine.
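An added example, not part of the original post or of either reply, that models the situation the two comments describe. It treats the laptop’s firewall as a stateful filter of the kind XP ships with (drop unsolicited inbound packets, let replies to flows the laptop itself opened back in) and runs the same traffic through it twice: once with the host firewall off, once with it enabled on the hotel-network interface. Every address, port and packet is constructed for the example, and the VPN is modelled as PPTP (TCP 1723 for the control channel plus GRE for data), which is an assumption, since the post never says which VPN product the tech installed.

```python
"""Why a laptop on a VPN still needs its own firewall (constructed example).

The host firewall below behaves like a simple stateful personal firewall:
on the interfaces it protects, only replies to flows the laptop opened are
accepted. The same sample traffic is run with the firewall off (the weak
setting) and with it enabled on the public hotel interface (the fix).

Assumptions: the tunnel is PPTP (TCP 1723 control channel plus GRE), and
all addresses, ports and packets are made up for this example.
"""
from dataclasses import dataclass
from typing import Optional

VPN_SERVER = "198.51.100.10"   # constructed: the company's VPN endpoint
LAPTOP_WAN = "192.0.2.77"      # constructed: hotel DHCP address
LAPTOP_TUN = "10.200.0.5"      # constructed: address assigned inside the tunnel
MAIL_SERVER = "10.0.0.25"      # constructed: intranet mail server
ATTACKER = "192.0.2.99"        # constructed: another guest on the hotel network


@dataclass(frozen=True)
class Packet:
    iface: str             # "wan" = hotel network, "tun" = inside the VPN
    proto: str             # "tcp", "udp", "gre"
    src: str
    sport: Optional[int]   # None for port-less protocols such as GRE
    dst: str
    dport: Optional[int]
    note: str              # what this packet represents


class HostFirewall:
    """Stateful filter: on protected interfaces only replies to flows the
    laptop opened get in; unprotected interfaces accept everything."""

    def __init__(self, protected_ifaces):
        self.protected = frozenset(protected_ifaces)
        self._open = set()   # (iface, proto, remote_ip, remote_port)

    def laptop_opened(self, iface, proto, remote_ip, remote_port=None):
        """Record an outbound flow so that its replies are let back in."""
        self._open.add((iface, proto, remote_ip, remote_port))

    def accept(self, pkt: Packet) -> bool:
        if pkt.iface not in self.protected:
            return True
        return (pkt.iface, pkt.proto, pkt.src, pkt.sport) in self._open


def connect_vpn(fw: HostFirewall):
    """Flows the VPN client and the user open after dialling in."""
    fw.laptop_opened("wan", "tcp", VPN_SERVER, 1723)   # PPTP control channel
    fw.laptop_opened("wan", "gre", VPN_SERVER)         # PPTP tunnelled data
    fw.laptop_opened("tun", "tcp", MAIL_SERVER, 143)   # the user's IMAP session


# Constructed traffic arriving at the laptop while the VPN is up.
SAMPLE_TRAFFIC = [
    Packet("wan", "tcp", VPN_SERVER, 1723, LAPTOP_WAN, 50123, "VPN control-channel reply"),
    Packet("wan", "gre", VPN_SERVER, None, LAPTOP_WAN, None, "VPN tunnelled data"),
    Packet("tun", "tcp", MAIL_SERVER, 143, LAPTOP_TUN, 50124, "IMAP reply from intranet mail server"),
    Packet("wan", "tcp", ATTACKER, 40000, LAPTOP_WAN, 445, "hotel guest probing SMB"),
    Packet("wan", "tcp", ATTACKER, 40001, LAPTOP_WAN, 135, "hotel guest probing RPC"),
]


def assess(protected_ifaces):
    """Run the sample traffic through a firewall protecting the given interfaces.

    Returns (decisions, exposed_ports): decisions maps each packet's note to
    whether it was accepted; exposed_ports lists the laptop ports the hotel
    attacker can reach, each one a way into the laptop and, via the tunnel,
    into the intranet.
    """
    fw = HostFirewall(protected_ifaces)
    connect_vpn(fw)
    decisions = {p.note: fw.accept(p) for p in SAMPLE_TRAFFIC}
    exposed_ports = sorted(p.dport for p in SAMPLE_TRAFFIC
                           if p.src == ATTACKER and fw.accept(p))
    return decisions, exposed_ports


if __name__ == "__main__":
    for name, ifaces in (("firewall off", ()), ("firewall on hotel interface", ("wan",))):
        decisions, exposed = assess(ifaces)
        print(f"{name}:")
        for note, ok in decisions.items():
            print(f"  {'ACCEPT' if ok else 'DROP  '} {note}")
        print(f"  laptop ports reachable from the hotel network: {exposed or 'none'}")
```

With the firewall off, the two probes from the other hotel guest reach the laptop even though the VPN is connected, which is exactly the bridge into the intranet the first reply warns about. With the firewall on the hotel interface, only the VPN’s own replies get through from the public network; traffic arriving inside the tunnel is left to the corporate firewall, since it already sits behind it.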
