Connect to LuxSci Even More Securely: Use our VPN
The use of SSL and TLS provides a very high degree of security for access to LuxSci’s and other providers’ services. This is especially true for WebMail with LuxSci’s use of an Extended Validation SSL Certificate that turns your browser bar green and helps ensure that you know that you are talking with us and not some malicious site.
However, for the very security- and/or privacy-conscious and those with compliance requirements (like HIPAA), using VPN access in addition to SSL and TLS can significantly improve security.
How is VPN Access+SSL better than just SSL?
VPN Access to the LuxSci services in your premium environment creates a secured tunnel (using IPSec) in which all traffic travelling from your computer to LuxSci’s servers is encrypted in transit … no matter what kind of traffic it is or what protocol it is for. This means:
- All traffic to/from all ports and services is encrypted by the VPN
- If you use SSL or TLS, then you have 2 layers of encryption … the SSL and TLS inside the IPSec VPN.
With this in mind, here are a number of ways that VPN Access can improve security and privacy:
No Eavesdropping or Man-in-the-Middle on your SSL connections
With SSL it is possible for your connections to be eavesdropped on if:
- Administrative Monitoring: Your administrator has set up software or hardware to monitor your SSL-encrypted network traffic and has installed an SSL certificate or certificate authority on your computer so that their “man in the middle” scanner appears trusted and does not generate SSL warnings. If this is happening you can only tell by examining the SSL certificate, and sometimes even that is subtle. In these cases, your administrator or network can examine all of your communications, including passwords, usernames and other private data.
- Malicious Monitoring: If a malicious party is trying to scan your SSL connections in a similar way, you may get an SSL warning about an untrusted SSL certificate. However, if you inadvertently “proceed” or if your users are non-technical and “proceed anyway not knowing better” then the identity protection feature of SSL is ignored and your connection is completely open to the malicious party. Similarly, if the connection appears trusted but no longer has the green “Lux Scientiae, Incorporated” address bar, you might fail to notice that you are no longer connected directly to LuxSci, but to some unknown intermediate party.
By using VPN Access, your successful VPN connection ensures that you are connected directly and securely to LuxSci’s infrastructure. Any traffic passing through this VPN connection is then immune to monitoring of this kind. That is, you are protected from active administrative snooping and from lack of vigilance or user inexperience. Eliminating user error as a source of insecurity is always a good thing!
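The certificate examination mentioned under Administrative Monitoring can be done programmatically. The following is an added example, not LuxSci code: it compares the certificate a server presents with a fingerprint and issuer recorded earlier on a trusted network, since a locally installed inspection CA makes normal validation pass. The function names, issuer names and sample bytes are constructed for illustration.

```python
import hashlib
import socket
import ssl


def rdn_value(name, field):
    """Return the first value of `field` in a getpeercert()-style name, or None."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return None


def assess_certificate(der_bytes, cert_info, pinned_sha256, expected_issuer_org):
    """Compare the presented leaf certificate with values recorded out of band."""
    findings = []
    fingerprint = hashlib.sha256(der_bytes).hexdigest()
    if fingerprint != pinned_sha256.lower().replace(":", ""):
        findings.append("fingerprint mismatch: " + fingerprint)
    issuer_org = rdn_value(cert_info.get("issuer", ()), "organizationName")
    if issuer_org != expected_issuer_org:
        findings.append("unexpected issuer: %r" % (issuer_org,))
    return findings


def fetch_certificate(host, port=443, timeout=5.0):
    """Return (DER bytes, parsed dict) for the leaf certificate the host presents."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


# Constructed sample data: stand-in bytes and issuer names, not real certificates.
GENUINE_DER = b"constructed-genuine-leaf-certificate"
PROXY_DER = b"constructed-proxy-resigned-certificate"
PINNED_SHA256 = hashlib.sha256(GENUINE_DER).hexdigest()
EXPECTED_ISSUER = "Example Public CA"
GENUINE_INFO = {"issuer": ((("organizationName", EXPECTED_ISSUER),),)}
PROXY_INFO = {"issuer": ((("organizationName", "Corp Inspection CA"),),)}

if __name__ == "__main__":
    for label, der, info in (("direct", GENUINE_DER, GENUINE_INFO),
                             ("intercepted", PROXY_DER, PROXY_INFO)):
        print(label, assess_certificate(der, info, PINNED_SHA256, EXPECTED_ISSUER) or "ok")
```

A fingerprint pin changes whenever the server's certificate is renewed, so the recorded value has to be refreshed from a trusted network at that point.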
Actively Restrict Access to Your Accounts
Besides protecting the privacy and security of your own connections, protecting your accounts from direct access by unauthorized people is also extremely important. LuxSci has a wide array of features for restricting access, such as:
- Requiring very strong passwords
- Optional Two-Factor Authentication
- Restricting access to specific IP addresses and services with custom firewalls
- Disallowing insecure connections to your accounts
- And many others
With VPN Access, you can take these restrictions one step further. Using your account’s custom firewalls, you can restrict any access to any of your account services (like WebMail, POP, IMAP, SMTP, FTP, etc.) so that access is only granted to users who are already VPN’ed in. That is, it would be impossible for a malicious party to guess your password or gain access to any of your accounts without also being connected to the VPN, as their connections would be rejected summarily.
Restricting access to people connecting via the VPN also solves the problem of wanting to restrict access by IP when your users’ IP addresses are varied or changing.
Note that MobileSync (Exchange ActiveSync for mobile device access to email and calendar/contact/tasks data) is exempted from VPN access restrictions of custom firewalls, due to the limitations of many mobile devices.
SSL and TLS by themselves do not help with unauthorized account access. They secure the connections but do not restrict who can make such connections (well, unless client-side SSL certificates are used).
Other Benefits of VPN Access
There are a number of other significant benefits of using VPN Access to your LuxSci account. These include:
- Ports Blocked? If you are having trouble accessing services because your ISP or network is blocking ports, like the SMTP port of 25, you can eliminate those blocks by sending all your traffic through the VPN (assuming they permit the VPN connections).
- Hide Your IP: When connecting over the VPN, our servers only see your internal, private VPN-assigned IP Address – we do not see the actual IP address assigned by your ISP (though this can be obtained from our VPN logs). As a result, when you send email via SMTP, your ISP’s IP will not show up in the email headers and you will not have issues with being blocked because of its poor reputation. This is typically solved by scrubbing your email using LuxSci Anonymous SMTP, but that is not even needed if you are using the VPN, which enables faster sending over standard ports while keeping your IP hidden.
- Secure Remote MySQL Access. If you would like to or need to manage your LuxSci-hosted MySQL database from your desktop and need this to be “secure”, you have 2 choices with LuxSci – use “stunnel” to set up an SSL-secured connection from your computer to LuxSci, or use the VPN. MySQL connections coming through the VPN do not need an additional SSL layer to be considered secure, so you can use any MySQL database management program over the VPN for secure access without any additional setup needed. This is the recommended method for secure remote MySQL database management.
- Other insecure services. If you need to connect to other services insecurely, e.g. because you have some program that does not support SSL, you can do that over the VPN to have security anyway, provided that your account is not restricted to SSL-enabled connections.
About LuxSci VPN Access Service
LuxSci’s VPN Access Service:
- Cisco: Supports IPSec VPN access using Cisco’s VPN Client. We provide you with the client software for Windows. Macintosh OS X has native support for Cisco IPSec VPN.
- You can also use other L2TP/IPSec VPN clients (e.g. Windows native, iPhone, iPad, Android, etc.); however, these are not fully supported. That is, we give you the information to configure them, but you are on your own with setup. The Cisco VPN Clients are fully supported.
- Costs $5/month per VPN user license.
Existing customers can add VPN access using the “Upgrade” tool in their account. New customers can add it to their orders by choosing “VPN Secure Access” under the list of “more services” in the order wizard. VPN service is available for Premium Shared and Premium Dedicated/VM customers.