Ask Slashdot: VPN Service For a Deployed US Navy Ship?
shinjikun34 writes "I am currently stationed on a U.S. Navy ship deployed in a country with restrictive internet policies. We are currently in the process of setting up an entertainment internet connection for the crew to use in their downtime. I suggested (and was thereby tasked with finding) a VPN service that would support 100 to 500 devices, have an end point inside the continental United States, be reasonably priced, and secure/trustworthy. Something that is safe to use for banking and other financial affairs. Ideally, it would be fast enough to support several VoIP calls (Skype, Google Voice, etc.) alongside online gaming, with possible movie/music streaming. It will need an end point in the U.S. to allow for use of Google Books, Netflix, Hulu, and other services that restrict access based on region. I, in all honesty, have no idea where to begin searching, and I ask the good folks of Slashdot to aid me in my quest. One of the main requirements I was given is that the company has to be trustworthy. And it has to be a company — a computer in someone's closet hosting a VPN isn't acceptable to the Navy. What services would Slashdot recommend? (I understand that our connection without a VPN probably won't be able to handle the described load, but I would prefer a VPN service that offers capacity above our need. That way when T/S'ing the connection, the VPN can be at least partially ruled out.)"
MIL: yeah, let's ask the guys on Slashdot, they could help, I am sure
SGT: yes sir, good idea sir
Try Pair.com in Pittsburgh, PA. I've been with them for over 16 years now and I've been very happy with their service and support.
Just create a VM on aws.amazon.com and configure it to your heart's content.
Doesn't the Navy have its own Internet infrastructure? Or may you not use that?
The NSA is tasked with securing such communication, and, regardless of the classification of the data, you should be using their equipment or at least an approved system. That way you know that you are at least protected from your provider.
Your users shouldn't even know you're doing jack to their connection except to show as a US IP address. There should be no identifying information that points that IP to any military activity.
I know Sonic.net offers their customers VPN service, and have a great track record and are a pleasure to work with. I'd call their business/enterprise department and see what kind of bandwidth they can give you in a VPN termination.
However, I hope you're aware of the dangers of having multiple secure and insecure internets in close proximity...I sincerely hope one moron with a patch cable can't bridge the "entertainment" network to anywhere else...frankly I'm surprised this isn't handled by the USN core networking folks already....?
You realize that some of the people reading Slashdot around the world are going to have a vested interest in getting a back door into your affairs, right?
This would be an excellent trap to catch foreign agents.
I would be very wary of doing such things on a government connection. Your C/O better have written off on it officially.
Forget online gaming on a ship, as the lag is a killer and moving from area to area can lead to dropouts.
I am currently stationed on a U.S. Navy ship deployed in a country with restrictive internet policies.
Then respect the laws of that country and don't try to bypass their Internet policies.
Shameless plug: our company ReachIPS.com could absolutely do this (contact us) //GregH (an engineer at the company not in sales).
You want (1) high speed, (2) large bandwidth, *and* (3) high security. You can have any two of the three.
But seriously? Is the ship not already outfitted to use OCONUS Navy Enterprise Network (ONE-Net)?
I'm surprised this is even an option, I recently worked at a remote US government facility and there were heavy filtering requirements in place. Do military regs really allow you to avoid their regular IT controls and policies this way?
At any rate, my first question is are you talking about a physical internet connection while in port, or using a satellite at sea or what? You're talking about supporting an awful lot of users and data through the VPN, but can your basic connection support that?
Not to mention plugging personal equipment into a DoD network is a no-no. And forget the fact that online gaming is probably not the most appropriate use of limited shipboard bandwidth...
You imperialist murderers.
1) Lease a box at a site with reliable, low-cost bandwidth (Somewhere like PhoenixNAP, AtlantaNAP, Rackspace, etc.) - This should run you between $50 - $150/mo for a decent system with several terabytes/mo data transfer (More than enough for Hulu, Netflix, etc.). 2) Make some friends in the Navy IT dept. - Have them help you set up a hosted VPN service on the box in their off time. This will be the lowest cost, most secure, and most reliable service you can get.
IMHO, that sounds like something all Navy ships would want to have... so why not have the Navy's own IT department at the other end of the VPN?
Needless to say, in a network separated physically from anything important, but still inside the Navy's own control... no better way to address security concerns.
Almost all VPN services are fly-by-night ops. Just don't do it. Seriously, they come and go like the wind. I'm sure there are legit ones that have been around for a long time, but it's nigh impossible to vet any of these companies.
Instead find a good hosting provider and rent yourself a server with the amount of bandwidth you need and the location in the US you want (most providers have data centers in various places). For more security I would get a whole machine, not a VPS. Run OpenVPN or whatever on it and you're good to go. It wouldn't need much disk or RAM.
Not a VPN, but what about an IPv6 tunnel to Hurricane Electric? Much of what you are interested in is IPv6 accessible. And the HE tunnel is free.
Might check and see where the IPv6 anycast address routes to from your location. Might be in a different country.
Anything other than a government controlled VPN would be a dumb move. One step back though, why do you need a VPN? I assume the Navy can get its hands on a decent US IP range and have it routed properly? Even with non-US IPs you can probably get access. Most entertainment companies have good relations with the military - they could provide access as a courtesy.
Create a VM endpoint in the US on something like Amazon Web Services. Fire up a tunnel (vtund over ssh? openvpn? whatever) from your ship's router to your endpoint, route traffic through it, make sure your local DNS resolves through the tunnel, and call it a day. This way you won't need to tell people to mess around with VPN clients. The fewer moving parts, the better.
This is pretty simplistic though. You need to give us more details. How much bandwidth do you have to play with? What is the expected latency? How much tolerance is there for downtime? How much access control do you need? There are all kinds of additional steps that could make this kind of service more reliable.
Is the OP saying that the Navy doesn't already run a VPN? WTF?
How much saltwater-safe coax can they trail behind the ship? I mean, it can get pretty messy, especially if they go around an island or something. Really, shouldn't the poster have at least considered these basic issues?
No wonder the navy budget is HUGE!!!
OK I'm not American (I'm Australian), but this whole post elicits a massive "WTF" from me.
If this is a Navy ship, belonging to the world's most powerful military and run and administered by a branch of the US Government, then surely:
a) if this kind of usage of the connection is permitted, the Navy (or other government entity) would have its own infrastructure you could use for this; or
b) if not, there'd already be a clear policy that stated who your preferred providers of such a service would be (having been vetted and cleared for such use by the relevant IT people within the Navy)
I mean, I can't imagine any government department, let alone the Navy, giving some random guy the task of finding and setting up a VPN via whatever means he happened to think was good.
Also, um, doesn't the ship have its own internet connection? I'm surprised that the filtering practices of the country where you're based are affecting you ... surely you don't allow people on the ship to use random, untrusted connections provided by whatever place you happen to be in?
Anyway, as I said, I'm not American and wouldn't have a clue how the US military operates. But I can tell you this kind of thing would never fly in a government department here.
http://www.goldenfrog.com/vyprvpn
This service, although fairly new, comes from the Giganews / Data Foundry people, who have been around for a long time.
The government already has contractors to handle things like this; call Lockheed Martin or Northrop Grumman, don't ask a multinational user base how to secure Government communications.
AdmiralAckbarItsATrap.jpeg
This has bad written all over it, and I can't believe it's even allowed.
Just don't do it.
A new startup! (as of today)
And a dedicated room (very very small...) for the computer!
Use my company! You can trust me... er, my company.
Well, as a German company we have far stronger boundaries related to data protection than any other company in the USA.
We're specialized in network security as well.
The broadband in the USA is not really fast, so if you can consider it visit www.mercenary-security.com or send an e-mail to info@
We have worked for major American companies like MTV already and assisted them in securing their network.
Pricing is negotiable, but if you're on a ship the delay via sat-links is likely more important.
For the size you're talking about, you'll want to actually negotiate a contract with someone. I use VyprVPN via Giganews, but I'm not sure if they are a US company.
I assume you'll be routing this stuff through Tor (after all, this is exactly why the US Navy _created_ Tor; you can't expose the true location of that ship, dammit.)
I would think you could do a deal with any of the "hotel" network providers (Innflux, AT&T, etc.) to essentially provide that same service -- via VPN -- for your setup.
BTW, I assume this stuff will be going over InMarSat? Remember that's _very_ expensive, so MMO's would probably cost a fortune.
I also don't see how you're going to get approval to drop a network onto a ship without a full-up IA certification from DoD. I've run networks onto military bases, and it's a year or so to get all the approvals in place, even when you're not touching their networks at all.
I understand personal unsecured devices on the DoD network are forbidden, but it's also easy to see where you literally have a boatload full of people with iPads and personal laptops with webcams that want internet access and a connection to family at home.
Creating a second, public-only network is the obvious solution. But given the recent wikileaks-ish concerns, I'm amazed that they are considering anyone else providing this service. It would seem that the logical thing for them to do now is to create a vpn tunnel themselves and run their own endpoints in the states. I can't imagine them not wanting a high degree of control and monitoring of it. The last thing they want is a vpn they can't easily tap into that creates a difficult-to-monitor information pipeline out of a secured environment, even if not directly-connected to the secured network. It's connected indirectly by the entire crew.
This really needs to be done internally, under the control of the military, not farmed out. Think about postal mail and now email. If you're on tour and write a letter back home, and are stupidly saying things you shouldn't, like "so excited to see we're FINALLY going to go to XXX and kick some ass next week!". That gets censored out before it gets to the states of course. Last thing in the world they want is for all the sailors to have a vpn where they have very little or no control over that.
Odds are good that whoever tasked you with this didn't quite understand the can of worms you are attempting to open; just because they're higher rank than you doesn't mean they know the subtleties of what you do. And if it does go through, it won't last long before someone higher up with a more complete understanding puts their foot down, or the press gets ahold of what's going on and has a field day. (or both)
As a part of the NAVY, don't you need a FIPS certified VPN solution?
Maybe you should call your support desk or talk to your commanding officer?
A LOT of money has been spent by the government to give you a secure environment, with thousands of pages of STIGs to comply with, encryption, and other safeguards.
It sounds like you want to do an end-run around the regulations and security imposed on your shipboard environment. The policies in place have been shaped over the last two decades.
Do you have the slightest idea of the issues involved? We got in trouble for pinging ONCE A REBOOT from PCs that were shipboard (to check to see if they had rejoined the land-side networks), as the Naval side saw it as an attack on their network. There are real bandwidth issues on board a ship, as well as a whole slew of security issues. Just tunneling through a VPN connection is not a solution at all.
You're supposed to build this yourself, because, as the saying goes, loose lips sink ships. You are proposing a non-military access point onto a vessel vested with the task of protecting the interests of the United States. You're asking for a tactical trojan. Security should be your highest concern.
So you need to figure out how to do it in house. That's why you get so much $$$ in the Federal budget. So go spend some of it. We give you the big $$$ because I don't want the good guys protecting me exposed to network vulnerabilities YOU brought on the ship.
Frankly, your question reminds me of this post from the other day:
http://tech.slashdot.org/comments.pl?sid=2947355&cid=40496109
NOP Data Centers is located on the Olympic Peninsula in Washington and employs people with established DoD credentials.
There are normally 2, sometimes 3, networks on board Navy vessels, and each network is totally independent of the others with no physical shares.
Rednet: This network is restricted and carries classified material
Greennet: Is restricted, but carries no classified material
Hotspot/Internet Cafe is open for general use by end user devices
We are happy to provide you free VPN termination for your needs. You're welcome to have us checked out. US owned, operated, our CEO is the son of a service person, and we support our armed forces. Contact sales@login.com and we'll set up whatever GRE/IPSEC/other VPN you want.
Thank you for your service.
Ehud Gavron
Login, Inc.
Tucson AZ US
The military sucks up 1/3 of all discretionary spending by the US every year. We spend more on the military than the entire world combined. One would think all that money, and the Navy could figure out how to do this by their own fucking selves.
Yeah, I know, "support the troops" "USA USA USA"
Be easier to get behind that crap, if it weren't for the military only used for illegal imperialist acts of aggression (in my, and probably most /.'ers lifetimes).
Also be nice if the military wasn't directly competing with education, and trouncing education so badly (if that money were given to the states earmarked for education, instead of wasted on the very bloated military machine). We need to cut education spending (again), so what if Johnny can't read, he can be cannon fodder in the military which just got another 20% increase in budget.
But, "USA USA USA"
I don't know who this guy is, an IT3 would know better. I am having a hard time believing that he would contemplate doing this, or his COC would entertain it.
There is no way USN information assurance policies would support doing this through anything but a US Government service. I have not been on a ship for about 6 years, but back in 2006 the IA policies allowed were comparable to corporate policies. You could do limited personal business on your own time on a not to interfere basis. However, personal devices, VPNs, proxy servers or anything else which shielded your activities from monitoring and oversight were strictly prohibited. The security implications are just unacceptable. I can just imagine people leaving location services turned on and broadcasting the exact position of the ship from their iPad.
Whatever solution you could come up with would still need to use the government satellite connection to get to and from the ship, which does not have the bandwidth to support his desires anyway, at least not without interfering with its intended purpose.
Like many technology items, the Navy contracts them out. HP got a sweet no-bid contract extension (HP bought EDS, which originally bid it). Since then they have been charging the taxpayer over $2000 a year to provide network connectivity... for EACH WORKSTATION.
http://www.wired.com/dangerroom/2010/08/hp-holds-navy-network-hostage/
http://www.wired.com/dangerroom/2012/02/navy-internet/
In theory the Navy is supposed to start rolling their own stuff, but my guess is since this is on slashdot HP is going to make a big stink about it and shut it down.
Cue the deluge of posts from China indicating what the best VPN to use would be...
After being deployed for nine months aboard a US carrier a few years back I can completely understand where the want for an external network is coming from. I assume you are looking for an in-port solution; at sea this is completely against IT policy. I would get in touch with the MWR rep; they may be able to pull some strings back home.
Nearly a hundred posts, and neither the submitter and only one responder have asked. The presence of the word "ship" leads me to believe we're talking about wireless, combined with "restrictive Internet policies" drives me to the conclusion that this is terrestrial wireless to a local ISP. Submitter should clarify this, because it will directly impact their requirements for latency and bandwidth long before a discussion around VPN providers should occur.
http://www.birdstep.com/english/secure-mobility/safemove-mobile-vpn.aspx
Dunno if it's expensive; it should provide a bridge though, since that's what you need (apparently, so that your LAN games don't route through to the USA and back. Where SafeMove is good is that you could install it on the machines and go to a cafe on shore and still be safe, with pretty much zero hassle).
What you want is a service with which you can locate the endpoint in a datacenter you choose; the military probably has some.
Buying that endpoint service inside the USA is probably going to be peanuts compared to buying the actual bandwidth for those 500-1000 users in some shithole country.
(some people on the thread don't seem to understand that this is the _entertainment_ network with machines separated from the military side, it's pretty much standard practice in any competent military).
And do as we did 30 years ago when I was in the Navy. Watch the ship's onboard TV network, listen to tapes, listen to the local radio, watch the local TV and have fun trying to figure out what the hell the commercials are advertising (real fun when we were in Japan). Russian TV is entertaining also. Play cards, chess, Backgammon, etc.
I know the Information Assurance (IA) community within the Air Force is somewhat particular with commercial ISPs for morale. There may already be a fix for your problem; however, I do understand the difference between the AF and the USN.
This article has to be one of the best trolls to have even been done here on Slashdot. Not only did it get the editors to put it on the front page, but it also has most everyone actually taking it seriously.
First... on a ship it is almost impossible to implement a VPN for these purposes... unless the US military are crazy!
If what you, and your friends, want is to be able to use the "local" internet in other countries, from your personal computers (can you have personal computers? such a fail in security!), you can use something like your own VPN server in a datacenter in the USA and connect to it... or rent a service like Pro VPN from hidemyass, or Steganos Internet Anonym VPN.
if i build a ship in canada and put it inthe backyard of a us resident i can say fuck you to hollywood? HAHA stupid americans....tricks are for kids....
instead of wasting my money on streaming pornos why dont u just go back to bukakeing each other in showers, fags
What about USB keyboards/mice? USB printers? Nowadays it's getting harder to find PS/2 stuff.
Agreed. The US Navy does a lot of great things (some of their disaster work is first-rate, for example, and they also do anti-piracy work and help ensure free navigation), but our armed forces and military policy have also been responsible for a lot of really bad things (allying with armed forces that place zero value on human life, adding to demand for forced prostitution, propping up oppressive regimes).
It's not black and white, and talking points on both sides (insofar as there are only two) have some truth to them.
I use StrongVPN to log in from Europe for my household (3 power users) to get Netflix, Hulu, etc. I don't know how this would scale to hundreds of people, but StrongVPN's customer support is very good. Every time I chat with the support staff, there is someone there (24 hours, I am on Paris time), and they have taken care of my problem. They seem to have lots of servers, so you could probably get the bandwidth you need. Good luck!
Hmm... I think the issue is how to download porn. There's no reason they cannot, at sea, own an entire library of pirated movies on DVD or Blu-ray, and all the games, so they don't need Netflix. Satellite telephone should work in place of Skype. But the anonymity of online porn is difficult to provide any other way. It seems like the US Navy should have been thinking of alternatives to "onshore leave" for decades, and after spending $20 billion per year on air conditioning, should have come up with the nicest holodeck porn technology ever dreamed of. Then we could release under USA licensing agreements, and pay off the national debt.
Gently reply
It's completely reasonable for you, with orders, to investigate. But if you pull this behind the back of the existing infrastructure maintainers, you could be in a great deal of trouble for violating security policies that no one here is equipped to help you follow. Contact the IT personnel at your main base, and find out what they've already got in place, and what policies you need to work with.
As a deployed ship, every communication should be encrypted: even casual email to your families about when you're coming back might be considered military intelligence, and I've seen commercial cases where personnel were not _allowed_ to pre-encrypt their communications before it hit the local proxies, precisely so it could be checked for confidential material. I've explained to clients and partners that this allows local monitoring to intercept the communications between their private machines and the proxy, and for anyone who cracks the proxy to read it all, and then they had to factor in _those_ issues.
You're also going to face potential issues with people taking "unsecured" machines for any "social" network and cross-connecting them to secure communications. That's just what the IT personnel at your home base should be able to help you assess. Even if you wind up doing most of the work, keeping them informed will mean that the pitfalls or incompatible tools can be recorded for anyone else who needs to do this.
Another group that might be able to help is the USO: They've been involved in helping communications for active military throughout their existence, and they might be aware of others who've faced just these questions and whom your normal chain of command might not be aware of.
I agree with all those before me that said this is a troll. I would use my real account, but that may get me into hot water.
First off, you are in no legal position to be enabling a VPN from a US Naval Vessel to any location. Not even to your own home port of call.
Second off, if you do this, you deserve to be court-martialed. So does your commanding officer.
Third, I have worked in various NOCs for the DoD. While the majority of the contractor setups are screwed up in some fashion, there are those of us who DO know our shit, and we will ensure that you are thrown in the brig or the stockade ever so swiftly.
You think we don't know what you do while you are on that ship? SERIOUSLY?
Soldiers need rest and relaxation time between their murdering sprees in the pursuit of imperialism. But what's really pathetic is that they actually bother to follow the laws of local countries, instead of just barging in and doing whatever the fuck they want. What's the point of having a big military to go around and project force, murder people, and seize control of resources, if you're then going to bow down to locals and follow their idiotic little laws? I'm sure the Roman Army never did anything like that; if they wanted something, they just took it. If there was some stupid local law that inconvenienced them, they ignored it and slaughtered anyone who got in the way. When the British Empire during their peak in the 16-1700s sent their Navy ships into foreign ports, do you think they bothered to follow local laws? Hell no. If the locals got mad about the activities of their sailors, the ships would just blast the town with their cannons. The whole point of a military is to use brute force and violence to get your way; if you've decided to take this step, and thus send your military to foreign locales in this pursuit, what is the point of following local laws? Either do it 100% or don't do it at all.
I guess it can only be Gulf countries, and I'm in one of them right now (the most restricted country, hehe). Please take note that they are tracking VPN activity, and some countries who block VoIP can block your VPN too, if they suspect you use it for VoIP. I recommend a PCI compliant VPN, to PCI certified hosting, if you want to do banking. E.g., if you want to go the serious way, find colocation (PCI compliant!), let's say 1/4 of a rack, put a VPN router there (also, again, compliant), and on your side too. Note that some services like Netflix and PS3 videos won't work for IPs from hosting, because some people from other countries use this way to get a US address, and services are blocking all hosting IP ranges, so you have to test it first.
Sure, you can go the cheaper way; it won't be compliant, but still very secure. Let me know if you need more information.
Small world. I had no idea you were on slashdot -- we briefly met a few years back for a Thawte notarization.
Anyway, good to know you guys are still around and doing stuff like this.
This post is a fishing trip. The poster is trying to get responses from people in the military that have already done what he seeks, and once he knows what unauthorized networks are being used, he can then locate them and attack them.
After numerous wikileaks excursions, there is no way the government is actually allowing this sort of network on-board ships. This might actually BE the government sniffing out potential leak sources. If any of you troops are considering answering this guy with factual information, think twice, then thrice.
Enjoy your dishonorable discharge for violating military law. (You can't attempt to bypass military security. Period. End of story. Even if a Brig. General orders it. You cannot do it. Fact. Simple. Done.)
Should be 'Might as well write'
Yes! Hi Pete! It sure is too bad Thawte's Trusted Third Party system was taken down by Verisign. I'm also unexcited that there are no email S/MIME signatures good for more than 365 days... it's a step backward.
Ehud
The US Government is trusting Slashdot users to determine the wireless/wired VPN configuration aboard a US Navy ship? Are there no policies or procedures in place for selecting a proper provider? Is there no trusted software base in place? VMKnoppix comes to mind as a model of a system the US Navy should be using for even the most private use by soldiers. Not to mention it should all be done on military ISPs over military connections/wireless frequencies using military grade multi-layered encryption on software that has been under completely audited review for trustworthiness. There is no doubt in my mind such a posting has to have ulterior motives... the alternative is too scary and far reaching to be believed.
See http://www.spi.dod.mil/approach.htm and present your situation. The need for secure and non-secure environments to exist, and function, separately in the same macro-environment, without cross-contamination, is something they should understand, and have interest in developing. I suspect a controlled micro-macro-environment, such as exists on a ship at sea, might be a good development and experimenting environment, for which they might have specific interest.
The SPI people are Air Force, instead of Navy, but what are airplanes except submarines that deploy in a lighter medium? That return to the bottom instead of to the surface...
And I can see it worked very well when you got dragged in long wars ... for example for Vietnam and Afghanistan. It surely did not create any issues at home.
:(
Are you trying to troll? I cannot tell, since your argument is quite weak.
Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
Shipmate, I will throw the flag on this one (you know which flag). On US Naval ships, the physical liberty port (where in the world you are) does not set your firewall (or restrict your access to information on the web). Contact your ISSM and ISSO to learn how www.slashdot.org and other websites can or can't get to your computer screen (and I am sure they will want to know BEFORE you set up an "Entertainment Connection") ... and before you get into trouble or, worse, get someone hurt. It's because of folks like you that we have to sit through the same GMT every year telling us stuff we should already know.
As I am sure the good folks of Slashdot will no doubt help you to set up a VPN connection so you can play your WOW or D3... I GUARANTEE YOU nor ANYONE on the ship was commissioned or authorized to set out and find a way to circumvent the internet connection (or policies) provided to the ship or sites you can get to.
"One of the main requirements I was given is that the company has to be trustworthy"
Are you kidding me?? If you take someone on how trustworthy they are because they said so over the internet..wow. Show me the note/instruction/email/whatever telling you to set up this connection. I will kiss your ass on main street and give you an hour to draw a crowd.
We spend millions and millions of dollars on information and operational security... for some bravo foxtrot like you to come along and think you are slick to buck the system. Get off the ship and enjoy the culture... go see something. If not go find your Chief and ask them for something to do.
Loose lips sink ships.
First and foremost, as a US Army Signal Officer, I'd like to say that you're opening up your entire unit to some major OPSEC issues with this sort of request on Slashdot. To answer your question, the Navy provides SPAWAR packages that can be requested through your COMMO Section. I would highly recommend you look at this as a secure method of connecting to the internet while overseas. They have packages that will support hundreds of Sailors and are encrypted. It supports Skype, and even a small package will support multiple calls at once.
Actually, if you read between the lines, I'm advocating for non-interventionism. Militaries are a necessity I'll agree, but they should only be used as a last resort, and when that point comes, then everything else goes out the window. Until that point comes, soldiers should be kept at home, and never deployed anywhere (except for the Navy of course, whose job is to sail around and always has been, but even so, they shouldn't be docking at other countries for very long, maybe long enough for a brief shore leave, and shouldn't be dependent on any resources in those foreign countries). The model the US uses, where it established bases in foreign countries to push US policy but then doesn't actually bother to conquer that country, and even follows the local laws, is just wrong, as it's obviously only being used to help out US-based corporations and not being used to defend US citizens from any actual threat that requires the use of violence.
I've also been a Pair customer for many years. Their support is absolutely fantastic. Unlike many large companies who don't bother to read your questions and just reply with boilerplate, Pair responds quickly and accurately, and follow-ups are quick and easy (email). Sometimes, they've proactively fixed accounts that were at risk due to a security flaw or upgrade.
Rackspace, Amazon, any of the companies that give you a server in a rack on an OC48. Have them install Linux and you maintain the VPN install.
You will maintain full control and it will not show up on most nations' known VPN blocklists.
Do not look at laser with remaining good eye.
it's a sad day at slashdot when this needs to be said, even more sad when it's moderated up. duh, i can haz internet? please, use the obvious tag next time. so how old are you then?
e.g. Zscaler
Which uses VPN or proxy, and also provides security services, such as web filtering/policy enforcement, but according to your network's rules.
Still, over such a long distance, there is likely to be latency issues with any VPN setup; you're making a bad problem potentially worse adding that extra little bit of latency.
I don't think you'll have high-bandwidth media streaming working very well, although there may be some WAN optimization products that could help with that, if only your organization had network endpoints both in the US and outside the US.........
"I am currently stationed on a U.S. Navy ship deployed in a country with restrictive internet policies.
Ah, so you are in San Diego. Tough shit with the infernal M*FIA IP restrictions.
I would infer that you are using a satellite link to your endpoint in the CONUS. However, VPNs and satellite links have a very antagonistic relationship - they don't play well together. When they do work, the speed drops off radically.
Get a US based VPS service that permits proxying and has decent bandwidth limits and create the VPN yourselves.
How was afghanistan a long war?
You really need to learn the difference between war and occupation.
Vietnam was the last time we didn't whip their ass overnight.
Occupations are ALWAYS long term if you actually expect to make a change in a place that has been killing EVERYONE AROUND THEM FOR THOUSANDS OF YEARS.
The Navy doesn't have any spare capacity in its data centers for this? This seems like another waste of taxpayer money by outsourcing something that could clearly be done easier internally.
If you don't have it now then the DoD won't allow it, for so many diplomatic and security reasons. I am surprised that you are silly enough to broadcast your intent to try this. I would guess that by tomorrow there will be a memo reinforcing the reasons why you don't do this.
I will attest, if anyone can figure out how this can be done it would be Ehud and his team at Login. Just Saying :)
NX http://en.wikipedia.org/wiki/NX_technology
http://www.nomachine.com/
First off, no deployed ship has enough bandwidth coming in to support 100 to 500 people streaming video.
US military ships' communications are bounced off satellites above the theater they are in. For Africa, the Middle East, and Europe that means your satellite drop location is at Stuttgart, Germany. Once received at the main base there, it is then routed via undersea cables back to the US and connects to the internet from locations in Virginia and Maryland. Any and all NIPRNet (normal, unsecured internet) traffic from US forces using GMF or shipboard satellite would appear to anyone on the internet as coming from California, Washington, Maryland, or Virginia.
Assuming you have permission
You want a commercial grade VPN for that many users. It’s like a big corporation that has a central office and satellite offices in other cities over a secure intranet, including VOIP. You can engage professional services like CDW to estimate your bandwidth needs and recommend the right sized commercial VPN routers you’ll need between your central office (stateside site, maybe a co-location service like Hurricane Electric or maybe a USN site) and your satellite office (overseas entertainment site for your ship). You’ll be buying from a major US vendor, not rolling your own Slashdot-style. Configure and test it stateside, with the satellite router hooked up to a mockup testbed lan as the satellite office, and with the central office router in its actual place. Then ship the satellite router to your ship and you can plug it in to your local ISP. The local ISP might still block the address of your central office router just because the country’s restrictive policies office says so. Assuming they don’t, you might want a commercial ISP account to get enough bandwidth and a static IP address. My 2 cents: go pro. When the DOD guys find and audit the setup, it’ll look pro and familiar. Sorry, I don't have a recommendation for networking services.
US Navy ships at sea do have internet access, however it is limited.
http://www.navytimes.com/news/2012/04/navy-limited-online-access-stresses-sailors-at-sea-041512w/
Overall bandwidth off the ship, especially satellite bandwidth when at sea, is limited. A home cable modem has more external bandwidth than an entire aircraft carrier.
http://www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=2298
http://www.defenseindustrydaily.com/US-Navy-Beefs-Up-Commercial-Satellite-Capacity-for-Ships-06128/
http://www.mybluedish.com/blog/surfing-with-the-navy-satellite-internet-style/301440/
I assume he intends to literally toss an Ethernet cable from ship to shore. I bet they do this for electrical power too; why burn fuel if you don't need to? Maybe they even attach water and sewer pipes. They can disconnect if they need to go out to sea, properly if not an emergency or ripping loose if it is an emergency.
it's going to have to share the same satellite link for example
The whole point of this is to avoid the satellite link. He's probably in port, where he can just toss a cable from the ship to the dock. At worst he's close enough to shore for a WiMax link. I'm betting he's in port. He probably also has temporary connections for power, water, and sewer. It's probably like an RV hook-up at an RV campground.
I'm betting this comes out of some morale/entertainment budget. They couldn't afford Madonna, they aren't allowed to use that budget for hookers or alcohol, and thus... the internet.
You can't usefully put more than about 25 devices on a channel. Assuming all the devices are 2.4 GHz, you have at most 3 channels. 75 devices doesn't do the job. If you only connect the VPN endpoint though, then that is just one device and it'll work tolerably OK. Better would be stringing an ethernet cable to the dock. He probably already has a power cable, maybe even water and sewage, so it wouldn't be a big deal. You just unplug it when you go to sea, or rip it loose in an emergency.
It meets all your criteria, supports a broad spectrum of endpoint clients, and the cost is reasonable (including a free option that provides a slice of connectivity each month). I've found its throughput to be fantastic. And it's run on Amazon's servers, so it meets your US-sited criterion. Recommended. https://www.getcloak.com/account/?t=2439D4F97229#share will get you there.
You would think that after Abu Ghraib you would get a clue. But oh no, you can't fix stupid.
Let me explain this step by step. You are breaching the laws of a country where you are a visitor. They don't like that. When they don't like that they kill Americans.
Every time you go walking around pissing on the guest country it kills Americans. Get this into your dumb little boney heads.
You've sold your soul. Die.
If you are asking these questions (they are good questions) this is likely WAY above your pay grade. You need to find the people that know the regs and tech and get them involved. Now. Slashdot is nice but it's nowhere near sufficient and much posted will be simply wrong if you care about your career even when technically correct (and a lot won't be).
...and a random thought: Would setting up WiFi be "interesting" in compartmentalized steel ship?
The number of ways to screw this up (assuming it is even allowed) are mind boggling and there are at least three major categories of ways to screw up: Military, Technical and Political.
Please note you may be opening a can of worms not just with the Navy but the country you are berthed at! There are places where encrypted internet traffic is not looked upon kindly.
The trade offs are non trivial. Having on-ship access means devices are more likely to stay on board, which is a very good thing. Installing high speed internet access can make any data leaks go faster, not a good thing. If you do this you need every t crossed and every i dotted.
This must come up a lot and I guarantee the Navy has a stack of rules somewhere. If you are lucky: self-consistent ones.
They should ask the NSA, or at least someone from the office of Homeland Security, to provide the VPN.
That way, the NSA can put a close tap on what has been transmitted to and from the navy vessel.
Muchas Gracias, Señor Edward Snowden !
The USA is rank 24 (of 182) for corruption. Only 23 countries are better. Mexico is rank 100. You have no clue about Mexico. See for yourself:
http://en.wikipedia.org/wiki/Corruption_Perceptions_Index
Of course, Afghanistan ties for spot 180 or 181. It's not so much about government; it's a matter of culture. Check out the map. The good parts of the world share the culture of northwestern Europe, with just a few rare exceptions. (the USA, Canada, Australia, and New Zealand all have culture from northwestern Europe)
Chinese corporations are busy mining in Afghanistan, not US corporations. The US only benefits indirectly by lower prices on the world market; if the Chinese use Afghanistan then they might not compete so hard for resources in North America and South America.
1. That someone from the US navy is asking "Slashdot" for advice! Don't they have experts for this? If not then tender a company in security to investigate this.
2. They are allowing any type of personal computer to be linked up. Yes, we are in the tech age where everyone has equipment, but if you are posted on a ship, for whatever time scale, you should be using DoD-sanctioned equipment to call home etc.
Ok, I understand that this is completely separate from the ship's systems and network. But can you trust that background chatter won't be picked up? What are other people saying? Could you sniff out conversations you should not be hearing? Probably not, but there should be concerns about just assuming we know the best solution for this type of requirement and that this is the place for this question.
I'd say honestly, go to a security adviser and make sure you have ticked all the boxes, have them advise a good VPN provider.
Have fun :)
Ok, you can't trust any of the VPN services. By their nature, they are providing foreign nationals access to an internal US IP to gain access to Netflix.
If you are on a ship, I assume you are using satellite connections. I don't think you have enough bandwidth for Netflix, unless you are in port and wired.
So, the only real answers depend on whether you want to be constantly hassled and never have any free time, or you want to pay someone reasonably trustworthy to do this. Your choice, but regardless, you will need $100K in hardware.
a) Deploy OpenVPN yourself on commodity Linux boxes hosted for you somewhere trustworthy. Get your own cage.
b) Pay Cisco to setup a VPN for you, hosted for you somewhere trustworthy. Get your own cage.
I've deployed Nortel VPN boxes that support 5K users. They work, but are far from trouble free.
If it ain't IPSec, it ain't shit. Don't trust another VPN method. SSL is a joke in comparison, PPTP too. IPSec is built-into IPv6, so you may be able to leverage that in some way.
Running 2-10 pfSense boxes should handle the wired bandwidth (1 on each side to start), but you still need to deal with satellite at some point. A few Skype conversations might work over satellite, but with the latency of satellite, use of "over" "over" "over" "out" will be needed.
If you aren't technical enough to know pfSense already, then you probably want to pay Cisco to set up and run this for you.
I'd suggest _not_ relying on a service provider, nor on a road-warrior model. Instead, I suggest setting up an OpenVPN "server" (on a standard Linux system) in your headquarters, in the US. Then you can set up your own OpenVPN server within your ship and let it act as a gateway: all your "ship internal" devices could simply have the OpenVPN box as their gateway, speaking standard IP with it, with no need of VPN software at all. The gateway (your local VPN box) will route _ALL_ the IP traffic inside the VPN tunnel (you can even "enforce" this, by adding a few simple iptables rules to allow _only_ traffic inside the VPN and toward the remote VPN endpoint).
Something needs to be planned regarding the local IP subnets, but this should not be a big problem.
I suggest OpenVPN 'cause it can work with only _ONE_ IP connection, commonly UDP but, if needed, also TCP. This can be a great help if your local Internet provider applies some restrictions (e.g. you can run OpenVPN over a UDP/53, TCP/22, or TCP/443 connection).
Also, the two OpenVPN servers could authenticate each other using RSA X.509 certificates.
In the end: everything is free (as in speech and beer), it's open source (and as such is secure, OpenVPN being a very well-known VPN solution) and, in my opinion, it's perfect for your LAN-to-LAN VPN service.
HTH.
Damiano (Verzulli - Italy)
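The LAN-to-LAN gateway with an iptables "kill switch" that Damiano describes, written out as an added example (not code from the thread or from the OpenVPN project). It assumes placeholder values: the stateside OpenVPN server at 203.0.113.10 listening on TCP/443 (the restrictive-ISP transport option from the comment), the pier-side cable modem on eth0, the crew WAPs on eth1 serving 192.168.50.0/24, and the tunnel as tun0. The endpoint must be an IP address rather than a hostname, because with these rules no DNS lookup can leave the box before the tunnel is up. By default the script only prints the iptables commands; set APPLY=1 and run as root to apply them.

```shell
#!/bin/sh
# Added example: LAN-to-LAN OpenVPN gateway with an iptables kill switch.
# Every value below is a placeholder assumption, not something from the thread.
VPN_ENDPOINT="${VPN_ENDPOINT:-203.0.113.10}"   # stateside OpenVPN server (must be an IP)
VPN_PORT="${VPN_PORT:-443}"                     # TCP/443 to get past a restrictive ISP
VPN_PROTO="${VPN_PROTO:-tcp}"
WAN_IF="${WAN_IF:-eth0}"                        # pier-side cable modem
LAN_IF="${LAN_IF:-eth1}"                        # crew WAPs hang off this
TUN_IF="${TUN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.50.0/24}"
APPLY="${APPLY:-0}"                             # 0 = print rules, 1 = run them (needs root)

# Run iptables for real, or just print the command in dry-run mode.
ipt() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Emit the complete rule set. Default policy DROP on FORWARD and OUTPUT means
# that if the tunnel drops, LAN clients lose connectivity rather than leaking
# to the local ISP in the clear.
kill_switch_rules() {
    if [ "$APPLY" = 1 ]; then sysctl -w net.ipv4.ip_forward=1 >/dev/null; fi
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The only thing allowed to leave the WAN interface is the tunnel itself.
    ipt -A OUTPUT -o "$WAN_IF" -p "$VPN_PROTO" -d "$VPN_ENDPOINT" --dport "$VPN_PORT" -j ACCEPT
    # The gateway's own traffic may go through the tunnel.
    ipt -A OUTPUT -o "$TUN_IF" -j ACCEPT
    # LAN clients: allowed only LAN -> tunnel, never LAN -> WAN.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$TUN_IF" -j ACCEPT
    ipt -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Clients may talk to the gateway itself (DHCP, DNS forwarder, etc.).
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # NAT the LAN behind the tunnel address so the stateside end needs no return route.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$TUN_IF" -j MASQUERADE
}

# Minimal OpenVPN client config matching the rules above (placeholder file names).
# The matching server side uses its own X.509 certificate from the same CA.
openvpn_client_conf() {
    cat <<EOF
client
dev $TUN_IF
proto $VPN_PROTO
remote $VPN_ENDPOINT $VPN_PORT
redirect-gateway def1
ca ca.crt
cert ship.crt
key ship.key
remote-cert-tls server
cipher AES-256-GCM
persist-key
persist-tun
EOF
}

# Sanity check for the one mistake that defeats the whole idea: an ACCEPT on
# the WAN interface whose destination is not the tunnel endpoint.
# Returns 0 if no such leak exists, 1 otherwise.
check_no_wan_leak() {
    if kill_switch_rules | grep -- "-o $WAN_IF" | grep -v -- "-d $VPN_ENDPOINT" | grep -q ACCEPT; then
        return 1
    fi
    return 0
}
```

Review the printed rules with `kill_switch_rules` before applying them; `check_no_wan_leak` is the test to re-run after any later edit to the rule set. Note that `remote-cert-tls server` is what makes the certificate-based mutual authentication meaningful: without it a client would accept any certificate signed by the CA, including another client's.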
For anyone still reading the drivel these comments have turned into, I would like to offer clarifications and corrections before I forget that I ever posted this.
1) This is a civilian network running onto a Navy ship for use as entertainment. Not sending secrets out, not connecting to military computers, etc. It is there so the crew of sailors missing their significant others can communicate in whatever way they choose to communicate *wink wink*.
2) r00t was right in saying that it would only be used on the pier. We are literally going to throw a coax cable off the side of the ship (or vice versa) and connect to a cable connection provided on the pier. Then it would hit a modem, then a hardware firewall, then a router, then the assembled collection of WAP devices.
3) There is no red tape to cut because all of this is coming from MWR (gear) and the crew (who pay the internet bill) itself, and is actually common practice. I just wanted to go the extra mile and be able to download some Google Books from my rack and have a bit of the feeling of being home.
4) Do any of you honestly believe the military could throw you into a prison for posting a comment on how to set up a VPN and suggesting VPN providers to a sailor trying to feel more at home? Seriously? I understand a respectful level of paranoia, but damn, guys.
5) I appreciate some of those who responded. I will admit to not reading all of them. I just don't have the time, and most of them made my zombie apocalypse paranoia seem as common as athlete's foot on a soldier. For those of you who did try to help, I just want to say thank you.
6) None of it matters - we are using Batelco, which likes to raep VPNs and SSH connections, and auto-blocks proxies. Yeah.....
Come to Hammas VPN! Best VPN for US Navy ship; we provide best triple-encrypted VPN service.
Note, we are not affiliated with Hamas; we have extra "M" see? Totally different.
Seriously, shouldn't every ship have a home port to dock at?
I'm sure they restock the ship there with chocolate, potatoes, fuel and whatnot?
Why is there not also a VPN server located there? It's like it would cost a gazillion dollars, funny!
If your CEO is the son of a service person, you'd think he'd know the multitude of reasons why what is being requested is highly illegal.
You guys might run a VPN termination point, but you clearly don't understand your business.
The above fact is exactly why people like you aren't allowed to fuck around anywhere near military operations, you don't know what you're doing nor the consequences of your actions. You do not have DoD certification or even apparently know that its required.
You and your company are in no way qualified to provide service to our active military, you'll end up getting people killed.
For something small scale I might suggest OpenVPN if there are budgetary constraints, or maybe a VPN service for small-scale non-critical services....
But in this case I'd look into something like a Cisco ASA 5510 on site, and another on base in the USA. Route all outgoing traffic from the remote base to the home base, and route VPN traffic to the net from there.
That solution will provide you much more control and security than a cloud provider. And it would be transparent to the users.
Former IT on a Navy ship that deployed several times. If you are talking about an offship connection you're not going to get it onboard unless you run cable and your command is okay with breaking the rules. If you are talking about getting a VPN through the ships connection that's not going to happen either. You have the regional NOCs that firewall everything you are not allowed to have, including websites and protocols. These are closely monitored and if they spot anything, the ITs will get a naval message quick. Since you don't state your rate, if you are IT and your command is okay with trying to break the rules through the onboard connection that's not going to last long and will end up with someone at mast.
When I was deployed between 05-07 you were not even allowed to have wifi devices onboard. We regularly scanned for them and most often ended up confiscating wireless routers from officer country, the biggest offenders being marine officers. But, whatever you do know that anything done through your ships connection will be seen. And if you're not an IT, realize they do have the authority to confiscate ANYTHING you plug into the ships network that does not belong there, including your personal laptops and gaming consoles.
So much for fighting for freedom of speech and American values..
Seems to me that perhaps the US military is protecting a country that is against human rights and against freedom of speech.
But I am sure this article is trolling. I say this as I can't believe a US warship doesn't already have encrypted Internet channels back to DC. Sounds like a hoax.
Easiest way is for getting a world phone with data capabilities and don't use the local fascist government repression of the peoples systems.
What navy ship are you attached to? I've been on 3 US Navy deployments and we never "deployed" to a country. We were hazy grey and underway if you get my meaning.
I hope that was a properly specced CAT5 cable. Domestic cable releases poisonous fumes when it burns. Cable used in ships and aircraft (especially military ships) should be appropriately rated so that in the event of a fire your brother's network doesn't kill people.
Yup, those private individuals who live aboard boats all the time. There are a number of companies that provide exactly the service you want, complete with anonymizers and end-points in various countries.
From what I hear they are made up of several CIA agents.
Your CO will fully understand! After all, it was made by the US Naval Research Labs..
In the Middle East region you should consider the Thuraya IP service, as it is the cheapest offering and aimed at providing Internet to communities in areas where there is little or no backhaul. It will still cost a lot though (if I remember correctly, around $100/GByte). The Thuraya IP service package has 30GB/month with top-ups in lumps of 30GB/month.
If you can commit to a long-term contract (1 to 3 years) a better choice would be Ku-band VSAT, which can work out as low as $2k-$4k/month per megabit.
I had to research this recently.
Andy
So many wise-crack replies to the OP.
What about actually answering the question and THEN giving your two cents guys?
Okay, I'll go first then:
STRONGVPN.com
SWISSVPN.com
are my two options.
Then you could have a look at this recent review of VPN providers for further elaboration on this:
http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
Here is another review site: http://www.vpnhero.com/vpn-reviews/
Good luck on the assignment, and happy surfing!