Ask Slashdot: VPN Service For a Deployed US Navy Ship?
shinjikun34 writes "I am currently stationed on a U.S. Navy ship deployed in a country with restrictive internet policies. We are currently in the process of setting up an entertainment internet connection for the crew to use in their downtime. I suggested (and was thereby tasked with finding) a VPN service that would support 100 to 500 devices, have an end point inside the continental United States, be reasonably priced, and secure/trustworthy. Something that is safe to use for banking and other financial affairs. Ideally, it would be fast enough to support several VoIP calls (Skype, Google Voice, etc) alongside online gaming, with possible movie/music streaming. It will need an end point in the U.S. to allow for use of Google Books, Netflix, Hulu, and other services that restrict access based on region. I, in all honesty, have no idea where to begin searching, and I ask the good folks of Slashdot to aid me in my quest. One of the main requirements I was given is that the company has to be trustworthy. And it has to be a company — computer in someone's closet hosting a VPN isn't acceptable to the Navy. What services would Slashdot recommend? (I understand that our connection without a VPN probably won't be able to handle the described load, but I would prefer a VPN service that offers capacity above our need. That way when T/S'ing the connection, the VPN can be at least partially ruled out.)"
You would prefer they asked the Geek Squad?
Try Pair.com in Pittsburgh, PA. I've been with them for over 16 years now and I've been very happy with their service and support.
Whew! This water sure is cold!
Just create a VM on aws.amazon.com and configure it to your heart's content.
Doesn't the navy have its own Internet structure? Or may you not use that?
The NSA is tasked with securing such communication and you should regardless of classification of data be using their equipment or at least an approved system. In that way you know that you at least are protected from your provider.
Your users shouldn't even know you're doing jack to their connection except to show as a US IP address. There should be no identifying information that points that IP to any military activity.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
Oh don't worry they aren't going to take your word for it.
But as far as doing their homework, gathering opinions and collating data for review, they're asking in one of the right places.
I know Sonic.net offers their customers VPN service, and have a great track record and are a pleasure to work with. I'd call their business/enterprise department and see what kind of bandwidth they can give you in a VPN termination.
However, I hope you're aware of the dangers of having multiple secure and insecure internets in close proximity...I sincerely hope one moron with a patch cable can't bridge the "entertainment" network to anywhere else...frankly I'm surprised this isn't handled by the USN core networking folks already....?
You realize that some of the people reading Slashdot around the world are going to have a vested interest in getting a back door into your affairs, right?
This would be an excellent trap to catch foreign agents.
I would be very wary of doing such things on a government connection. Your C/O better have written off on it officially.
forget online gaming on a ship as the lag is killer and moving from area to area can lead to drop outs.
I'm surprised this is even an option, I recently worked at a remote US government facility and there were heavy filtering requirements in place. Do military regs really allow you to avoid their regular IT controls and policies this way?
At any rate, my first question is are you talking about a physical internet connection while in port, or using a satellite at sea or what? You're talking about supporting an awful lot of users and data through the VPN, but can your basic connection support that?
The ship itself is U.S. territory.
Good-bye
You imperialist murderers.
1) Lease a box at a site with reliable, low-cost bandwidth (Somewhere like PhoenixNAP, AtlantaNAP, Rackspace, etc.) - This should run you between $50 - $150/mo for a decent system with several terabytes/mo data transfer (More than enough for Hulu, Netflix, etc.). 2) Make some friends in the Navy IT dept. - Have them help you set up a hosted VPN service on the box in their off time. This will be the lowest cost, most secure, and most reliable service you can get.
Almost all VPN services are fly-by-night ops. Just don't do it. Seriously, they come and go like the wind. I'm sure there are legit and have been around for a long time but it's nigh impossible to vet any of these companies.
Instead find a good hosting provider and rent yourself a server with the amount of bandwidth you need and the location in the US you want (most providers have data centers in various places). For more security I would get a whole machine, not a VPS. Run OpenVPN or whatever on it and you're good to go. It wouldn't need much disk or RAM.
The ratio of people to cake is too big
Not a VPN, but what about an IPv6 tunnel to Hurricane Electric? Much of what you are interested in is IPv6 accessible. And the HE tunnel is free.
Might check and see where the IPv6 anycast address routes to from your location. Might be in a different country.
Anything other than a government controlled VPN would be a dumb move. One step back though, why do you need a VPN? I assume the Navy can get its hands on a decent US IP range and have it routed properly? Even with non-US IPs you can probably get access. Most entertainment companies have good relations with the military - they could provide access as a courtesy.
Create a VM endpoint in the US on something like Amazon Web Services. Fire up a tunnel (vtund over ssh? openvpn? whatever) from your ship's router to your endpoint, route traffic through it, make sure your local DNS resolves through the tunnel, and call it a day. This way you won't need to tell people to mess around with VPN clients. The fewer moving parts, the better.
This is pretty simplistic though. You need to give us more details. How much bandwidth do you have to play with? What is the expected latency? How much tolerance is there for downtime? How much access control do you need? There are all kinds of additional steps that could make this kind of service more reliable.
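A check for the setup the comment above describes, added here as an example that is not part of the thread: given the router's `ip -4 route show` output and its `resolv.conf`, it uses longest-prefix matching to confirm that general traffic and every DNS resolver leave through the tunnel. The interface name `tun0`, the probe addresses and all sample data are constructed assumptions; a Linux router is assumed.

```python
import ipaddress

# Arbitrary public-range probes, one in each half of IPv4 space, so that an
# OpenVPN "redirect-gateway def1" style split (0.0.0.0/1 + 128.0.0.0/1) is
# checked on both halves. Constructed values, not real targets.
PROBES = ("1.0.0.1", "203.0.113.1")


def parse_routes(route_text):
    """Parse `ip -4 route show` lines into (network, device) pairs."""
    routes = []
    for line in route_text.strip().splitlines():
        fields = line.split()
        if not fields or "dev" not in fields[:-1]:
            continue  # e.g. blackhole/unreachable routes carry no device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def parse_nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    servers = []
    for line in resolv_text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def egress_device(routes, addr):
    """Longest-prefix match: which device would carry traffic to addr?"""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def audit_tunnel(route_text, resolv_text, tunnel_dev="tun0"):
    """List (kind, address, device) for anything that bypasses the tunnel."""
    routes = parse_routes(route_text)
    findings = []
    for probe in PROBES:
        dev = egress_device(routes, probe)
        if dev != tunnel_dev:
            findings.append(("route", probe, dev))
    for server in parse_nameservers(resolv_text):
        dev = egress_device(routes, server)
        if dev != tunnel_dev:
            findings.append(("dns", server, dev))
    return findings


# --- Constructed sample data -------------------------------------------
# Tunnel up with the two /1 routes; the /32 host route keeps the encrypted
# packets to the (made-up) VPN endpoint on the physical uplink.
ROUTES_TUNNELED = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
198.51.100.20 via 192.168.1.1 dev eth0
"""
# Tunnel interface exists but nothing is routed into it.
ROUTES_PLAIN = """
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
RESOLV_LOCAL = "# handed out by the shore-side DHCP server\nnameserver 192.168.1.1\n"
RESOLV_TUNNEL = "nameserver 10.8.0.1\n"

if __name__ == "__main__":
    # Traffic is tunneled, but the resolver is on the local LAN: the more
    # specific 192.168.1.0/24 route wins, so lookups go out in the clear.
    print(audit_tunnel(ROUTES_TUNNELED, RESOLV_LOCAL))
    print(audit_tunnel(ROUTES_TUNNELED, RESOLV_TUNNEL))
    print(audit_tunnel(ROUTES_PLAIN, RESOLV_TUNNEL))
```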
Is the OP saying that the Navy doesn't already run a VPN? WTF?
But seriously... Are there no controls onboard a US Navy vessel that would prevent *anything* that's suggested here from being implemented?
How much salt water safe coax can they trail behind the ship? I mean, it can get pretty messy, especially if they go around an island or something. Really, shouldn't the poster have at least considered these basic issues?
No wonder the navy budget is HUGE!!!
OK I'm not American (I'm Australian), but this whole post elicits a massive "WTF" from me.
If this is a Navy ship, belonging to the world's most powerful military and run and administered by a branch of the US Government, then surely:
a) if this kind of usage of the connection is permitted, the Navy (or other government entity) would have its own infrastructure you could use for this; or
b) if not, there'd already be a clear policy that stated who your preferred providers of such a service would be (having been vetted and cleared for such use by the relevant IT people within the Navy)
I mean, I can't imagine any government department, let alone the Navy, giving some random guy the task of finding and setting up a VPN via whatever means he happened to think was good.
Also, um, doesn't the ship have its own internet connection? I'm surprised that the filtering practices of the country where you're based are affecting you ... surely you don't allow people on the ship to use random, untrusted connections provided by whatever place you happen to be in?
Anyway, as I said, I'm not American and wouldn't have a clue how the US military operates. But I can tell you this kind of thing would never fly in a government department here.
Then respect the laws of that country and don't try to bypass their Internet policies.
Foreign laws don't apply on an American warship, which are considered US territory. I learned this in a very practical sense many decades ago, when I was on an LPH in the South China Sea. We picked up a load of Vietnamese boat people, including a pregnant woman. During the stress of the transfer she went into labor, and the baby was born on the deck of our ship. When we returned to Subic Bay, all the refugees were transferred to a refugee camp. Except the woman and her baby. They were taken to the US Naval Hospital, and then flown to the USA. Since the baby had been born on the deck of an American warship (US Territory) it was an American citizen, not a refugee.
a new startup! (as of today)
And a dedicated room (very very small...) for the computer!
use my company! You can trust me... er, my company.
I like microcars
I understand personal unsecured devices on the DoD network are forbidden, but it's also easy to see where you literally have a boatload full of people with ipads and personal laptops with webcams that want internet access and a connection to family at home.
Creating a second, public-only network is the obvious solution. But given the recent wikileaks-ish concerns, I'm amazed that they are considering anyone else providing this service. It would seem that the logical thing for them to do now is to create a vpn tunnel themselves and run their own endpoints in the states. I can't imagine them not wanting a high degree of control and monitoring of it. The last thing they want is a vpn they can't easily tap into that creates a difficult-to-monitor information pipeline out of a secured environment, even if not directly-connected to the secured network. It's connected indirectly by the entire crew.
This really needs to be done internally, under the control of the military, not farmed out. Think about postal mail and now email. If you're on tour and write a letter back home, and are stupidly saying things you shouldn't, like "so excited to see we're FINALLY going to go to XXX and kick some ass next week!". That gets censored out before it gets to the states of course. Last thing in the world they want is for all the sailors to have a vpn where they have very little or no control over that.
Odds are good that whoever tasked you with this didn't quite understand the can of worms you are attempting to open; just because they're higher rank than you doesn't mean they know the subtleties of what you do. And if it does go through, it won't last long before someone higher up with a more complete understanding puts their foot down, or the press gets ahold of what's going on and has a field day. (or both)
I work for the Department of Redundancy Department.
Maybe you should call your support desk or talk to your commanding officer?
A LOT of money has been spent by the government to give you a secure environment, with thousands of pages of STIGs to comply with, encryption, and other safeguards.
It sounds like you want to do an end-run around the regulations and security imposed on your shipboard environment. The policies in place have been shaped over the last two decades.
Do you have the slightest idea of the issues involved? We got in trouble for pinging ONCE A REBOOT from PCs that were shipboard (to check to see if they had rejoined the land-side networks), as the Naval side saw it as an attack on their network. There are real bandwidth issues on board a ship, as well as a whole slew of security issues. Just tunneling through a VPN connection is not a solution at all.
But when you are in the US try the best you can to avoid the laws of that country such as IP laws? Why are extremely restrictive laws in a foreign country more important to follow than much less restrictive laws in your own?
Negative moral value of force outweighs the positive value of good intentions.
We are happy to provide you free VPN termination for your needs. You're welcome to have us checked out. US owned, operated, our CEO is the son of a service person, and we support our armed forces. Contact sales@login.com and we'll set up whatever GRE/IPSEC/other VPN you want.
Thank you for your service.
Ehud Gavron
Login, Inc.
Tucson AZ US
Like many technology items, the Navy contracts them out. HP got a sweet no-bid contract extension (HP bought EDS which originally bid it). Since then they have been charging the taxpayer over $2000 a year to provide network connectivity... for EACH WORKSTATION.
http://www.wired.com/dangerroom/2010/08/hp-holds-navy-network-hostage/
http://www.wired.com/dangerroom/2012/02/navy-internet/
In theory the Navy is supposed to start rolling their own stuff, but my guess is since this is on slashdot HP is going to make a big stink about it and shut it down.
The connection over which the data is traveling is not US territory. What's your point?
After being deployed for nine months aboard a US carrier a few years back I can completely understand where the want for an external network is coming from. I assume you are looking for an in-port solution, at sea this is completely against IT policy. I would get in touch with the MWR rep they may be able to pull some strings back home.
Nearly a hundred posts, and neither the submitter and only one responder have asked. The presence of the word "ship" leads me to believe we're talking about wireless, combined with "restrictive Internet policies" drives me to the conclusion that this is terrestrial wireless to a local ISP. Submitter should clarify this, because it will directly impact their requirements for latency and bandwidth long before a discussion around VPN providers should occur.
You are proposing a non-military access point onto a vessel vested with the task of protecting the interests of the United States.
It's the goddamned internet... You have to hook it up SOMEWHERE. If I could, I'd build a plinth and put this comment on the top and a faceplate under that said "Stupidest Person in IT Award (2012)". I'm gonna go take a shower now... I feel dirty.
#fuckbeta #iamslashdot #dicemustdie
http://www.birdstep.com/english/secure-mobility/safemove-mobile-vpn.aspx
dunno if it's expensive, it should provide a bridge though since that's what you need(apparently, so that your lan games don't route through to usa and back. where safemove is good is that you could install it on the machines and go to a cafe on shore and still be safe, with pretty much zero hassle).
what you want is a service with which you can locate the endpoint in a datacenter you choose, the military probably has some.
buying that endpoint service inside usa is probably going to be peanuts compared to buying the actual bandwidth for those 500-1000 users in some shithole country.
(some people on the thread don't seem to understand that this is the _entertainment_ network with machines separated from the military side, it's pretty much standard practice in any competent military).
world was created 5 seconds before this post as it is.
It's the goddamned SECURITY that is the issue here, dear genius IT person
I guess I just don't see how two computers that have no electrical or wireless connection to one another can interfere with one another in a malicious fashion. Perhaps you could enlighten me, oh Ye of Infinite Knowledge?
#fuckbeta #iamslashdot #dicemustdie
This article has to be one of the best trolls to have ever been done here on Slashdot. Not only did it get the editors to put it on the front page, but it also has most everyone actually taking it seriously.
Laws are not deserving of respect.
Yup, exactly. I'd be very surprised if there was a way to set it up so it was 100% guaranteed to be independent of military equipment (it's going to have to share the same satellite link for example), and unless there's a military networking specialist on /. who's happy to talk openly and publicly about their systems...?
The only people who should be setting this up are the people who admin the rest of the networking equipment on board.
Please consider this account deleted, I just can't be bothered with the spam anymore.
What about USB keyboards / mouses? USB printers? As nowadays it's getting harder to find PS2 stuff.
Agreed. The US Navy does a lot of great things (some of their disaster work is first-rate, for example, and they also do anti-piracy work and help ensure free navigation), but our armed forces and military policy have also been responsible for a lot of really bad things (allying with armed forces that place zero value on human life, adding to demand for forced prostitution, propping up oppressive regimes).
It's not black and white, and talking points on both sides (insofar as there are only two) have some truth to them.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
Then the Navy should provide such a VPN and a secure network channel back to US territory. Depending on a private VPN provider is not a good idea. Aside from trust issues, using one VPN per ship can still provide useful traffic analysis data. Internet traffic from military personnel should look like it comes through one portal, or be randomized so that location data cannot be deduced.
And then there's the issue of VPN security through foreign Internet facilities. It's quite possible that the country you are stationed in has equipment capable of cracking your VPN. Even the evidence that a VPN is in use over their network facilities, where it might be prohibited by their local laws isn't good policy. That's the kind of thing that makes some people mad enough to strap on a bomb.
Have gnu, will travel.
Hmm... I think the issue is how to download porn. There's no reason they cannot, at sea, own an entire library of pirated movies on DVD or Blu-ray, and all the games, so they don't need netflix. Satellite telephone should work in place of skype. But the anonymity of online porn is difficult to provide any other way. It seems like the US Navy should have been thinking of alternatives to "onshore leave" for decades, and after spending $20 billion per year on air conditioning, should have come up with the nicest holodeck porn technology ever dreamed of. Then we could release under USA licensing agreements, and pay off the national debt.
Gently reply
It's completely reasonable for you, with orders, to investigate. But if you pull this behind the back of the existing infrastructure maintainers, you could be in a great deal of trouble for violating security policies that no one here is equipped to help you follow. Contact the IT personnel at your main base, and find out what they've already got in place, and what policies you need to work with.
As a deployed ship, every communication should be encrypted: even casual email to your families about when you're coming back might be considered military intelligence, and I've seen commercial cases where personnel were not _allowed_ to pre-encrypt their communications before it hit the local proxies, precisely so it could be checked for confidential material. I've explained to clients and partners that this allows local monitoring to intercept the communications between their private machines and the proxy, and for anyone who cracks the proxy to read it all, and then they had to factor in _those_ issues.
You're also going to face potential issues with people taking "unsecured" machines for any "social" network and cross-connecting them to secure communications. That's just what the IT personnel at your home base should be able to help you assess. Even if you wind up doing most of the work, keeping them informed will mean that the pitfalls or incompatible tools can be recorded for anyone else who needs to do this.
Another group that might be able to help is the USO: They've been involved in helping communications for active military throughout their existence, and they might be aware of others who've faced just these questions and whom your normal chain of command might not be aware of.
This VPN sounds like the perfect service for moles to transmit their findings.
I agree with all those before me that said this is a troll. I would use my real account, but that may get me into hot water.
First off, you are in no legal position to be enabling a VPN from a US Naval Vessel to any location. Not even to your own home port of call.
Second off, if you do this, you deserve to be court-martialed. So does your commanding officer.
Third, I have worked in various NOCs for the DoD. While the majority of the contractor setups are screwed up in some fashion, there are those of us who DO know our shit, and we will ensure that you are thrown in the brig or the stockade ever so swiftly.
You think we don't know what you do while you are on that ship? SERIOUSLY?
Then respect the laws of that country and don't try to bypass their Internet policies.
Would you have said that if the guy wasn't in the military?
#DeleteChrome
Soldiers need rest and relaxation time between their murdering sprees in the pursuit of imperialism. But what's really pathetic is that they actually bother to follow the laws of local countries, instead of just barging in and doing whatever the fuck they want. What's the point of having a big military to go around and project force, murder people, and seize control of resources, if you're then going to bow down to locals and follow their idiotic little laws? I'm sure the Roman Army never did anything like that; if they wanted something, they just took it. If there was some stupid local law that inconvenienced them, they ignored it and slaughtered anyone who got in the way. When the British Empire during their peak in the 16-1700s sent their Navy ships into foreign ports, do you think they bothered to follow local laws? Hell no. If the locals got mad about the activities of their sailors, the ships would just blast the town with their cannons. The whole point of a military is to use brute force and violence to get your way; if you've decided to take this step, and thus send your military to foreign locales in this pursuit, what is the point of following local laws? Either do it 100% or don't do it at all.
I guess it can be only gulf countries and I'm in one of them right now (most restricted country, hehe). Please take a note, that they are tracking VPN activity, and some countries who block VoIP, can block your VPN too, if they suspect you use it for VoIP. I recommend PCI compliant VPN, to PCI certified hosting, if you want to do banking. E.g. if you want to go serious way, find colocation (PCI compliant!), let's say 1/4 of rack, put there VPN router (also, again, compliant), and your side too. Note, that some services like Netflix, PS3 videos won't work for IPs from hosting, because some people from other countries use this way to get US address, and services are blocking all hosting IP ranges, so you have to test it first.
Sure you can go cheaper way, it won't be compliant, but still very secure. Let me know if you need more information.
Small world. I had no idea you were on slashdot -- we briefly met a few years back for a Thawte notarization.
Anyway, good to know you guys are still around and doing stuff like this.
This post is a fishing trip. The poster is trying to get responses from people in the military that have already done what he seeks, and once he knows what unauthorized networks are being used, he can then locate them and attack them.
After numerous wikileaks excursions, there is no way the government is actually allowing this sort of network on-board ships. This might actually BE the government sniffing out potential leak sources. If any of you troops are considering answering this guy with factual information, think twice, then thrice.
As I said in another post here, the situation strongly resembles the decline and fall of the Roman Empire. Wikipedia has a great article about it here. There's a lot of parallels with the bloated military machine, and the decrease in technical innovation.
Yes! Hi Pete! It sure is too bad Thawte's Trusted Third Party system was taken down by Verisign. I'm also unexcited that there are no email S/MIME signatures good for more than 365 days... it's a step backward.
Ehud
God damn Muphry's law...:-/
See http://www.spi.dod.mil/approach.htm and present your situation. The need for secure and non-secure environments to exist, and function, separately in the same macro-environment, without cross-contamination, is something they should understand, and have interest in developing. I suspect a controlled micro-macro-environment, such as exists on a ship at sea, might be a good development and experimenting environment, for which they might have specific interest.
The SPI people are Air Force, instead of Navy, but what are airplanes except submarines that deploy in a lighter medium? That return to the bottom instead of to the surface...
And I can see it worked very well when you got dragged in long wars ... for example for Vietnam and Afghanistan. It surely did not create any issues at home.
:(
Are you trying to troll, I cannot tell since your argument is quite weak
Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
Shipmate, I will throw the flag on this one (you know which flag). On US Naval ships, the physical liberty port (where in the world you are) does not set your firewall (or restrict your access to information on the web). Contact your ISSM and ISSO to learn how www.slashdot.org and other websites can or can't get to your computer screen (and I am sure they will want to know BEFORE you set up an "Entertainment Connection") ... and before you get into trouble or worse get someone hurt. It's folks like you why we have to sit through the same GMT every year telling us stuff we should already know.
As I am sure the good folks of Slashdot will no doubt help you to set up a VPN connection so you can play your WOW or D3... I GUARANTEE YOU nor ANYONE on the ship was commissioned or authorized to set out and find a way to circumvent the internet connection (or policies) provided to the ship or sites you can get to.
"One of the main requirements I was given is that the company has to be trustworthy"
Are you kidding me?? If you take someone on how trustworthy they are because they said so over the internet..wow. Show me the note/instruction/email/whatever telling you to set up this connection. I will kiss your ass on main street and give you an hour to draw a crowd.
We spend millions and millions of dollars on information and operational security... for some bravo foxtrot like you to come along and think you are slick to buck the system. Get off the ship and enjoy the culture... go see something. If not go find your Chief and ask them for something to do.
Loose lips sink ships.
First and foremost as a US Army Signal Officer, I'd like to say that you're opening up your entire unit to some major OPSEC issues with this sort of request on Slashdot. To answer your question, the Navy provides SPAWARE Packages that can be requested through your COMMO Section. I would highly recommend you look at this as a secure method of connecting to the internet while overseas. They have packages that will support hundreds of Sailors and are encrypted. It supports skype and even a small package will support multiple calls at once.
Actually, if you read between the lines, I'm advocating for non-interventionism. Militaries are a necessity I'll agree, but they should only be used as a last resort, and when that point comes, then everything else goes out the window. Until that point comes, soldiers should be kept at home, and never deployed anywhere (except for the Navy of course, whose job is to sail around and always has been, but even so, they shouldn't be docking at other countries for very long, maybe long enough for a brief shore leave, and shouldn't be dependent on any resources in those foreign countries). The model the US uses, where it established bases in foreign countries to push US policy but then doesn't actually bother to conquer that country, and even follows the local laws, is just wrong, as it's obviously only being used to help out US-based corporations and not being used to defend US citizens from any actual threat that requires the use of violence.
I've also been a Pair customer for many years. Their support is absolutely fantastic. Unlike many large companies who don't bother to read your questions and just reply with boilerplate, Pair responds quickly and accurately, and follow-ups are quick and easy (email). Sometimes, they've proactively fixed accounts that were at risk due to a security flaw or upgrade.
That's largely irrelevant. It's quite possible that (apart from the first and last) two subsequent packets travel through an entirely different set of countries.
So which laws apply? Union? Intersection? Simple majority?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
So you mean that I as an internet user now need to know exactly where and how my packets are routed? Because you claim that if that data travels through a country with different laws, I must follow them.
c++;
Rackspace, Amazon, any of the companies that give you a server in a rack on a OC48. Have them install linux and you maintain the VPN install.
You will maintain full control and it will not show up on most nations' known VPN blocklists.
Do not look at laser with remaining good eye.
eg Zscaler
Which uses VPN or Proxy, and also provides security services, such as web filtering/policy enforcement, but according to your network's rules.
Still, over such a long distance, there is likely to be latency issues with any VPN setup; you're making a bad problem potentially worse adding that extra little bit of latency.
I don't think you'll have high-bandwidth media streaming working very well, although there may be some WAN optimization products that could help with that, if only your organization had network endpoints both in the US and outside the US.........
As any US citizen visiting a foreign country, yes. More so if that person has been granted special privileges as a diplomat or US official.
If a citizen of some country needs a VPN to bypass their own corrupt or unjust government, then I'm all for helping them. But it's got to be a grass roots effort. None of this CIA sponsored change of government crap.
Have gnu, will travel.
Not to mention it should all be done on military ISPs over military connections/wireless frequencies
Not if its for personal entertainment purposes. Obviously, devices that connect to this insecure network should not be used for military communications or military data storage, ever, that would be a huge security risk. They should also not be used, if the signals will be compromising.
It does make sense to separate that entertainment stuff and not use the military network for that.
The devices for military communications should never be connectable to the entertainment network, also.
The US Government is trusting Slashdot users to determine the wireless/wired VPN configuration aboard a US Navy ship?
Well, there are worse places they could go ask the question, like uh, 4chan /b/.
Since /. users seem to be exceptionally dense, let me spell it out for you lot. Warships stationed in a foreign port are allowed to do so only at the sufferance of the host country. Activities by said warships while there are heavily scrutinized, for a variety of reasons. Bringing things onto a ship that are not legal in the host country through said host country's terrestrial communications is a good way to create an incident.
"I am currently stationed on a U.S. Navy ship deployed in a country with restrictive internet policies."
Ah, so you are in San Diego. Tough shit with the infernal M*FIA IP restrictions.
MIL: yeah lets ask the guys on slashdot, they could help iam sure SGT: yes sir, good idea sir
I fail to see the problem with this... would you rather they throw billions at Fly-By-Nite-Live-In-Parents-Basement company that does the same thing? Who better to offer solutions than /.?
my karma will be here long after I'm gone
The only people who should be setting this up are the people who admin the rest of the networking equipment on board.
Yeah, I wondered about that. The beginning of the question sounded like "I'm just some guy trying to get internet for my buddies" and by the end it sounded like it was officially sanctioned and approved? If it's official, they have their own people for that, but regardless the question is still the same.
my karma will be here long after I'm gone
Whoosh!
How was Afghanistan a long war?
You really need to learn the difference between war and occupation.
Vietnam was the last time we didn't whip their ass overnight.
Occupations are ALWAYS long term if you actually expect to make a change in a place that has been killing EVERYONE AROUND THEM FOR THOUSANDS OF YEARS.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
The Navy doesn't have any spare capacity in its data centers for this? This seems like another waste of taxpayer money by outsourcing something that could clearly be done easier internally.
If you don't have it now then the DoD won't allow it for so many diplomatic and security reasons. I am surprised that you are silly enough to broadcast your intent to try this. I would guess that by tomorrow there will be a memo reinforcing the reasons why you don't do this.
There was an unknown error in the submission.
Unless, of course, the OP has been pestering for this for a while and this is the CO's way of saying "I'm not explaining this again, go and find out 'why not' for yourself..."
Please consider this account deleted, I just can't be bothered with the spam anymore.
I will attest, if anyone can figure out how this can be done it would be Ehud and his team at Login. Just Saying :)
Even if it's not prevented by technological measures on the ship, you can be damned sure there are more rules and regulations than he could spend the rest of his military career reading.
The DoD isn't particularly fond of people doing anything with information that they don't have control over.
Even if the DoD didn't like it, anyone with anything resembling security in mind wouldn't want to open up any sort of security risk. Opening an encrypted tunnel to circumvent packet inspection sounds like a wonderful way to bring in viruses, or send out classified materials. And fuck, potentially compromising any systems on a military vessel could be the difference between surviving and losing all hands.
I do have suggestions on good things to use, for civilians, in civilian environments, where it really doesn't matter if they get some malware, or otherwise hose their system. I won't touch this one. I'm allergic to prison, and more so to military prison.
Serious? Seriousness is well above my pay grade.
> Opening an encrypted tunnel to circumvent packet inspection sounds like a wonderful way to bring in viruses, or send out classified materials.
The (perhaps incorrect) impression I got from the poster was that this isn't for a single computer, but would instead be available to multiple machines and would be used to circumvent a country's restrictions and/or packet sniffing. As there would be network equipment involved before the machines connected to whatever was handling their VPN traffic, the Navy official that was in charge of it could easily set up port mirroring in order to inspect the traffic.
Insert witty
Bringing things onto a ship that are not legal in the host country through said host country's terrestrial communications is a good way to create an incident.
Depends on whether the host nation is one of the 193 ITU members or a signatory of ITU and other treaties. Basically, as a rule, transmitters and sometimes receivers (in closed states) are regulated. Radio waves, by their nature, are not regulated or even "owned" by anyone - this is agreed to by treaty. If the host nation is an ITU member, then as long as the transmitter sticks to the appropriate frequency band and is operated on the ship there's nothing to worry about because, basically, they will have already agreed that it's fine to transmit through their territorial airspace. If the state is advanced enough to care, then it's an ITU member.
http://www.itu.int/cgi-bin/htsh/mm/scripts/mm.list?_search=ITUstates&_languageid=1
From my experience, once someone opens their mouth about a possible way around an issue some officer or higher up doesn't like, that person is there tasked to get it done. Officers don't know all the regulations as well as we'd hope and most of the ones I've known seem to feel they are above the regulations (ship officers get a big head unless on a flagship). I can say with confidence this won't be allowed on the ship even if the OP succeeds. First military inspection will take note of it and demand they take it down before they continue on with the inspection.
As others have mentioned, those decisions don't come down to a sailor on a ship. They come from the command. There are miles and miles of red tape,
Others have also mentioned that the military *does* have provisions for such things. In asking for another way around, he's basically saying that he wants to circumvent the security of the ship for undisclosed reasons.
Sure, there are technical ways that we can suggest to monitor the traffic on the ship side of the VPN. The problem here is that he most likely doesn't have the authority (or even real permission) to explore the options. He's most likely going to find himself in some very uncomfortable discussions with some strong penalties threatened.
Serious? Seriousness is well above my pay grade.
I assume he intends to literally toss an Ethernet cable from ship to shore. I bet they do this for electrical power too; why burn fuel if you don't need to? Maybe they even attach water and sewer pipes. They can disconnect if they need to go out to sea, properly if not an emergency or ripping loose if it is an emergency.
it's going to have to share the same satellite link for example
The whole point of this is to avoid the satellite link. He's probably in port, where he can just toss a cable from the ship to the dock. At worst he's close enough to shore for a WiMax link. I'm betting he's in port. He probably also has temporary connections for power, water, and sewer. It's probably like an RV hook-up at an RV campground.
I'm betting this comes out of some morale/entertainment budget. They couldn't afford Madonna, they aren't allowed to use that budget for hookers or alcohol, and thus... the internet.
You can't usefully put more than about 25 devices on a channel. Assuming all the devices are 2.4 GHz, you have at most 3 channels. 75 devices doesn't do the job. If you only connect the VPN endpoint though, then that is just one device and it'll work tolerably OK. Better would be stringing an ethernet cable to the dock. He probably already has a power cable, maybe even water and sewage, so it wouldn't be a big deal. You just unplug it when you go to sea, or rip it loose in an emergency.
I'd be very surprised if there was a way to set it up so it was 100% guaranteed to be independent of military equipment (it's going to have to share the same satellite link for example)
If that were the case (sharing), why would they be concerned about the other country's internet laws?!
120 characters ought to be enough for anyone
And why would anyone offer to help circumvent a country's restrictions and/or packet sniffing? Because you don't like the rules and regulations yourself?! It seems the OP is quite ignorant to rules in general. For what it's worth, most telecommunications will let you apply for an exemption to internet restrictions with appropriate justification. The use only by American citizens on a ship flying an American flag might be enough.
Often, in other countries with new or government owned infrastructure, subsidize their internet costs/collect their taxes by international voice minutes/telecommunications company profit. Just like some argue the internet should be free - others say the same about water. There are distribution costs and there are some who will abuse the use of resources. In the Middle East, international cables often run through unstable regions and shallow waters; cables are held for ransom and cut when the telecommunications companies do not pay. Boat anchors often take out cables accidentally. The majority of content is tens of thousands of miles away and the infrastructure is new.
I would be surprised if this isn't modded "-1 I disagree" but sadly we are not yet technically able to share everything and not abuse what we have
120 characters ought to be enough for anyone
If you are asking these questions (they are good questions) this is likely WAY above your pay grade. You need to find the people that know the regs and tech and get them involved. Now. Slashdot is nice but it's nowhere near sufficient and much posted will be simply wrong if you care about your career even when technically correct (and a lot won't be).
...and a random thought: Would setting up WiFi be "interesting" in a compartmentalized steel ship?
The number of ways to screw this up (assuming it is even allowed) is mind-boggling and there are at least three major categories of ways to screw up: Military, Technical and Political.
Please note you may be opening a can of worms not just with the Navy but the country you are berthed at! There are places where encrypted internet traffic is not looked upon kindly.
The trade offs are non trivial. Having on-ship access means devices are more likely to stay on board, which is a very good thing. Installing high speed internet access can make any data leaks go faster, not a good thing. If you do this you need every t crossed and every i dotted.
This must come up a lot and I guarantee the Navy has a stack of rules somewhere. If you are lucky: self-consistent ones.
The USA is rank 24 (of 182) for corruption. Only 23 countries are better. Mexico is rank 100. You have no clue about Mexico. See for yourself:
http://en.wikipedia.org/wiki/Corruption_Perceptions_Index
Of course, Afghanistan ties for spot 180 or 181. It's not so much about government; it's a matter of culture. Check out the map. The good parts of the world share the culture of northwestern Europe, with just a few rare exceptions. (the USA, Canada, Australia, and New Zealand all have culture from northwestern Europe)
Chinese corporations are busy mining in Afghanistan, not US corporations. The US only benefits indirectly by lower prices on the world market; if the Chinese use Afghanistan then they might not compete so hard for resources in North America and South America.
Ok, you can't trust any of the VPN services. By their nature, they are providing foreign nationals access to an internal US IP to gain access to Netflix.
If you are on a ship, I assume you are using satellite connections. I don't think you have enough bandwidth for Netflix, unless you are in port and wired.
So, the only real answers depend on if you want to be constantly hassled and never have any free time, or you want to pay someone reasonably trustworthy to do this. Your choice, but regardless, you will need $100K in hardware.
a) Deploy OpenVPN yourself on commodity Linux boxes hosted for you somewhere trustworthy. Get your own cage.
b) Pay Cisco to set up a VPN for you, hosted for you somewhere trustworthy. Get your own cage.
I've deployed Nortel VPN boxes that support 5K users. They work, but are far from trouble free.
If it ain't IPSec, it ain't shit. Don't trust another VPN method. SSL is a joke in comparison, PPTP too. IPSec is built into IPv6, so you may be able to leverage that in some way.
Running 2-10 pfSense boxes should handle the wired bandwidth (1 on each side to start), but you still need to deal with satellite at some point. A few Skype conversations might work over Skype, but with the latency of satellite, use of "over" "over" "over" "out" will be needed.
If you aren't technical enough to know pfSense already, then you probably want to pay Cisco to set up and run this for you.
For anyone still reading the drivel these comments have turned into, I would like to offer clarifications and corrections before I forget that I ever posted this.
1) This is a civilian network running onto a Navy ship for use as entertainment. Not sending secrets out, not connecting to military computers, etc. It is there so the crew of sailors missing their significant others can communicate in whatever way they choose to communicate *wink wink*
2) r00t was right in saying that it would only be used on the pier. We are literally going to throw a coax cable off the side of the ship (or vice versa) and connect to a cable connection provided on the pier. Then it would hit a modem, then a hardware firewall, then a router, then the assembled collection of WAP devices.
3) There is no red tape to cut because all of this is coming from MWR (gear) and the crew (pays the internet bill) itself and is actually common practice. I just wanted to go the extra mile and be able to download some Google Books from my rack and have a bit of the feeling of being home.
4) Do any of you honestly believe the military could throw you into a prison for posting a comment on how to set up a VPN and suggesting VPN providers to a sailor trying to feel more at home? Seriously? I understand a respectful level of paranoia but damn guys.
5) I appreciate some of you who responded. I will admit to not reading all of them. I just don't have the time and most of them made my zombie apocalypse paranoia seem as common as athlete's foot on a soldier. For those of you who did try to help I just want to say thank you.
6) None of it matters - we are using Batelco which likes to raep VPNs, SSH connections, and auto-blocks proxies. yeah.....
If your CEO is the son of a service person, you'd think he'd know the multitude of reasons why what is being requested is highly illegal.
You guys might run a VPN termination point, but you clearly don't understand your business.
The above fact is exactly why people like you aren't allowed to fuck around anywhere near military operations, you don't know what you're doing nor the consequences of your actions. You do not have DoD certification or even apparently know that it's required.
You and your company are in no way qualified to provide service to our active military, you'll end up getting people killed.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
So much for fighting for freedom of speech and American values..
Seems to me that perhaps the US military is protecting a country that is against human rights and against freedom of speech.
But I am sure this article is trolling. I say this as I can't believe a US warship doesn't already have encrypted Internet channels back to DC. Sounds like a hoax.
Easiest way is for getting a world phone with data capabilities and don't use the local fascist government repression of the peoples systems.
Yup, those private individuals who live aboard boats all the time. There are a number of companies that provide exactly the service you want, complete with anonymizers and end-points in various countries.
From what I hear they are made up of several CIA agents.
Your CO will fully understand! After all, it was made by the US Naval Research Labs..
In the Middle East region you should consider the Thuraya IP service as it is the cheapest offering and aimed at providing Internet to communities in areas where there is little or no backhaul. It will still cost a lot though (if I remember correctly around $100/GByte). The Thuraya IP service package has 30GB/month with topups in lumps of 30GB/Month.
If you can commit to a long term contract (1 to 3 years) a better choice would be with Ku band VSAT which can work out as low as $2k-$4k/month per megabit.
I had to research this recently.
Andy
So many wise-crack replies to the OP.
What about actually answering the question and THEN giving your two cents guys?
Okay, I'll go first then:
STRONGVPN.com
SWISSVPN.com
are my two options.
Then you could have a look at this recent review of VPN providers for further elaboration on this:
http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
Here is another review site: http://www.vpnhero.com/vpn-reviews/
Good luck on the assignment, and happy surfing!