Ask Slashdot: VPN Service For a Deployed US Navy Ship?
shinjikun34 writes "I am currently stationed on a U.S. Navy ship deployed in a country with restrictive internet policies. We are currently in the process of setting up an entertainment internet connection for the crew to use in their downtime. I suggested (and was thereby tasked with finding) a VPN service that would support 100 to 500 devices, have an end point inside the continental United States, be reasonably priced, and secure/trustworthy. Something that is safe to use for banking and other financial affairs. Ideally, it would be fast enough to support several VoIP calls (Skype, Google Voice, etc) alongside online gaming, with possible movie/music streaming. It will need an end point in the U.S. to allow for use of Google Books, Netflix, Hulu, and other services that restrict access based on region. I, in all honesty, have no idea where to begin searching, and I ask the good folks of Slashdot to aid me in my quest. One of the main requirements I was given is that the company has to be trustworthy. And it has to be a company — a computer in someone's closet hosting a VPN isn't acceptable to the Navy. What services would Slashdot recommend? (I understand that our connection without a VPN probably won't be able to handle the described load, but I would prefer a VPN service that offers capacity above our need. That way when T/S'ing the connection, the VPN can be at least partially ruled out.)"
You would prefer they asked the Geek Squad?
Try Pair.com in Pittsburgh, PA. I've been with them for over 16 years now and I've been very happy with their service and support.
Whew! This water sure is cold!
Doesn't the navy have its own Internet structure? Or may you not use that?
The NSA is tasked with securing such communication, and you should, regardless of the classification of the data, be using their equipment or at least an approved system. In that way you know that you are at least protected from your provider.
Your users shouldn't even know you're doing jack to their connection except to show as a US IP address. There should be no identifying information that points that IP to any military activity.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
Oh don't worry they aren't going to take your word for it.
But as far as doing their homework, gathering opinions and collating data for review, they're asking in one of the right places.
I know Sonic.net offers their customers VPN service, and have a great track record and are a pleasure to work with. I'd call their business/enterprise department and see what kind of bandwidth they can give you in a VPN termination.
However, I hope you're aware of the dangers of having multiple secure and insecure internets in close proximity...I sincerely hope one moron with a patch cable can't bridge the "entertainment" network to anywhere else...frankly I'm surprised this isn't handled by the USN core networking folks already....?
You realize that some of the people reading Slashdot around the world are going to have a vested interest in getting a back door into your affairs, right?
This would be an excellent trap to catch foreign agents.
I would be very wary of doing such things on a government connection. Your C/O better have written off on it officially.
1) Lease a box at a site with reliable, low-cost bandwidth (Somewhere like PhoenixNAP, AtlantaNAP, Rackspace, etc.) - This should run you between $50 - $150/mo for a decent system with several terabytes/mo data transfer (More than enough for Hulu, Netflix, etc.). 2) Make some friends in the Navy IT dept. - Have them help you set up a hosted VPN service on the box in their off time. This will be the lowest cost, most secure, and most reliable service you can get.
Almost all VPN services are fly-by-night ops. Just don't do it. Seriously, they come and go like the wind. I'm sure there are legit ones that have been around for a long time, but it's nigh impossible to vet any of these companies.
Instead find a good hosting provider and rent yourself a server with the amount of bandwidth you need and the location in the US you want (most providers have data centers in various places). For more security I would get a whole machine, not a VPS. Run OpenVPN or whatever on it and you're good to go. It wouldn't need much disk or RAM.
The ratio of people to cake is too big
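A hardened OpenVPN server baseline for the rent-a-box approach the two posts above describe, added here as an example and not taken from any poster; the PKI file paths, the 10.8.0.0/24 tunnel range, the resolver at 10.8.0.1 and the 500-client ceiling (the submitter's upper device count) are assumptions.

```conf
# server.conf: added example of a hardened OpenVPN server on one rented
# US machine. File names and addresses are assumptions, not a real deployment.
port 1194
proto udp
dev tun

# PKI generated with the OpenVPN project's easy-rsa tooling (paths assumed)
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
# tls-crypt encrypts and authenticates the control channel, so unauthenticated
# packets from the local network are discarded before any TLS work is done
tls-crypt /etc/openvpn/pki/tc.key

# Tunnel address pool (assumed) sized for the submitter's 100 to 500 devices
server 10.8.0.0 255.255.255.0
topology subnet
max-clients 500

# Client isolation: client-to-client is deliberately NOT set, so one
# compromised crew device cannot reach the others through the tunnel.
# duplicate-cn is also NOT set: each device gets its own certificate, so a
# leaked client profile can be revoked on its own via the CRL below.
crl-verify /etc/openvpn/pki/crl.pem

# Route all client traffic, including DNS, through the US endpoint. The local
# ISP then sees only the encrypted tunnel, and region checks see a US address.
# (Assumes a resolver listening on the tunnel address 10.8.0.1.)
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"    # honoured by Windows clients only; stops DNS leaks there

# Cryptographic floor for the banking use the submitter mentions
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
remote-cert-tls client      # refuse a server certificate presented as a client

# Drop root after binding the port; keep keys and the tun device across restarts
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120

# Logging kept to session state only, not a record of what the crew browses
status /var/log/openvpn/status.log
verb 3
```

The matching client profiles would carry `remote-cert-tls server` and the same `tls-crypt` key, so a client cannot be lured to an impostor endpoint by anyone holding just a client certificate.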
Not a VPN, but what about an IPv6 tunnel to Hurricane Electric? Much of what you are interested in is IPv6 accessible. And the HE tunnel is free.
Might check and see where the IPv6 anycast address routes to from your location. Might be in a different country.
Anything other than a government controlled VPN would be a dumb move. One step back though, why do you need a VPN? I assume the Navy can get its hands on a decent US IP range and have it routed properly? Even with non-US IPs you can probably get access. Most entertainment companies have good relations with the military - they could provide access as a courtesy.
But seriously... Are there no controls onboard a US Navy vessel that would prevent *anything* that's suggested here from being implemented?
OK I'm not American (I'm Australian), but this whole post elicits a massive "WTF" from me.
If this is a Navy ship, belonging to the world's most powerful military and run and administered by a branch of the US Government, then surely:
a) if this kind of usage of the connection is permitted, the Navy (or other government entity) would have its own infrastructure you could use for this; or
b) if not, there'd already be a clear policy that stated who your preferred providers of such a service would be (having been vetted and cleared for such use by the relevant IT people within the Navy).
I mean, I can't imagine any government department, let alone the Navy, giving some random guy the task of finding and setting up a VPN via whatever means he happened to think was good.
Also, um, doesn't the ship have its own internet connection? I'm surprised that the filtering practices of the country where you're based are affecting you ... surely you don't allow people on the ship to use random, untrusted connections provided by whatever place you happen to be in?
Anyway, as I said, I'm not American and wouldn't have a clue how the US military operates. But I can tell you this kind of thing would never fly in a government department here.
Then respect the laws of that country and don't try to bypass their Internet policies.
Foreign laws don't apply on an American warship, which is considered US territory. I learned this in a very practical sense many decades ago, when I was on an LPH in the South China Sea. We picked up a load of Vietnamese boat people, including a pregnant woman. During the stress of the transfer she went into labor, and the baby was born on the deck of our ship. When we returned to Subic Bay, all the refugees were transferred to a refugee camp. Except the woman and her baby. They were taken to the US Naval Hospital, and then flown to the USA. Since the baby had been born on the deck of an American warship (US Territory) it was an American citizen, not a refugee.
Maybe you should call your support desk or talk to your commanding officer?
A LOT of money has been spent by the government to give you a secure environment, with thousands of pages of STIGs to comply with, encryption, and other safeguards.
It sounds like you want to do an end-run around the regulations and security imposed on your shipboard environment. The policies in place have been shaped over the last two decades.
Do you have the slightest idea of the issues involved? We got in trouble for pinging ONCE A REBOOT from PCs that were shipboard (to check to see if they had rejoined the land-side networks), as the Naval side saw it as an attack on their network. There are real bandwidth issues on board a ship, as well as a whole slew of security issues. Just tunneling through a VPN connection is not a solution at all.
We are happy to provide you free VPN termination for your needs. You're welcome to have us checked out. US owned, operated, our CEO is the son of a service person, and we support our armed forces. Contact sales@login.com and we'll set up whatever GRE/IPSEC/other VPN you want.
Thank you for your service.
Ehud Gavron
Login, Inc.
Tucson AZ US
Nearly a hundred posts, and neither the submitter and only one responder have asked. The presence of the word "ship" leads me to believe we're talking about wireless, combined with "restrictive Internet policies" drives me to the conclusion that this is terrestrial wireless to a local ISP. Submitter should clarify this, because it will directly impact their requirements for latency and bandwidth long before a discussion around VPN providers should occur.
You are proposing a non-military access point onto a vessel vested with the task of protecting the interests of the United States.
It's the goddamned internet... You have to hook it up SOMEWHERE . If I could, I'd build a plinth and put this comment on the top and a faceplate under that said "Stupidest Person in IT Award (2012)". I'm gonna go take a shower now... I feel dirty.
#fuckbeta #iamslashdot #dicemustdie
http://www.birdstep.com/english/secure-mobility/safemove-mobile-vpn.aspx
dunno if it's expensive, it should provide a bridge though since that's what you need (apparently, so that your lan games don't route through to the USA and back. where safemove is good is that you could install it on the machines and go to a cafe on shore and still be safe, with pretty much zero hassle).
what you want is a service with which you can locate the endpoint in a datacenter you choose, the military probably has some.
buying that endpoint service inside the USA is probably going to be peanuts compared to buying the actual bandwidth for those 500-1000 users in some shithole country.
(some people on the thread don't seem to understand that this is the _entertainment_ network with machines separated from the military side, it's pretty much standard practice in any competent military).
world was created 5 seconds before this post as it is.
It's the goddamned SECURITY that is the issue here, dear genius IT person
I guess I just don't see how two computers that have no electrical or wireless connection to one another can interfere with one another in a malicious fashion. Perhaps you could enlighten me, oh Ye of Infinite Knowledge?
This article has to be one of the best trolls to have ever been done here on Slashdot. Not only did it get the editors to put it on the front page, but it also has most everyone actually taking it seriously.
Laws are not deserving of respect.
Yup, exactly. I'd be very surprised if there was a way to set it up so it was 100% guaranteed to be independent of military equipment (it's going to have to share the same satellite link for example), and unless there's a military networking specialist on /. who's happy to talk openly and publicly about their systems...?
The only people who should be setting this up are the people who admin the rest of the networking equipment on board.
Please consider this account deleted, I just can't be bothered with the spam anymore.
Agreed. The US Navy does a lot of great things (some of their disaster work is first-rate, for example, and they also do anti-piracy work and help ensure free navigation), but our armed forces and military policy have also been responsible for a lot of really bad things (allying with armed forces that place zero value on human life, adding to demand for forced prostitution, propping up oppressive regimes).
It's not black and white, and talking points on both sides (insofar as there are only two) have some truth to them.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
I suspect the story is either a total fabrication, or he's trying to get around some local restriction and not get caught.
Either way, I'm suspicious.
---- Booth was a patriot ----
It's completely reasonable for you, with orders, to investigate. But if you pull this behind the back of the existing infrastructure maintainers, you could be in a great deal of trouble for violating security policies that no one here is equipped to help you follow. Contact the IT personnel at your main base, and find out what they've already got in place, and what policies you need to work with.
As a deployed ship, every communication should be encrypted: even casual email to your families about when you're coming back might be considered military intelligence, and I've seen commercial cases where personnel were not _allowed_ to pre-encrypt their communications before they hit the local proxies, precisely so they could be checked for confidential material. I've explained to clients and partners that this allows local monitoring to intercept the communications between their private machines and the proxy, and anyone who cracks the proxy to read it all, and then they had to factor in _those_ issues.
You're also going to face potential issues with people taking "unsecured" machines for any "social" network and cross-connecting them to secure communications. That's just what the IT personnel at your home base should be able to help you assess. Even if you wind up doing most of the work, keeping them informed will mean that the pitfalls or incompatible tools can be recorded for anyone else who needs to do this.
Another group that might be able to help is the USO: They've been involved in helping communications for active military throughout their existence, and they might be aware of others who've faced just these questions and whom your normal chain of command might not be aware of.
This VPN sounds like the perfect service for moles to transmit their findings.
This post is a fishing trip. The poster is trying to get responses from people in the military that have already done what he seeks, and once he knows what unauthorized networks are being used, he can then locate them and attack them.
After numerous wikileaks excursions, there is no way the government is actually allowing this sort of network on-board ships. This might actually BE the government sniffing out potential leak sources. If any of you troops are considering answering this guy with factual information, think twice, then thrice.
This really needs to be done internally, under the control of the military, not farmed out.
One of the problems with the US military these days is that they farm out everything they can, usually to expensive no-bid contractors; they're even farming out security and combat work now to mercenaries. I'm really surprised they haven't gone ahead and farmed out even the postal service.
The whole situation is looking a lot like the decline and fall of the Roman Empire, where the empire spent so much money on their bloated military that it basically went broke. At one point, they even had to recruit Barbarians into the ranks of the Roman Army, just to defend against other Barbarian tribes. They also experienced massive inflation by reducing the value of their currency by cutting it with cheaper metals, making people move to the barter system. While during the Pax Romana period they had a highly prosperous economy thanks to an incredible trade network around the entire European and Mediterranean region and impressive (for the time) technological capabilities, during the decline, specialization of labor disappeared, the Empire stopped making any goods of real value and lived by conquering other places and looting them. Sound familiar?
I've also been a Pair customer for many years. Their support is absolutely fantastic. Unlike many large companies who don't bother to read your questions and just reply with boilerplate, Pair responds quickly and accurately, and follow-ups are quick and easy (email). Sometimes, they've proactively fixed accounts that were at risk due to a security flaw or upgrade.
I have bad news for you (and OP)-- no matter what solution you pick, at the end of the day it's going to be a computer in someone's closet hosting a VPN.
The only question is whose closet, whose computer, and what type of computer.
Honestly, depending on where you are, getting a cage in a co-lo center like Equinix or Hurricane Electric and throwing your own box in there may be the best solution. The "company" becomes "the navy" and "the colo provider", both of which are at the high end of "trust-worthy"-- reputable colos tend to have remarkably good security. Also, since it's your cage, you can audit it to your heart's content: no nasty surprises about unpatched vulns or anything.
I was looking into something similar, and Hurricane Electric offers cages with really good connection (gbit plus) for really good pricing. Only limitations are the power (7 amps, I think), but if you build your server right (like a Xeon E3-1220Lv2 or E3-1260L) you can get a very performant appliance that can handle all the VPN you can throw at it. Personally, I'd recommend pfSense if price is a factor, otherwise you could do something like a SonicWall or whatever (though they will be several times more expensive and handle several times less traffic than the Xeon).
As any US citizen visiting a foreign country, yes. More so if that person has been granted special privileges as a diplomat or US official.
If a citizen of some country needs a VPN to bypass their own corrupt or unjust government, then I'm all for helping them. But it's got to be a grass roots effort. None of this CIA sponsored change of government crap.
Have gnu, will travel.
Unless, of course, the OP has been pestering for this for a while and this is the CO's way of saying "I'm not explaining this again, go and find out 'why not' for yourself..."
Even if it's not prevented by technological measures on the ship, you can be damned sure there are more rules and regulations than he could spend the rest of his military career reading.
The DoD isn't particularly fond of people doing anything with information that they don't have control over.
Even if the DoD didn't like it, anyone with anything resembling security in mind wouldn't want to open up any sort of security risk. Opening an encrypted tunnel to circumvent packet inspection sounds like a wonderful way to bring in viruses, or send out classified materials. And fuck, potentially compromising any systems on a military vessel could be the difference between surviving and losing all hands.
I do have suggestions on good things to use, for civilians, in civilian environments, where it really doesn't matter if they get some malware, or otherwise hose their system. I won't touch this one. I'm allergic to prison, and more so to military prison.
Serious? Seriousness is well above my pay grade.
As others have mentioned, those decisions don't come down to a sailor on a ship. They come from the command. There are miles and miles of red tape.
Others have also mentioned that the military *does* have provisions for such things. In asking for another way around, he's basically saying that he wants to circumvent the security of the ship for undisclosed reasons.
Sure, there are technical ways that we can suggest to monitor the traffic on the ship side of the VPN. The problem here is that he most likely doesn't have the authority (or even real permission) to explore the options. He's most likely going to find himself in some very uncomfortable discussions with some strong penalties threatened.
it's going to have to share the same satellite link for example
The whole point of this is to avoid the satellite link. He's probably in port, where he can just toss a cable from the ship to the dock. At worst he's close enough to shore for a WiMax link. I'm betting he's in port. He probably also has temporary connections for power, water, and sewer. It's probably like an RV hook-up at an RV campground.
I'm betting this comes out of some morale/entertainment budget. They couldn't afford Madonna, they aren't allowed to use that budget for hookers or alcohol, and thus... the internet.
I'd be very surprised if there was a way to set it up so it was 100% guaranteed to be independent of military equipment (it's going to have to share the same satellite link for example)
If that were the case (sharing), why would they be concerned about the other country's internet laws?!
120 characters ought to be enough for anyone
And why would anyone offer to help circumvent a country's restrictions and/or packet sniffing? Because you don't like the rules and regulations yourself?! It seems the OP is quite ignorant of rules in general. For what it's worth, most telecommunications companies will let you apply for an exemption to internet restrictions with appropriate justification. The use only by American citizens on a ship flying an American flag might be enough.
Often, other countries with new or government-owned infrastructure subsidize their internet costs/collect their taxes via international voice minutes/telecommunications company profit. Just like some argue the internet should be free - others say the same about water. There are distribution costs and there are some who will abuse the use of resources. In the Middle East, international cables often run through unstable regions and shallow waters; cables are held for ransom and cut when the telecommunications companies do not pay. Boat anchors often take out cables accidentally. The majority of content is tens of thousands of miles away and the infrastructure is new.
I would be surprised if this isn't modded "-1 I disagree" but sadly we are not yet technically able to share everything and not abuse what we have
The USA is rank 24 (of 182) for corruption. Only 23 countries are better. Mexico is rank 100. You have no clue about Mexico. See for yourself:
http://en.wikipedia.org/wiki/Corruption_Perceptions_Index
Of course, Afghanistan ties for spot 180 or 181. It's not so much about government; it's a matter of culture. Check out the map. The good parts of the world share the culture of northwestern Europe, with just a few rare exceptions. (the USA, Canada, Australia, and New Zealand all have culture from northwestern Europe)
Chinese corporations are busy mining in Afghanistan, not US corporations. The US only benefits indirectly by lower prices on the world market; if the Chinese use Afghanistan then they might not compete so hard for resources in North America and South America.