Slashdot Mirror


Ask Slashdot: VPN Service For a Deployed US Navy Ship?

shinjikun34 writes "I am currently stationed on a U.S. Navy ship deployed in a country with restrictive internet policies. We are currently in the process of setting up an entertainment internet connection for the crew to use in their downtime. I suggested (and was thereby tasked with finding) a VPN service that would support 100 to 500 devices, have an end point inside the continental United States, be reasonably priced, and secure/trustworthy. Something that is safe to use for banking and other financial affairs. Ideally, it would be fast enough to support several VoIP calls (Skype, Google Voice, etc) alongside online gaming, with possible movie/music streaming. It will need an end point in the U.S. to allow for use of Google Books, Netflix, Hulu, and other services that restrict access based on region. I, in all honesty, have no idea where to begin searching, and I ask the good folks of Slashdot to aid me in my quest. One of the main requirements I was given is that the company has to be trustworthy. And it has to be a company — computer in someone's closet hosting a VPN isn't acceptable to the Navy. What services would Slashdot recommend? (I understand that our connection without a VPN probably won't be able to handle the described load, but I would prefer a VPN service that offers capacity above our need. That way when T/S'ing the connection, the VPN can be at least partially ruled out.)"

30 of 349 comments

  1. Re:WTF by MachDelta · · Score: 4, Funny

    You would prefer they asked the Geek Squad?

  2. Pair by Frightened_Turtle · · Score: 4, Informative

    Try Pair.com in Pittsburgh, PA. I've been with them for over 16 years now and I've been very happy with their service and support.

    --
    Whew! This water sure is cold!
  3. The end point should be run by the military by mrmeval · · Score: 5, Informative

    The NSA is tasked with securing such communication and you should regardless of classification of data be using their equipment or at least an approved system. In that way you know that you at least are protected from your provider.

    Your users shouldn't even know you're doing jack to their connection except to show as a US IP address. There should be no identifying information that points that IP to any military activity.

    --
    I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    1. Re:The end point should be run by the military by girlintraining · · Score: 4, Insightful

      The NSA is tasked with securing such communication and you should regardless of classification of data be using their equipment or at least an approved system. In that way you know that you at least are protected from your provider.

      Your users shouldn't even know you're doing jack to their connection except to show as a US IP address. There should be no identifying information that points that IP to any military activity.

      If you read between the lines, the poster is saying that this is an entirely separate network where the crew can bring their personal (non work) systems, and it will have no access or visibility to any of the ship's systems or network. As such, those requirements go away. The Navy of course wants a US-based company to approach so they can monitor use and make sure that if another Wikileaks happens, they are a phone call away from saying "It was this guy, at this time, on this terminal," and also because US-based company means US-based laws -- and it's harder for a foreign national to penetrate a domestic service than a foreign one, especially after it gets hardened, which falls under the purview of the DHS, not the NSA, in this case -- since the company is private, not military. And it probably will have cameras in the rec area, as all meeting and confidential areas on the ship do. So let's just go ahead and assume that the security people have already reviewed this and have green-lit it with the appropriate restrictions. They are, after all, highly trained professionals. -_-

      Remember that aircraft carriers have thousands of personnel, deployed for months at a time with no access to anything but the ship. Entertainment becomes incredibly important for crew morale, and the Navy recognizes the need to balance this; they want to give their crew access to everything you can do on the internet at home on their little slice of the United States afloat. And why shouldn't they?

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:The end point should be run by the military by truesaer · · Score: 4, Informative

      My guess is that the military DOES provide internet access. And it probably allows them to do basic web tasks, etc. but does not allow streaming video, VOIP, etc. This is probably because they are on a limited satellite connection and have to guarantee performance for the actual military functions of the ship.

      They also probably have access to Armed Forces radio and television, DVD libraries, etc.

    3. Re:The end point should be run by the military by jittles · · Score: 5, Insightful

      If you read between the lines, the poster is saying that this is an entirely separate network where the crew can bring their personal (non work) systems, and it will have no access or visibility to any of the ship's systems or network. As such, those requirements go away.

      I just escaped from the world of contracting for the DoD and I can tell you that there is no such network on any military facility. Trust me. No boat, no ship, not even a storage shed. How do I know? Because I used to work on training simulations, and we wanted to set up things like a private WiFi network, to allow instructors to monitor simulations from a tablet device. Could we do so? No. It's against DoD rules. You can set up a private network, but only if it is wired, and only if it does not go out onto the net. Further, any machine on that network must comply with DoD Information Assurance (IA) rules. Those rules don't let you have USB enabled, you can't even have a USB port accessible on the device, without special authorization and hardening of the OS to disable the port, but allow charging.

      The poster above is absolutely correct. You do not want to be caught setting up this kind of network. You will get in huge trouble if the DoD finds out. All internet access should be going from the ship, to their home port and onto the internet from there. If I were in charge of this boat, I would not do this without an order in writing authorizing me to do so because he's going to get burned if he goes thru with this.

    4. Re:The end point should be run by the military by icebike · · Score: 3, Informative

      I'm amazed that people really trust the OP is in a US Navy ship.

      He said he is using a local ISP for bandwidth. So clearly he is not talking about ON the ship while at sea.

      He is probably talking about dock side encrypted wifi (perhaps bridged to some place onboard).

      He's probably stationed on a tug or service boat, oilers, replenishment ships, repair ship, because it would be pointless to set up something like this on a warship which doesn't spend all that much time in port.

      100 to 500 devices indicates (think cell phones and tablets and the occasional laptop) a crew of something much smaller than a Frigate. Even Coast Guard national security cutters tend to have a crew greater than 100.

      --
      Sig Battery depleted. Reverting to safe mode.
    5. Re:The end point should be run by the military by ILongForDarkness · · Score: 4, Funny

      What ever happened to taking turns dressing up as women and having dances?

    6. Re:The end point should be run by the military by whoever57 · · Score: 4, Insightful

      I suspect this is the case. A VPN isn't going to help matters here because the real problem isn't routing, it's bandwidth. I think the OP has his priorities in the wrong order.

      Either the submitter has no clue or you have wrongly guessed about his situation. Consider the comment about being stationed on a ship that is deployed in a country with restrictive Internet policies. If the US Navy were providing the Internet connection that they hoped to use, why would the country's Internet policies be relevant to the question? I assume that there is an Internet connection being provided via a shore-based ISP and it is snooping and restrictions on the use of the shore-based ISP that they would like to bypass using a VPN.

      --
      The real "Libtards" are the Libertarians!
    7. Re:The end point should be run by the military by jo_ham · · Score: 4, Funny

      Likely you've never left CONUS for any length of your life at all.

      Amusing. I was born and live in the UK.

      I think that's outside "CONUS" as far as I remember? I mean, we have universal healthcare and everything.

    8. Re:The end point should be run by the military by jbolden · · Score: 4, Informative

      Do you think the Roman Legionnaires followed local laws they disagreed with in the many lands they conquered? Of course not,

      Actually in general they did. The Roman legions set up all sorts of barriers to prevent Roman troops from offending local custom. It also slowed down the rate at which Roman soldiers "went native" and ended up with mixed loyalties. Which is essentially the policy and model the US follows today.

    9. Re:The end point should be run by the military by David-D2 · · Score: 3, Informative

      DoD policies on military quarters should apply to quarters on a Navy ship as well. I am not in COM or anything like that, but I live on an Air Force base and I know the DoD does allow private internet connections. The restrictions you are talking about only apply to DoD information systems. If you are creating a network independent of the installation's connectivity and use it for hosting any technical data or as a subsystem to supplement a DoD system, the rules you stated apply. If it is for personal reasons and nothing to do with DoD information technology, the Information Assurance guidelines do not apply.

    10. Re:The end point should be run by the military by Capt. Skinny · · Score: 4, Funny

      My brother and the other guys in his shop ran their own CAT5 throughout several shops on his carrier so they could game on their personal PCs -- some of them even brought desktops on board.

    11. Re:The end point should be run by the military by belmolis · · Score: 4, Informative

      The Romans and the Mongols generally operated on different models. The Mongol approach was to overcome resistance by terror. In the absence of some prior dispute, when they came to a city they asked that it submit to them. If it did not, and they succeeded in capturing it, as they usually did, they were brutal: they would generally kill all of the men of military age and the elderly. Younger women and children would often be enslaved and if not, killed. The city would be looted. If, however, the city capitulated, they were actually pretty nice. They would take control but otherwise largely leave things as they were.

      The Mongols were tough and prepared to be brutal, but they were not mere bandits, and they were not a mob. The Mongol Empire was well organized, with an excellent courier system and the rule of law. Unlike contemporary European countries, they were religiously tolerant (except for the Ilkhans, in Persia, after 1295 when they converted to Islam.) The Mongol legal code, the Yassa, was, from what survives of it, pretty reasonable for its time.

  4. Re:WTF by Anonymous Coward · · Score: 4, Insightful

    Oh don't worry they aren't going to take your word for it.
    But as far as doing their homework, gathering opinions and collating data for review, they're asking in one of the right places.

  5. Build your own - not at someone's house though. by KingRobot · · Score: 3, Insightful

    1) Lease a box at a site with reliable, low-cost bandwidth (Somewhere like PhoenixNAP, AtlantaNAP, Rackspace, etc.) - This should run you between $50 - $150/mo for a decent system with several terabytes/mo data transfer (More than enough for Hulu, Netflix, etc.).

    2) Make some friends in the Navy IT dept. - Have them help you set up a hosted VPN service on the box in their off time. This will be the lowest cost, most secure, and most reliable service you can get.

  6. Re:WTF by homey of my owney · · Score: 3, Insightful

    But seriously... Are there no controls onboard a US Navy vessel that would prevent *anything* that's suggested here from being implemented?

  7. What the... by Cimexus · · Score: 4, Insightful

    OK I'm not American (I'm Australian), but this whole post elicits a massive "WTF" from me.

    If this is a Navy ship, belonging to the world's most powerful military and run and administered by a branch of the US Government, then surely:

    a) if this kind of usage of the connection is permitted, the Navy (or other government entity) would have its own infrastructure you could use for this; or

    b) if not, there'd already be a clear policy that stated who your preferred providers of such a service would be (having been vetted and cleared for such use by the relevant IT people within the Navy)

    I mean, I can't imagine any government department, let alone the Navy, giving some random guy the task of finding and setting up a VPN via whatever means he happened to think was good.

    Also, um, doesn't the ship have its own internet connection? I'm surprised that the filtering practices of the country where you're based are affecting you ... surely you don't allow people on the ship to use random, untrusted connections provided by whatever place you happen to be in?

    Anyway, as I said, I'm not American and wouldn't have a clue how the US military operates. But I can tell you this kind of thing would never fly in a government department here.

  8. Re:When in Rome ... by ShanghaiBill · · Score: 5, Interesting

    Then respect the laws of that country and don't try to bypass their Internet policies.

    Foreign laws don't apply on an American warship, which is considered US territory. I learned this in a very practical sense many decades ago, when I was on an LPH in the South China Sea. We picked up a load of Vietnamese boat people, including a pregnant woman. During the stress of the transfer she went into labor, and the baby was born on the deck of our ship. When we returned to Subic Bay, all the refugees were transferred to a refugee camp. Except the woman and her baby. They were taken to the US Naval Hospital, and then flown to the USA. Since the baby had been born on the deck of an American warship (US Territory) it was an American citizen, not a refugee.

  9. Login, Inc. Tucson AZ by gavron · · Score: 5, Interesting

    We are happy to provide you free VPN termination for your needs. You're welcome to have us
    checked out. US owned, operated, our CEO is the son of a service person, and we support our
    armed forces. Contact sales@login.com and we'll set up whatever GRE/IPSEC/other VPN you
    want.

    Thank you for your service.

    Ehud Gavron
    Login, Inc.
    Tucson AZ US

  10. What is the physical layer? by rogueippacket · · Score: 3, Insightful

    Nearly a hundred posts, and neither the submitter and only one responder have asked. The presence of the word "ship" leads me to believe we're talking about wireless, combined with "restrictive Internet policies" drives me to the conclusion that this is terrestrial wireless to a local ISP. Submitter should clarify this, because it will directly impact their requirements for latency and bandwidth long before a discussion around VPN providers should occur.

  11. What an AWESOME TROLL by utkonos · · Score: 5, Insightful

    This article has to be one of the best trolls to have even been done here on Slashdot. Not only did it get the editors to put it on the front page, but it also has most everyone actually taking it seriously.

  12. Re:WTF by History's Coming To · · Score: 3, Informative

    Yup, exactly. I'd be very surprised if there was a way to set it up so it was 100% guaranteed to be independent of military equipment (it's going to have to share the same satellite link for example), and unless there's a military networking specialist on /. who's happy to talk openly and publicly about their systems...?

    The only people who should be setting this up are the people who admin the rest of the networking equipment on board.

    --
    Please consider this account deleted, I just can't be bothered with the spam anymore.
  13. Re:No internet for you! by Oxford_Comma_Lover · · Score: 4, Insightful

    Agreed. The US Navy does a lot of great things (some of their disaster work is first-rate, for example, and they also do anti-piracy work and help ensure free navigation), but our armed forces and military policy have also been responsible for a lot of really bad things (allying with armed forces that place zero value on human life, adding to demand for forced prostitution, propping up oppressive regimes).

    It's not black and white, and talking points on both sides (insofar as there are only two) have some truth to them.

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
  14. Phish on! by Anonymous Coward · · Score: 4, Interesting

    This post is a fishing trip. The poster is trying to get responses from people in the military that have already done what he seeks, and once he knows what unauthorized networks are being used, he can then locate them and attack them.

    After numerous wikileaks excursions, there is no way the government is actually allowing this sort of network on-board ships. This might actually BE the government sniffing out potential leak sources. If any of you troops are considering answering this guy with factual information, think twice, then thrice.

  15. Re:Pair -- good choice by Anonymous Coward · · Score: 3, Informative

    I've also been a Pair customer for many years. Their support is absolutely fantastic. Unlike many large companies who don't bother to read your questions and just reply with boilerplate, Pair responds quickly and accurately, and follow-ups are quick and easy (email). Sometimes, they've proactively fixed accounts that were at risk due to a security flaw or upgrade.

  16. Re:WTF by History's Coming To · · Score: 4, Insightful

    Unless, of course, the OP has been pestering for this for a while and this is the CO's way of saying "I'm not explaining this again, go and find out 'why not' for yourself..."

    --
    Please consider this account deleted, I just can't be bothered with the spam anymore.
  17. Re:WTF by JWSmythe · · Score: 4, Insightful

    Even if it's not prevented by technological measures on the ship, you can be damned sure there are more rules and regulations that he could spend the rest of his military career reading.

    The DoD isn't particularly fond of people doing anything with information that they don't have control over.

    Even if the DoD didn't like it, anyone with anything resembling security in mind wouldn't want to open up any sort of security risk. Opening an encrypted tunnel to circumvent packet inspection sounds like a wonderful way to bring in viruses, or send out classified materials. And fuck, potentially compromising any systems on a military vessel could be the difference between surviving and losing all hands.

    I do have suggestions on good things to use, for civilians, in civilian environments, where it really doesn't matter if they get some malware, or otherwise hose their system. I won't touch this one. I'm allergic to prison, and more so to military prison.

    --
    Serious? Seriousness is well above my pay grade.
  18. Re:WTF by JWSmythe · · Score: 3, Insightful

    As others have mentioned, those decisions don't come down to a sailor on a ship. They come from the command. There are miles and miles of red tape.

    Others have also mentioned that the military *does* have provisions for such things. In asking for another way around, he's basically saying that he wants to circumvent the security of the ship for undisclosed reasons.

    Sure, there are technical ways that we can suggest to monitor the traffic on the ship side of the VPN. The problem here is that he most likely doesn't have the authority (or even real permission) to explore the options. He's most likely going to find himself in some very uncomfortable discussions with some strong penalties threatened.

    --
    Serious? Seriousness is well above my pay grade.
  19. no satellite link by r00t · · Score: 4, Interesting

    it's going to have to share the same satellite link for example

    The whole point of this is to avoid the satellite link. He's probably in port, where he can just toss a cable from the ship to the dock. At worst he's close enough to shore for a WiMax link. I'm betting he's in port. He probably also has temporary connections for power, water, and sewer. It's probably like an RV hook-up at an RV campground.

    I'm betting this comes out of some morale/entertainment budget. They couldn't afford Madonna, they aren't allowed to use that budget for hookers or alcohol, and thus... the internet.