Old 08-26-2011, 02:13 PM   #1
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

VPN Concerns


I have been asked by some people with whom I am working to remotely access their intranet. The primary reason is for me to have access to their library portal. Mostly I would be downloading PDFs and graphics.

This is a VPN connection. I know very little about VPNs. Hence I am surfing the web for more information.

The company network is all Windows using the Juniper client software for remote access. The library portal requires the Java run-time engine.

Company policy requires allowing virus scanning on client machines.

Whereas the people in the host network have standing to protect their systems, I have standing to protect my systems. If virus scanning is allowed then the server side computers pretty much have access to the entire client machine.

Therefore I am hoping to use a bare-bones Windows VirtualBox machine (VM) as my VPN client.

Although I have no reason to suspect the other people of rooting my virtual machine, or performing malicious or shenanigan acts, I nonetheless want to protect myself. I have no idea what the people at the other end might install or try to scan or snoop. Common sense stuff.

1. Which type of network mode for the VM? NAT? NAT with port forwarding? Bridged? Host-only? I am using bridged connections for all of my current VMs because I want all of my current VMs to connect to one another and my host machine. I can't change those settings. Yet I don't want this new VM connecting to anything but the VPN. I do not want the possibility of anything in the VPN accessing my host machine or other VMs.

2. After I finally establish and test the connection, should I create a snapshot from which I always start the VM or am I being too paranoid?

3. Will a VM be too slow for a VPN client? Seems there are several network interface layers involved. Would a separate stand-alone physical machine be a better option?

4. What other VPN security concerns should I be aware of?

I use VirtualBox 3.2.12 OSE. My VMs run on a Slackware 13.1 host. My host machine is behind a Linksys WRT54GL 1.1 router/switch, which connects to the ISP CPE.

Thanks much!

Last edited by Woodsman; 08-26-2011 at 02:30 PM.
 
Old 08-26-2011, 03:28 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Best thing I could suggest is to tell them that you run Linux, then ask them how, exactly, they plan to run a scan on your system. The Juniper client (from the little I've read) runs on Linux. Might be that when you tell them you're using Linux, they'll go, "Oh, well then we can't scan your box, since anything you have won't affect our systems, so go ahead". If they persist, then tell them to purchase you a Windows machine for the sole purpose of accessing their VPN.
 
Old 08-26-2011, 03:41 PM   #3
SL00b
Member
 
Registered: Feb 2011
Location: LA, US
Distribution: SLES
Posts: 375

My experience with VPNs and virus scanning has been that the company does not run a virus scan on your machine, but it does run an applet that verifies a virus scanner is installed and active on your machine. Running a virus scan from the server which performs a full system scan of your machine could be a HORRIBLE network bottleneck issue, so it's really not a good idea. It would also represent a huge user impact to access the network, and the big brass would put a stop to those shenanigans the first time they try to check their email.

Check with the company InfoSec staff.
 
1 members found this post helpful.
Old 08-27-2011, 11:17 AM   #4
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Quote:
Best thing I could suggest is to tell them that you run Linux...
Not really an option. The network is their property. If I agree to access their systems then I abide by their policies, not mine.

Besides, I simply do not want any outside access to my personal computer. I can tolerate providing access to a bare-bones virtual machine as long as I am certain that machine is sandboxed.

Quote:
If they persist, then tell them to purchase you a Windows machine for the sole purpose of accessing their VPN.
I have already raised that option.

Quote:
My experience with VPNs and virus scanning has been that the company does not run a virus scan on your machine, but it does run an applet that verifies a virus scanner is installed and active on your machine.
Ah, that makes more sense. I'll guess the Juniper client is the mechanism through which those system checks are made. I might have a problem with that as I don't have any such software, even for a bare-bones virtual machine. I don't want to waste money on something like that.
 
  

