Two Plus Two Newer Archives  

  #31  
Old 01-22-2007, 02:33 PM
Percula Percula is offline
Senior Member
 
Join Date: Jun 2004
Location: Phoenix
Posts: 2,050
Default Re: Setting up a Canadian proxy server

[ QUOTE ]
1) what program/hardware device checks to make sure such contact can only take place through the VPN and not otherwise?

[/ QUOTE ]
This is primarily a function of routing. When the VPN client is connected and properly configured, all Internet traffic will use the VPN as the default gateway, i.e. any non local traffic will use the VPN.

The problem is that it is possible for the VPN connection to fail/drop or otherwise become unusable. This is where having a firewall (software or hardware based) comes into play, by not allowing the poker client software (or any software for that matter) to connect thru the normal Internet connection.

[ QUOTE ]
Also another question: can one with such a dedicated VPN server use just a software firewall on the PC and/or VPN server to make sure that no communication with the net takes place except through the VPN (as with Norton firewall for example), or is other hardware required? If so what other hardware?

[/ QUOTE ]

Yes, just the VPN client and a software based firewall are all that are needed at a minimum. For the average Poker Joe this would be "OK". However for anyone that has significant funds in play on the Internet, this is just asking for trouble. I could not recommend this type of solution for a mid or high stakes player.
  #32  
Old 01-22-2007, 02:39 PM
BluffTHIS! BluffTHIS! is offline
Senior Member
 
Join Date: Nov 2004
Location: I can hold my breath longer than the Boob
Posts: 10,311
Default Re: Setting up a Canadian proxy server

Percula,

How for example do you configure Norton's firewall to only allow routing through the VPN? I know how to configure for individual programs and whether they are permitted or not, but what options there do you use to make sure traffic only goes through the VPN?

Also regarding your last statement, are you in fact saying software only options can't insure 100% that a program like a poker client, never connects except via the VPN when the VPN goes down? Or are you saying they can, but there are other dangers not related only to that?

Thanks
  #33  
Old 01-22-2007, 03:29 PM
Freakin Freakin is offline
Senior Member
 
Join Date: Sep 2004
Posts: 6,022
Default Re: Setting up a Canadian proxy server

[ QUOTE ]
Percula,

How for example do you configure Norton's firewall to only allow routing through the VPN? I know how to configure for individual programs and whether they are permitted or not, but what options there do you use to make sure traffic only goes through the VPN?

Also regarding your last statement, are you in fact saying software only options can't insure 100% that a program like a poker client, never connects except via the VPN when the VPN goes down? Or are you saying they can, but there are other dangers not related only to that?

Thanks

[/ QUOTE ]

This is really not as hard as y'all are making it.

Every decent firewall should have some sort of rule-based system.

1st rule) Allow traffic to the VPN server on all ports and protocols
2nd Rule) block all traffic on the local area connection that accesses the internet
  #34  
Old 01-22-2007, 03:45 PM
Percula Percula is offline
Senior Member
 
Join Date: Jun 2004
Location: Phoenix
Posts: 2,050
Default Re: Setting up a Canadian proxy server

[ QUOTE ]
Percula,

How for example do you configure Norton's firewall to only allow routing through the VPN? I know how to configure for individual programs and whether they are permitted or not, but what options there do you use to make sure traffic only goes through the VPN?

[/ QUOTE ]

I am not going to be able to walk you step by step thru the config as I don't use that application. However, what you need to do, assuming the Norton firewall is capable of it, is to create rules that say...

Only allow traffic out of this PC thru the VPN adapter and deny everything else.

If it does not allow for this type of rule creation you will have to find another product to use.

[ QUOTE ]
Also regarding your last statement, are you in fact saying software only options can't insure 100% that a program like a poker client, never connects except via the VPN when the VPN goes down? Or are you saying they can, but there are other dangers not related only to that?

Thanks

[/ QUOTE ]

Other dangers in addition to the firewall application itself failing, which could happen, but is less likely if not "played" by uneducated users on a regular basis. A hardware based solution is more reliable.

With all the posts you see from people that have been hacked; I just cannot fathom why a mid/high stakes player with hundreds of thousands or even millions of dollars accessible thru their PC in the form of poker sites, online bank accounts, online savings and brokerage accounts, etc, does not spend the money for the best security... Especially when you are talking about only a few buyins for a high stakes player versus the risk of losing significant parts or a total loss of those funds, wow, it just blows my mind. I have seen small mom and pop sized businesses that won't make as much in five years as a high stakes player does in one year with better security than most of these players have or at least seem to indicate what they have.
  #35  
Old 01-22-2007, 05:18 PM
BiPolar_Nut BiPolar_Nut is offline
Senior Member
 
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Default Re: Setting up a Canadian proxy server

BluffThis:

Are you getting a better picture now or still confused? Drop the "2 step process" thinking. Like Perc said, that is basic routing. Applications don't decide what connection to use. They just spit out their request to use the network to the OS. The OS replies, "okay, I'll let the network know", if the VPN is up, it gets a VPN address as the "From" IP. If the VPN is down it gets the non-VPN address as the "from". This is all handled transparently to the user, and the application making the network request has no choice in the matter. There is only one step...and that is when the traffic hits the firewall during its attempt to leave the machine. The firewall checks its FROM address...if it's a VPN address then it's allowed to cruise out the VPN tunnel and eventually hit the internet from the remote VPN server. If the FROM address is not a VPN address, then the firewall says No and the data never leaves.

That's not 100% technically accurate, but prolly the easiest way to explain it without explaining a bunch of kernel level and TCP/IP stack stuff that'd just be more confusing.
Reply With Quote
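The rule set described in posts #33 to #35 above (on the physical adapter allow only the tunnel's own packets, send everything else through the VPN adapter, drop the rest), written out for a Linux host with nftables. This is an added example, not part of any post in the thread; the interface names `tun0`/`eth0`, the server address `203.0.113.10` and `udp/1194` are assumed placeholders, and it narrows post #33's first rule to a single protocol and port.

```shell
#!/bin/sh
# Added example (not from the thread): print an nftables egress "kill switch".
# tun0, eth0, 203.0.113.10 and udp/1194 are assumed placeholder values.

is_ifname() {   # interface names: letters, digits, "_", "." and "-" only
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

is_port() {     # decimal port number in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {     # dotted quad, every octet 0..255
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: killswitch_ruleset TUN_IF PHYS_IF VPN_SERVER_IP udp|tcp VPN_PORT
# Arguments are validated so nothing unexpected lands in the ruleset text.
killswitch_ruleset() {
    tun_if=$1 phys_if=$2 vpn_ip=$3 vpn_proto=$4 vpn_port=$5
    is_ifname "$tun_if" && is_ifname "$phys_if" || { echo "bad interface name" >&2; return 2; }
    is_ipv4 "$vpn_ip" || { echo "bad VPN server address" >&2; return 2; }
    case "$vpn_proto" in udp|tcp) ;; *) echo "bad protocol" >&2; return 2 ;; esac
    is_port "$vpn_port" || { echo "bad port" >&2; return 2; }
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        # Default deny: anything not matched below never leaves the machine.
        # The inet family covers IPv6 too, so it cannot leak around the tunnel.
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # Rule 1: on the physical adapter, only the tunnel's own packets.
        oifname "$phys_if" ip daddr $vpn_ip $vpn_proto dport $vpn_port accept
        # All other traffic must leave through the VPN adapter. Matching by
        # name means the rule still loads while the tunnel is down.
        oifname "$tun_if" accept
        # Rule 2: VPN down, so traffic routes to $phys_if and is dropped here.
        counter log prefix "killswitch-drop: " drop
    }
}
EOF
}

# Print a sample ruleset; pass five arguments to override the placeholders.
killswitch_ruleset "${1:-tun0}" "${2:-eth0}" "${3:-203.0.113.10}" "${4:-udp}" "${5:-1194}"
```

Load the output with `nft -f -` as root; because the chain policy is drop and the tunnel is matched by name, a dropped VPN leaves traffic with nowhere to go instead of falling back to the normal connection. A host that gets its address by DHCP may need one more narrow accept rule for lease renewal.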
  #36  
Old 01-22-2007, 06:23 PM
BluffTHIS! BluffTHIS! is offline
Senior Member
 
Join Date: Nov 2004
Location: I can hold my breath longer than the Boob
Posts: 10,311
Default Re: Setting up a Canadian proxy server

Guys,

Thanks again for the explanation. I think I do understand it now, and the question is really one as mentioned above, whether a software firewall in fact is configurable to set a rule regarding VPN traffic, and from my exploration of Norton's at least, I'm not sure it is, but that might be because it involves the advanced networking settings of which I'm ignorant.

Percula,

While you are correct about the cost of a hardware solution being not so many buyins, I am still interested in what exactly it provides that software solutions can't, and how likely an unlikely situation with same actually is. I don't mind spending the bucks if necessary, assuming I ever go this route (don't have to for now anyway), but if I am knowledgeable enough not to make an error on my side, I am probably unwilling to insure against a 1000-1 shot, unless I am undergoing that longshot every day I play and thus undergoing an additive probability of such occurring in the space of a year or two. Also relevant is the fact that I would only keep so many buyins on any individual site anyway, with the bulk of my roll being in a bank account or online funding vehicle.
  #37  
Old 01-22-2007, 09:33 PM
Percula Percula is offline
Senior Member
 
Join Date: Jun 2004
Location: Phoenix
Posts: 2,050
Default Re: Setting up a Canadian proxy server

[ QUOTE ]
Percula,

While you are correct about the cost of a hardware solution being not so many buyins, I am still interested in what exactly it provides that software solutions can't, and how likely an unlikely situation with same actually is. I don't mind spending the bucks if necessary, assuming I ever go this route (don't have to for now anyway), but if I am knowledgeable enough not to make an error on my side, I am probably unwilling to insure against a 1000-1 shot, unless I am undergoing that longshot every day I play and thus undergoing an additive probability of such occurring in the space of a year or two. Also relevant is the fact that I would only keep so many buyins on any individual site anyway, with the bulk of my roll being in a bank account or online funding vehicle.

[/ QUOTE ]

I think the current state of hacking poker players is at the stage where some are targeted, but mostly by script kiddies (read not all that good at it). Those that are not targeted specifically are being sucked into other scams that eventually lead to them being identified as a poker player and then targeted for that.

My concern is the money. As it stands right now, there aren't too many 6 and 7 figure value targets on the Internet. The two primary ones are online brokerage accounts and HS/MS poker players. With a poker player you are somewhat likely to hit a double or home run finding not only money on poker sites, but also in ewallets/payment processors, online banks, and brokerage accounts. Often these people are well, smart, but inexperienced or just plain ignorant of the threats they are facing.

With these more or less easily identifiable HS players, it is just a matter of time (if it hasn't already happened) before they are the targets of the real pros of hacking.

A lot of the problem with security is user ignorance/education and behavior modification. But the bottom line is everyone makes mistakes, and sometimes that's all it takes to have a major breach. So you try to design the security system in such a way as to minimize the effects of a mistake while at the same time providing a high level of security.

There was a post here a couple of weeks ago, about the same time as Jared was posting about getting hacked titled something like "This is how I would steal all your money" or something like that. The person posting that did not get a lot of attention and was kind of blown off. Which in my professional opinion is a mistake.

I will continue this post later, got to run for now...
  #38  
Old 01-22-2007, 09:50 PM
jaminbird jaminbird is offline
Senior Member
 
Join Date: Jan 2005
Location: The other side of the tubes
Posts: 954
Default Re: Setting up a Canadian proxy server

Here is a nice link with some additional background for people like me who are not familiar with VPNs: http://computer.howstuffworks.com/vpn.htm
  #39  
Old 01-22-2007, 11:48 PM
Percula Percula is offline
Senior Member
 
Join Date: Jun 2004
Location: Phoenix
Posts: 2,050
Default Re: Setting up a Canadian proxy server

OK, back now...

Let's talk about security for a moment.

There are two ways a hacker is going to get into your PC to steal your money.

1) Direct penetration. This is where the hacker is going to attack and try to exploit a weakness in the device that is fronting your Internet connection. This is not easy, at least with a commercial grade hardware firewall. With a software based firewall, it is a matter of how well it works and if it is working at all. Exposing a naked XP PC to the Internet, especially on a broadband connection is almost a sure thing that it will be taken over within 24-48 hours.

2) Indirect penetration. This one is the hard one to protect against. Indirect penetration is using the user against themselves. Sometimes it's social engineering or downright scamming. Sometimes it's exploiting a flaw in the user's software, like someone finding a Zero Day flaw and exploiting it before anyone knows to or even how to protect against. After the host is taken over, the nasty stuff is installed, common for this would be key loggers, screen scrapers, remote control software, etc.

There are also some glaring security issues with the poker sites themselves. The first is that poker sites have tied the screen name that everyone sees as you play to your account name where you control your money. This leaves the high profile player a potential target for a brute force attack on the poker account itself. I hear that PS has taken the step of locking out an account after X number of failed login attempts, which is a step in the right direction, but is still not enough to stop a brute force attack, especially with many brute force scripts now using pauses to defeat this type of measure, as you have to have a timeout on the number of tries before resetting to zero again.

Second they do not require strong passwords, and they do not expire passwords. Secure tokens would go a long ways to stopping both of these issues and frankly if PayPal can do it for <$10 then PS, FTP, UB, etc can do it too.

So to make this novel even longer... Here is my formula for securing a poker machine.

1) Using a linux host that has the minimum install, plus Samba for windows file sharing and PostgreSQL for PT, etc. All drives are locked down so you can not just stick a USB drive, floppy or CD/DVD and use it. Install VMWare with XP Pro as a guest OS. Configure VMWare to revert on each power cycle.

Why... Linux by its nature does not run windows software. The vast majority of programs a hacker would use to log keystrokes or scrape screen, remotely control the machine simply will not run on linux. We are isolating the XP system from the linux system, but if something did get on the linux box, it will pose little or no danger. You need a windows compatible file share to write your hand histories and other files that you need to retain the data that changes from session to session, e.g. PAHUD cache, layouts, etc.

When the VMWare guest is powered down, it does a series of things. First it copies those ever changing files to the file share on the linux host. Next it reverts back to a "snapshot". The snapshot is a point in the configuration and use of the OS. So let's play devil's advocate for a second. Let's say somehow someway something gets installed on the guest XP OS. It could be a key logger, etc, doesn't really matter. It wasn't there before the power up. So since our snapshot was taken on a clean OS, when we power down, we remove any change to the OS, including anything nasty. On the next power up, we revert to our clean snapshot and copy back the ever changing files like the PAHUD cache.

The poker PC, is never ever used for anything but playing poker and conducting online account management.

Here is the problem with this system... It is too difficult to copy the changes from say an updating AV program or even OS updates. So we need user intervention to make sure that we are keeping the OS, AV, etc up to date and creating snapshots after each update. As soon as you are relying on the user to perform you are adding a risk factor....

2) I use a commercial grade hardware based firewall that can support a "DMZ" port. I am going to use the DMZ port to isolate the poker PC from any other PC's at the site. I would use the standard LAN port of the firewall for all other PC's, etc that need network access.

I then create firewall rules that prevent the communication to/from the poker PC and the other PC's.

I would use a firewall that includes web content filtering with URL/domain matching. I would configure it so that the poker PC can only surf to the online account sites, poker sites and update sites for things like AV and OS updates. On the LAN side I configure the content filtering so that they can go anywhere except the online account sites, a guy can not live without a little fun on the Internet. ;)

I would use a firewall with strong IPS and crank it up big time. I want to protect the poker PC and the other PCs in the site.

If VPN was a part of the deployment, nothing really changes except that the poker PC, must send all traffic thru the VPN tunnel, which would be configured via the VPN configuration and firewall rules.

Why... We want to protect the poker PC at all costs. We prevent indirect attacks by only allowing the PC to access "approved" web sites, and prevent it from communicating with anything but exactly what we want, e.g. poker site. We also need more functional PC's available, but they too need protection. We also need to protect the user from themselves by limiting access to high value information only from the poker PC. There are a lot of little details I have left out because, well, this is long enough as it is and frankly it would be over 95% of the readers of 2+2.

Well that's about it. I am sure there is something I have forgotten, but enough, this is too long as it is...
  #40  
Old 01-23-2007, 01:15 AM
BiPolar_Nut BiPolar_Nut is offline
Senior Member
 
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Default Re: Setting up a Canadian proxy server

3 cheers, Perc :)