Connecting via another company's VPN

[Hokiefyd]

I work at home for Company H, and we are partnered with Company P on a particular contract. I use Outlook for email connected to my company's servers that face the public internet. I don't have to be logged in to my company's VPN in order to use my email (though I can be). Company P performs the systems side of our contract, and they host the Oracle development environment on their system. I log in through their VPN to use Oracle SQL Developer to do light data mining.

If Outlook is open when I connect to their VPN, I will usually receive a dialog box prompting me to close Outlook and re-open it, because it's lost connection to my company's server. Once I'm logged in to Company P's VPN, I can re-open Outlook, and it re-establishes connection with Company H's Exchange server.

My question is regarding data privacy. Are my emails sent when I'm accessing my email through Company P's VPN theoretically readable by Company P? I'm not sure if Outlook somehow encrypts email between the client and the Exchange server or if there are any other safeguards in place. Should I assume that Company P could (at least in theory) monitor email traffic sent while connected to their VPN, or is this not really possible?

Thanks in advance.

 

[cpayne5]

Can you look at the connection configuration for the account in Outlook? If the connection uses TLS/SSL, then company P cannot peek into the payload (unless they have a key). If no TLS/SSL, then they certainly can see what you're sending/receiving, if they wanted to.

How sneaky is company P?

 

[Hokiefyd]

Originally Posted By: cpayne5
Can you look at the connection configuration for the account in Outlook? If the connection uses TLS/SSL, then company P cannot peek into the payload (unless they have a key). If no TLS/SSL, then they certainly can see what you're sending/receiving, if they wanted to.


Thanks for your reply...on the "Security" tab of the "Microsoft Exchange" settings window, the "Encrypt data between Microsoft Outlook and Microsoft Exchange" check box is checked. Further, the "Connect using SSL only" box is checked on the "Exchange Proxy Settings" window, and the sub-box under THAT is checked that says "Only connect to proxy servers that have this principal name in their certificate" (and then it lists my company's exchange server name).

Based on your guidance on what to check, and my settings, it appears that Company P could not read emails being sent and received across their VPN connection...do you agree?

 

[cpayne5]

Originally Posted By: Hokiefyd

Based on your guidance on what to check, and my settings, it appears that Company P could not read emails being sent and received across their VPN connection...do you agree?


Yes, sounds like you're good.

 

[cpayne5]

.

 

[SZR48207]

I used to do similar work at a past job. I would use a client's VPN to log onto their Network to do work, but I wanted to isolate the connections from each other.

So I got XP Mode from Microsoft and installed that on my machine. Then, all of my client VPN connections ran inside XP Mode which allowed my own email and work to remain on the laptop while any client work was isolated in its own environment.

This may not work if the client VPN enforces certain security requirements since winxp is so old at this point. I can confirm that Cisco VPN has worked well.

 

[OVERKILL]

You are fine. It would be an encrypted connected as noted.

 

[simple_gifts]

Just a note as a learning moment for others; an encrypted connection off a site does not guarantee the company cannot see the data (in this case is does as cpayne5 points out)

Some companies proxy web connections and the client machines have certificates trusts to allow this; The connection is from a PC to the proxy encrypted, decrypted at the proxy, inspected, logged, and then reencrypted from the proxy to the server on the internet. This is an accepted security practice to inspect data being sent off the site for viruses, data loss etc.

It is functionally an authorized and implemented 'man in the middle'

The OP is not impacted by this since the OP is using his company's PC and not one supplied by his customer with would be configured to allow this