Ask Slashdot: VPN Service For a Deployed US Navy Ship?

Posted by Soulskill
from the helps-with-those-call-of-duty-tournaments dept.
shinjikun34 writes "I am currently stationed on a U.S. Navy ship deployed in a country with restrictive internet policies. We are currently in the process of setting up an entertainment internet connection for the crew to use in their downtime. I suggested (and was thereby tasked with finding) a VPN service that would support 100 to 500 devices, have an end point inside the continental United States, be reasonably priced, and secure/trustworthy. Something that is safe to use for banking and other financial affairs. Ideally, it would be fast enough to support several VoIP calls (Skype, Google Voice, etc) alongside online gaming, with possible movie/music streaming. It will need an end point in the U.S. to allow for use of Google Books, Netflix, Hulu, and other services that restrict access based on region. I, in all honesty, have no idea where to begin searching, and I ask the good folks of Slashdot to aid me in my quest. One of the main requirements I was given is that the company has to be trustworthy. And it has to be a company — a computer in someone's closet hosting a VPN isn't acceptable to the Navy. What services would Slashdot recommend? (I understand that our connection without a VPN probably won't be able to handle the described load, but I would prefer a VPN service that offers capacity above our need. That way when T/S'ing the connection, the VPN can be at least partially ruled out.)"

  • Pair (Score:5, Informative)

    by Frightened_Turtle (592418) on Saturday June 30, 2012 @12:47PM (#40505389)

    Try Pair.com [pair.com] in Pittsburg, PA. I've been with them for over 16 years now and I've been very happy with their service and support.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      %s/Pittsburg/Pittsburgh/g

      • Re: (Score:2, Informative)

        by Anonymous Coward

        That'll change properly spelled instances to Pittsburghh. What you want is to add a word-terminator to the expression so it doesn't break the correctly spelled words. /nerding out

      • I stand Korrekted! Dern them pescy spel kurrekturs lett'n them thar mispelin's git thru! Serves me right for not double-checking before I sent that out!

        :-D

    • by Anonymous Coward

      I've also been a Pair customer for many years. Their support is absolutely fantastic. Unlike many large companies who don't bother to read your questions and just reply with boilerplate, Pair responds quickly and accurately, and follow-ups are quick and easy (email). Sometimes, they've proactively fixed accounts that were at risk due to a security flaw or upgrade.

  • Just create a VM on aws.amazon.com and configure it to your hearts content.
  • .mil? (Score:2, Interesting)

    by Anonymous Coward

    Doesn't the navy have its own Internet structure? Or may you not use that?

  • by mrmeval (662166) <<mrmeval> <at> <gmail.com>> on Saturday June 30, 2012 @12:47PM (#40505397) Journal

    The NSA is tasked with securing such communication and you should regardless of classification of data be using their equipment or at least an approved system. In that way you know that you at least are protected from your provider.

    Your users shouldn't even know you're doing jack to their connection except to show as a US IP address. There should be no identifying information that points that IP to any military activity.

    • by jo_ham (604554)

      Honestly yes, I agree with the above poster.

      I'm amazed that the US Navy doesn't already run something like this themselves - they're the ones that know the communications capabilities and deployment of their ships better than anyone else. Surely given the number of ships and personnel outside the US at any one time it would be more effective to have an in-house team based in the US to handle this especially since many of the reasons listed are not exclusive problems of a "guest" country with an oppressive i

      • I'm sure the navy maintains communications for military matters, but things like online shows and gaming are probably recent enough that the navy hasn't felt the need to provide them to sailors as essential comforts.
      • by truesaer (135079) on Saturday June 30, 2012 @01:06PM (#40505533) Homepage

        My guess is that the military DOES provide internet access. And it probably allows them to do basic web tasks, etc but does not allow streaming video, VOIP, etc. This is probably because they are on a limited satellite connection and have to guarantee performance for the actual military functions of the ship.

        They also probably have access to Armed Forces radio and television, DVD libraries, etc.

        • I suspect this is the case. A VPN isn't going to help matters here because the real problem isn't routing, it's bandwidth. I think the OP has his priorities in the wrong order.
          • Agreed. Now a shipwide LAN allowing everyone to share their media, that's a good idea. Set up a Diaspora instance or similar and you've got a shipwide social network too. Doing it without jacking into the existing CAT5 (presumably?) might be tricky, a series of repeating wireless routers throughout perhaps?
          • by whoever57 (658626) on Saturday June 30, 2012 @02:43PM (#40506245) Journal

            I suspect this is the case. A VPN isn't going to help matters here because the real problem isn't routing, it's bandwidth. I think the OP has his priorities in the wrong order.

            Either the submitter has no clue or you have wrongly guessed about his situation. Consider the comment about being stationed on a ship that is deployed in a country with restrictive Internet policies. If the US Navy were providing the Internet connection that they hoped to use, why would the country's Internet policies be relevant to the question? I assume that there is an Internet connection being provided via a shore-based ISP and it is snooping and restrictions on the use of the shore-based ISP that they would like to bypass using a VPN.

      • by gtirloni (1531285)
        I'm amazed that people really trust the OP is in a US Navy ship.
        • by icebike (68054) * on Saturday June 30, 2012 @02:21PM (#40506053)

          I'm amazed that people really trust the OP is in a US Navy ship.

          He said he is using a local ISP for bandwidth. So clearly he is not talking about ON the ship while at sea.

          He is probably talking about dock side encrypted wifi (perhaps bridged to some place onboard).

          He's probably stationed on a tug or service boat, oilers, replenishment ships, repair ship, because it would be pointless to set up something like this on a war ship which doesn't spend all that much time in port.

          100 to 500 devices indicates (think cell phones and tablets and the occasional lap top) a crew of something much smaller than a Frigate.
          Even Coast Guard national security cutters tend to have a crew greater than 100.

          • The British navy has ships that aren't ships at all - they're actually buildings ashore. "Stone Frigates" is the jocular term.

    • by girlintraining (1395911) on Saturday June 30, 2012 @12:57PM (#40505467)

      The NSA is tasked with securing such communication and you should regardless of classification of data be using their equipment or at least an approved system. In that way you know that you at least are protected from your provider. Your users shouldn't even know you're doing jack to their connection except to show as a US IP address. There should be no identifying information that points that IP to any military activity.

      If you read between the lines, the poster is saying that this is an entirely separate network where the crew can bring their personal (non work) systems, and it will have no access or visibility to any of the ship's systems or network. As such, those requirements go away. The Navy of course wants a US-based company to approach so they can monitor use and make sure that if another Wikileaks happens, they are a phone call away from saying "It was this guy, at this time, on this terminal," and also because a US-based company means US-based laws -- and it's harder for a foreign national to penetrate a domestic service than a foreign one, especially after it gets hardened, which falls under the purview of the DHS, not the NSA, in this case -- since the company is private, not military. And it probably will have cameras in the rec area, as all meeting and confidential areas on the ship do. So let's just go ahead and assume that the security people have already reviewed this and have green-lit it with the appropriate restrictions. They are, after all, highly trained professionals. -_-

      Remember that aircraft carriers have thousands of personnel, deployed for months at a time with no access to anything but the ship. Entertainment becomes incredibly important for crew morale, and the Navy recognizes the need to balance this; they want to give their crew access to everything you can do on the internet at home on their little slice of the United States afloat. And why shouldn't they?

      • Like many technology items, the Navy contracts them out. HP got a sweet no-bid contract extension (HP bought EDS, which originally bid it). Since then they have been charging the taxpayer over $2000 a year to provide network connectivity... for EACH WORKSTATION.

        http://www.wired.com/dangerroom/2010/08/hp-holds-navy-network-hostage/ [wired.com]
        http://www.wired.com/dangerroom/2012/02/navy-internet/ [wired.com]

        In theory the Navy is supposed to start rolling their own stuff, but my guess is since this is on slashdot HP is going to ma

      • by jittles (1613415) on Saturday June 30, 2012 @01:57PM (#40505869)

        If you read between the lines, the poster is saying that this is an entirely separate network where the crew can bring their personal (non work) systems, and it will have no access or visibility to any of the ships systems or network. As such, those requirements go away.

        I just escaped from the world of contracting for the DoD and I can tell you that there is no such network on any military facility. Trust me. No boat, no ship, not even a storage shed. How do I know? Because I used to work on training simulations, and we wanted to set up things like a private WiFi network, to allow instructors to monitor simulations from a tablet device. Could we do so? No. It's against DoD rules. You can set up a private network, but only if it is wired, and only if it does not go out onto the net. Further, any machine on that network must comply with DoD Information Assurance (IA) rules. Those rules don't let you have USB enabled; you can't even have a USB port accessible on the device without special authorization and hardening of the OS to disable the port but allow charging.

        The poster above is absolutely correct. You do not want to be caught setting up this kind of network. You will get in huge trouble if the DoD finds out. All internet access should be going from the ship, to their home port and onto the internet from there. If I were in charge of this boat, I would not do this without an order in writing authorizing me to do so because he's going to get burned if he goes thru with this.

        • What about USB keyboards/mice? USB printers? Nowadays it's getting harder to find PS2 stuff.

          • by Grishnakh (216268)

            Since when did government requirements have anything to do with reality? They probably just keep using 12-year-old systems because of the requirements.

        • Re: (Score:3, Informative)

          by David-D2 (1371217)
          DoD policies on military quarters should apply to quarters on a Navy ship as well. I am not in COM or anything like that, but I live on an Air Force base and I know the DoD does allow private internet connections. The restrictions you are talking about only apply to DoD information systems. If you are creating a network independent of the installation's connectivity and use it for hosting any technical data or as a subsystem to supplement a DoD system, the rules you stated apply. If it is for personal reaso
      • by icebike (68054) *

        So let's just go ahead and assume that the security people have already reviewed this and have green-lit it with the appropriate restrictions. They are, afterall, highly trained professionals. -_-

        And yet they come here to slashdot to ask for advice?

        Come on.

    • by chill (34294)

      ...regardless of classification of data...

      Wow, that is so wrong. There is no need for a TIC so the swabbies can stream Netflix, play Warcraft and Skype home to the wife and kiddies.

      It looks like the local regime filters the Internet, so using local ISPs probably is straight out as too much shit gets blocked. All they're trying to do is bypass that.

    • The high number of "In the Navy" views on YouTube originating from the IP will give them away.

  • Sonic.net (Score:2, Informative)

    by Anonymous Coward

    I know Sonic.net offers their customers VPN service, and have a great track record and are a pleasure to work with. I'd call their business/enterprise department and see what kind of bandwidth they can give you in a VPN termination.

    However, I hope you're aware of the dangers of having multiple secure and insecure internets in close proximity...I sincerely hope one moron with a patch cable can't bridge the "entertainment" network to anywhere else...frankly I'm surprised this isn't handled by the USN core net

  • by djdanlib (732853) on Saturday June 30, 2012 @12:48PM (#40505407) Homepage

    You realize that some of the people reading Slashdot around the world are going to have a vested interest in getting a back door into your affairs, right?

    This would be an excellent trap to catch foreign agents.

    • by rasmusbr (2186518)

      The enemy has limited resources. What could the enemy possibly learn from spying on individual sailors' downtime habits that could possibly be valuable in combat?

      Sounds like you've been reading too many Tom Clancy novels.

  • I would be very wary of doing such things on a government connection. Your C/O better have written off on it officially.
    • by nurb432 (527695)

      Like that will stop you from going down when caught. Just means you will have company when you are court-martialed.

  • Forget online gaming on a ship, as the lag is a killer and moving from area to area can lead to dropouts.

  • I'm surprised this is even an option, I recently worked at a remote US government facility and there were heavy filtering requirements in place. Do military regs really allow you to avoid their regular IT controls and policies this way?

    At any rate, my first question is are you talking about a physical internet connection while in port, or using a satellite at sea or what? You're talking about supporting an awful lot of users and data through the VPN, but can your basic connection support that?

  • by KingRobot (703860) on Saturday June 30, 2012 @01:04PM (#40505521) Homepage
    1) Lease a box at a site with reliable, low-cost bandwidth (somewhere like PhoenixNAP, AtlantaNAP, Rackspace, etc.). This should run you between $50 - $150/mo for a decent system with several terabytes/mo data transfer (more than enough for Hulu, Netflix, etc.).
    2) Make some friends in the Navy IT dept. Have them help you set up a hosted VPN service on the box in their off time. This will be the lowest cost, most secure, and most reliable service you can get.
    • On the ship, set up a Linux or BSD PC as the local VPN end point. Rent a VPS at any of hundreds of such providers in the US. For one household to do this, you can get a US server for $8/month or less. You need to pay more for network capacity, but not a huge amount. You set up 1 and only 1 VPN connection... NAT through it. The people on the ship just set their default routes (you provide a DHCP service). I would use a pair of Debians for this, but whatever works for you.
      • by Kalriath (849904)

        It's like none of you even read. It specifically says it must be a reputable company. Building their own is not an option.

        • The summary does not state building their own is not an option. It says that it can't be hosted out of somebody's closet (fair enough), that any service has to be provided by a reliable company. This leaves the possibility of rolling their own solution hosted by Amazon or whoever. If building their own is not an option under any circumstances, that needs to be made more clear by the submitter.
  • by Cthefuture (665326) on Saturday June 30, 2012 @01:07PM (#40505545)

    Almost all VPN services are fly-by-night ops. Just don't do it. Seriously, they come and go like the wind. I'm sure there are legit ones that have been around for a long time, but it's nigh impossible to vet any of these companies.

    Instead find a good hosting provider and rent yourself a server with the amount of bandwidth you need and the location in the US you want (most providers have data centers in various places). For more security I would get a whole machine, not a VPS. Run OpenVPN or whatever on it and you're good to go. It wouldn't need much disk or RAM.

  • by jonsmirl (114798) on Saturday June 30, 2012 @01:09PM (#40505561) Homepage

    Not a VPN, but what about an IPv6 tunnel to Hurricane Electric? Much of what you are interested in is IPv6 accessible. And the HE tunnel is free.

    Might check and see where the IPv6 anycast address routes to from your location. Might be in a different country.

  • by longk (2637033)

    Anything other than a government controlled VPN would be a dumb move. One step back though, why do you need a VPN? I assume the Navy can get its hands on a decent US IP range and have it routed properly? Even with non-US IPs you can probably get access. Most entertainment companies have good relations with the military - they could provide access as a courtesy.

  • Create a VM endpoint in the US on something like Amazon Web Services. Fire up a tunnel (vtund over ssh? openvpn? whatever) from your ship's router to your endpoint, route traffic through it, make sure your local DNS resolves through the tunnel, and call it a day. This way you won't need to tell people to mess around with VPN clients. The fewer moving parts, the better.

    This is pretty simplistic though. You need to give us more details. How much bandwidth do you have to play with? What is the expected latenc
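The ship-side gateway that this post and the earlier "one Linux/BSD box, one VPN connection, NAT through it, DHCP hands out the default route" post both sketch, as an added example that is not any poster's code. It assumes eth0 faces the shore ISP, eth1 faces a crew LAN of 192.168.50.0/24, tun0 is the single tunnel to a rented US box at the documentation address 203.0.113.10 (OpenVPN on UDP 1194) and 10.8.0.1 is a resolver reachable only through the tunnel; all are placeholders. It goes one step beyond the posts: the forwarding policy rejects crew traffic that would otherwise go to the shore uplink in the clear when the tunnel is down, and DNS is pinned to the far side so the local ISP's resolvers are never consulted.

```shell
#!/bin/sh
# Ship-side tunnel gateway (added example, not from the thread).
# Placeholders: eth0 = shore ISP uplink, eth1 = crew LAN, tun0 = the one VPN,
# 203.0.113.10 = rented US endpoint (documentation address), 10.8.0.1 = a
# resolver that is only reachable through the tunnel.  Adjust before use.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.50.0/24}"
GW_IP="${GW_IP:-192.168.50.1}"
DHCP_RANGE="${DHCP_RANGE:-192.168.50.100,192.168.50.250,12h}"
VPS_IP="${VPS_IP:-203.0.113.10}"
VPS_PORT="${VPS_PORT:-1194}"
TUN_DNS="${TUN_DNS:-10.8.0.1}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1 so the rule set can be
# reviewed against what is already on the box before anything is applied.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# gateway_rules: crew traffic may leave only through the tunnel.  If tun0 is
# down the packets are rejected instead of being forwarded to the shore ISP in
# the clear; the gateway itself may use the uplink only for DHCP and the
# tunnel transport.  Clients need nothing but the DHCP-supplied default route.
gateway_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  run iptables -F FORWARD
  run iptables -t nat -F POSTROUTING
  run iptables -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -d "$LAN_NET" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j REJECT
  # One NAT hop on the ship: the rented box sees a single source address.
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$TUN_IF" -j MASQUERADE
  run iptables -F OUTPUT
  run iptables -A OUTPUT -o "$WAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
  run iptables -A OUTPUT -o "$WAN_IF" -p udp -d "$VPS_IP" --dport "$VPS_PORT" -j ACCEPT
  run iptables -A OUTPUT -o "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A OUTPUT -o "$WAN_IF" -j REJECT
}

# dnsmasq_conf: DHCP and DNS for the crew LAN.  Clients get the gateway as
# router and resolver; the gateway forwards only to the resolver on the far
# side of the tunnel.  no-resolv ignores /etc/resolv.conf, so the shore ISP's
# resolvers are never used and lookups can neither leak nor be filtered there.
dnsmasq_conf() {
  cat <<EOF
interface=$LAN_IF
bind-interfaces
dhcp-range=$DHCP_RANGE
dhcp-option=option:router,$GW_IP
dhcp-option=option:dns-server,$GW_IP
no-resolv
server=$TUN_DNS
EOF
}

# default_dev: extract the device of the default route from "ip route" output,
# so a cron job can alert when the default route is not the tunnel.
default_dev() {
  printf '%s\n' "$1" | awk '
    /^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

case "${1:-}" in
  apply) gateway_rules ;;
  plan)  DRY_RUN=1; gateway_rules; dnsmasq_conf ;;
  check) [ "$(default_dev "$(ip route show default)")" = "$TUN_IF" ] \
           && echo "default route via $TUN_IF" || echo "WARNING: default route is not $TUN_IF" ;;
esac
```

Run `sh gateway.sh plan` to print the rules and dnsmasq config, `apply` (as root) to install them, and `check` to confirm the default route still points at the tunnel.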

  • Is the OP saying that the Navy doesn't already run a VPN? WTF?

    • by nurb432 (527695)

      I suspect the story is either a total fabrication, or he's trying to get around some local restriction and not get caught.

      Either way, I'm suspicious.

  • How much salt water safe coax can they trail behind the ship? I mean, it can get pretty messy, especially if they go around an island or something. Really, shouldn't the poster have at least considered these basic issues?

    No wonder the navy budget is HUGE!!!

  • What the... (Score:5, Insightful)

    by Cimexus (1355033) on Saturday June 30, 2012 @01:16PM (#40505617)

    OK I'm not American (I'm Australian), but this whole post elicits a massive "WTF" from me.

    If this is a Navy ship, belonging to the world's most powerful military and run and administered by a branch of the US Government, then surely:

    a) if this kind of usage of the connection is permitted, the Navy (or other government entity) would have its own infrastructure you could use for this; or

    b) if not, there'd already be a clear policy that stated who your preferred providers of such a service would be (having been vetted and cleared for such use by the relevant IT people within the Navy)

    I mean, I can't imagine any government department, let alone the Navy, giving some random guy the task of finding and setting up a VPN via whatever means he happened to think was good.

    Also, um, doesn't the ship have its own internet connection? I'm surprised that the filtering practices of the country where you're based are affecting you ... surely you don't allow people on the ship to use random, untrusted connections provided by whatever place you happen to be in?

    Anyway, as I said, I'm not American and wouldn't have a clue how the US military operates. But I can tell you this kind of thing would never fly in a government department here.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      OK I'm not American (I'm Australian), but this whole post elicits a massive "WTF" from me.

      If this is a Navy ship, belonging to the world's most powerful military and run and administered by a branch of the US Government, then surely:

      a) if this kind of usage of the connection is permitted, the Navy (or other government entity) would have its own infrastructure you could use for this...

      Yes, they do have their own. It's called NIPRNET, which is pretty much exactly what the OP is requesting to have in the first place (trusted network and endpoints in the US, and a connection to the internet).

      The problem here is that they're on a ship, and likely not trusting in any other 3rd party network providers, are probably relying on satellite shots to connect to their networks, which puts a nice big fat 500ms delay in the path, which would choke streaming an animated gif to 500 users, let alone VoIP

  • a new startup! (as of today)
    And a dedicated room (very very small...) for the computer!
    use my company! You can trust me... er, my company.
  • I understand personal unsecured devices on the DoD network are forbidden, but it's also easy to see where you literally have a boatload full of people with iPads and personal laptops with webcams that want internet access and a connection to family at home.

    Creating a second, public-only network is the obvious solution. But given the recent wikileaks-ish concerns, I'm amazed that they are considering anyone else providing this service. It would seem that the logical thing for them to do now is to create a

    • by Grishnakh (216268)

      This really needs to be done internally, under the control of the military, not farmed out.

      One of the problems with the US military these days is that they farm out everything they can, usually to expensive no-bid contractors; they're even farming out security and combat work now to mercenaries. I'm really surprised they haven't gone ahead and farmed out even the postal service.

      The whole situation is looking a lot like the decline and fall of the Roman Empire, where the empire spent so much money on their

  • by BenJeremy (181303) on Saturday June 30, 2012 @01:22PM (#40505671)

    Maybe you should call your support desk or talk to your commanding officer?

    A LOT of money has been spent by the government to give you a secure environment, with thousands of pages of STIGs to comply with, encryption, and other safeguards.

    It sounds like you want to do an end-run around the regulations and security imposed on your shipboard environment. The policies in place have been shaped over the last two decades.

    Do you have the slightest idea of the issues involved? We got in trouble for pinging ONCE A REBOOT from PCs that were shipboard (to check to see if they had rejoined the land-side networks), as the Naval side saw it as an attack on their network. There are real bandwidth issues on board a ship, as well as a whole slew of security issues. Just tunneling through a VPN connection is not a solution at all.

  • by gavron (1300111) on Saturday June 30, 2012 @01:25PM (#40505689)

    We are happy to provide you free VPN termination for your needs. You're welcome to have us checked out. US owned, operated, our CEO is the son of a service person, and we support our armed forces. Contact sales@login.com and we'll set up whatever GRE/IPSEC/other VPN you want.

    Thank you for your service.

    Ehud Gavron
    Login, Inc.
    Tucson AZ US

    • by heypete (60671)

      Small world. I had no idea you were on slashdot -- we briefly met a few years back for a Thawte notarization.

      Anyway, good to know you guys are still around and doing stuff like this.

      • by gavron (1300111)

        Yes! Hi Pete! It sure is too bad Thawte's Trusted Third Party system was taken down by Verisign. I'm also unexcited that there are no email S/MIME signatures good for more than 365 days... it's a step backward.

        Ehud

  • by rogueippacket (1977626) on Saturday June 30, 2012 @01:36PM (#40505747)
    Nearly a hundred posts, and neither the submitter nor anyone but one responder has asked. The presence of the word "ship" leads me to believe we're talking about wireless, and combined with "restrictive Internet policies" it drives me to the conclusion that this is terrestrial wireless to a local ISP. Submitter should clarify this, because it will directly impact their requirements for latency and bandwidth long before a discussion around VPN providers should occur.
  • by gl4ss (559668) on Saturday June 30, 2012 @01:43PM (#40505791) Homepage Journal

    http://www.birdstep.com/english/secure-mobility/safemove-mobile-vpn.aspx [birdstep.com]

    Dunno if it's expensive; it should provide a bridge though, since that's what you need (apparently, so that your LAN games don't route through to the USA and back. Where SafeMove is good is that you could install it on the machines and go to a cafe on shore and still be safe, with pretty much zero hassle).
    What you want is a service with which you can locate the endpoint in a datacenter you choose; the military probably has some.

    buying that endpoint service inside usa is probably going to be peanuts compared to buying the actual bandwidth for those 500-1000 users in some shithole country.

    (some people on the thread don't seem to understand that this is the _entertainment_ network with machines separated from the military side, it's pretty much standard practice in any competent military).

  • by utkonos (2104836) on Saturday June 30, 2012 @01:59PM (#40505885)
    This article has to be one of the best trolls to have ever been done here on Slashdot. Not only did it get the editors to put it on the front page, but it also has most everyone actually taking it seriously.
  • Hmm... I think the issue is how to download porn. There's no reason they cannot, at sea, own an entire library of pirated movies on DVD or Blu-ray, and all the games, so they don't need Netflix. Satellite telephone should work in place of Skype. But the anonymity of online porn is difficult to provide any other way. It seems like the US Navy should have been thinking of alternatives to "onshore leave" for decades, and after spending $20 billion per year on air conditioning, should have come up with the
  • by Antique Geekmeister (740220) on Saturday June 30, 2012 @02:30PM (#40506129)

    It's completely reasonable for you, with orders, to investigate. But if you pull this behind the back of the existing infrastructure maintainers, you could be in a great deal of trouble for violating security policies that no one here is equipped to help you follow. Contact the IT personnel at your main base, and find out what they've already got in place, and what policies you need to work with.

    As a deployed ship, every communication should be encrypted: even casual email to your families about when you're coming back might be considered military intelligence, and I've seen commercial cases where personnel were not _allowed_ to pre-encrypt their communications before they hit the local proxies, precisely so they could be checked for confidential material. I've explained to clients and partners that this allows local monitoring to intercept the communications between their private machines and the proxy, and for anyone who cracks the proxy to read it all, and then they had to factor in _those_ issues.

    You're also going to face potential issues with people taking "unsecured" machines for any "social" network and cross-connecting them to secure communications. That's just what the IT personnel at your home base should be able to help you assess. Even if you wind up doing most of the work, keeping them informed will mean that the pitfalls or incompatible tools can be recorded for anyone else who needs to do this.

    Another group that might be able to help is the USO: They've been involved in helping communications for active military throughout their existence, and they might be aware of others who've faced just these questions and whom your normal chain of command might not be aware of.

  • Phish on! (Score:4, Interesting)

    by Anonymous Coward on Saturday June 30, 2012 @02:56PM (#40506317)

    This post is a fishing trip. The poster is trying to get responses from people in the military that have already done what he seeks, and once he knows what unauthorized networks are being used, he can then locate them and attack them.

    After numerous wikileaks excursions, there is no way the government is actually allowing this sort of network on-board ships. This might actually BE the government sniffing out potential leak sources. If any of you troops are considering answering this guy with factual information, think twice, then thrice.
