
Exclusive Tunneling - protect against compromising your data on an unstable connection

Exclusive Tunneling overview

Sometimes using a VPN in a standard way is not enough to protect your online activities.

There are situations when the data you are sending or receiving is so sensitive that it is not acceptable to let even a single packet out unencrypted.

Normally this can happen if the secured tunnel is disconnected for any reason: although the SecurityKISS Tunnel program informs you about it in a quite conspicuous way, the message may be overlooked by the user or suppressed by the operating system.

After the tunnel disconnects, data is sent over the standard unencrypted and insecure connection.



Users may prevent sending or receiving data via the unsecured connection even in such connection-drop emergencies. The technique is called Exclusive Tunneling and it boils down to deleting the default route for the underlying non-tunneled connection.

Thanks to that, not a single packet can be sent outside the tunnel.




Exclusive Tunneling in SecurityKISS

Like all other features, Exclusive Tunneling in SecurityKISS is very easy to use.

Exclusive Tunneling makes sense only once you are connected in the tunnel, so when you are not connected and you select it from the Option menu...



...you should get an appropriate message:


Exclusive Tunneling is quite a 'dangerous' option in the sense that it blocks the normal Internet connection, which may be confusing for a user not familiar with the concept. That's why even when you are connected in the tunnel and select Exclusive Tunneling from the menu you should get the following warning:

Now you are in Exclusive Tunneling mode. If your connection drops or the tunnel is disconnected for any reason, you cannot send any data until you turn off Exclusive Tunneling in the Option menu.



Technical details

The procedure below describes the technical details of deleting and restoring the default route, so it explains what happens behind the scenes and allows advanced users to automate it in scripts.

1. Check internet connection details and network interface

Open the Windows command line console (menu Start -> Run, type cmd) and type:

ipconfig

You may get many interfaces, but we need to find the one which is active, with an IP address and DNS servers assigned.

Typical output may look like:

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix.... : zyxel.com
Description....................... : Realtek RTL8139/810x Family NIC
Physical Address.................. : 00-00-00-AB-CD-EF
Dhcp Enabled...................... : Yes
Autoconfiguration Enabled......... : Yes
IP Address........................ : 192.168.1.37
Subnet Mask....................... : 255.255.255.0
Default Gateway................... : 192.168.1.1
DHCP Server....................... : 192.168.1.1
DNS Servers....................... : 8.8.8.8
.................................. : 8.8.4.4
Primary WINS Server............... : 192.168.1.1
Lease Obtained.................... : 30 November 2010 19:28:13
Lease Expires..................... : 01 December 2010 03:28:13

We need to remember the Connection Description, which in this case is 'Realtek RTL8139/810x Family NIC'.


2. Check default route

In the command line console type:

route print 0.0.0.0

Depending on the network interfaces present in your system you should get something like this:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x100005 ...00 00 00 AB CD EF ...... Realtek RTL8139/810x Family NIC
0x100007 ...00 ff 3a 3f cf 9b ...... TAP-Win32 Adapter V9
0x100008 ...00 00 00 FE DC BA ...... Wireless Network Adapter
===========================================================================
===========================================================================
Active Routes:
Network Dest      Netmask      Gateway          Interface        Metric
0.0.0.0           0.0.0.0      192.168.1.1      192.168.1.37     1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

From the listing we need to remember the interface ID of the adapter identified in step 1 (0x100005 for 'Realtek RTL8139/810x Family NIC') and the default gateway (192.168.1.1).


3. Create tunneled connection

Now you can start SecurityKISS Tunnel and connect to one of our servers.


Type again in the command line console:

route print 0.0.0.0

to check that SecurityKISS Tunnel has created another default route for the tunneled connection:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x100005 ...00 00 00 AB CD EF ...... Realtek RTL8139/810x Family NIC
0x100007 ...00 ff 3a 3f cf 9b ...... TAP-Win32 Adapter V9
0x100008 ...00 00 00 FE DC BA ...... Wireless Network Adapter
===========================================================================
===========================================================================
Active Routes:
Network Dest      Netmask      Gateway          Interface        Metric
0.0.0.0           128.0.0.0    10.11.6.45       10.11.6.46       1
0.0.0.0           0.0.0.0      192.168.1.1      192.168.1.37     1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

4. Delete default route

We need to delete the default route for the standard connection.

To do it we use the information gathered in steps 1 and 2. The command has the format:

route delete [default_route] mask [netmask] [gateway_ip] IF [interface_id]

In this case the command is:

route delete 0.0.0.0 mask 0.0.0.0 192.168.1.1 IF 0x100005

There should be no output from the command if it has executed successfully.

Now you are protected against sending sensitive data via the unsecured channel.

At this stage all online traffic can be sent only via the secured connection.

Even if the tunneled connection is disrupted, you can't go back to the normal insecure connection without manually modifying the routing table.

While connected in the tunnel all online activities should work as usual. As a simple test you may use an internet browser or type:

ping 8.8.8.8

which should produce:

Pinging 8.8.8.8 with 32 bytes of data:

Reply from 8.8.8.8: bytes=32 time=63ms TTL=54
Reply from 8.8.8.8: bytes=32 time=32ms TTL=54
Reply from 8.8.8.8: bytes=32 time=36ms TTL=54
Reply from 8.8.8.8: bytes=32 time=36ms TTL=54

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 32ms, Maximum = 63ms, Average = 41ms

5. Simulate tunnel disconnect

In order to test the effectiveness of Exclusive Tunneling we need to simulate a network disruption by disconnecting from the tunnel in the SecurityKISS program.

After clicking disconnect (and waiting a few seconds to let the network settings go back to a stable state) the routing table should have no default route, which prevents the system from sending unencrypted data.

It may be tested by using ping again:

ping 8.8.8.8

which this time should give no reply:

Pinging 8.8.8.8 with 32 bytes of data:

Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

6. Restore standard connection

In order to restore the standard non-tunneled connection we need to recreate the default route that was previously deleted:

route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 IF 0x100005

or renew all network adapters if you are using DHCP:

ipconfig /renew

The commands to delete and add routes may be saved in a script to make it easier and faster to switch between Exclusive Tunneling and standard modes.
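The batch script below automates steps 4 and 6 and adds a check for a leftover default route; it is an added example, not SecurityKISS code. The file name exclusive.bat, the on/off/check arguments and the findstr-based check are this example's own choices; the gateway and interface ID are the values gathered in steps 1 and 2.

```batch
@echo off
rem exclusive.bat - Exclusive Tunneling helper (added example, not SecurityKISS code).
rem Usage:  exclusive.bat on  ^<gateway_ip^> ^<interface_id^>   delete the non-tunneled default route
rem         exclusive.bat off ^<gateway_ip^> ^<interface_id^>   restore it
rem         exclusive.bat check                              report whether a default route exists
rem Example: exclusive.bat on 192.168.1.1 0x100005
rem Run from an elevated console on Windows Vista and later; route changes need
rem administrator rights there. The script assumes route.exe sets ERRORLEVEL on failure.
setlocal
set MODE=%~1
if /i "%MODE%"=="check" goto check
if "%~3"=="" goto usage
set GATEWAY=%~2
set IFID=%~3

if /i "%MODE%"=="on" (
    rem The tunnel's own "0.0.0.0 mask 128.0.0.0" route from step 3 is left untouched,
    rem so traffic keeps flowing through the tunnel but has nowhere to go once it drops.
    route delete 0.0.0.0 mask 0.0.0.0 %GATEWAY% IF %IFID%
    if errorlevel 1 (echo Could not delete the default route.& exit /b 1)
    echo Exclusive Tunneling ON.
    goto check
)
if /i "%MODE%"=="off" (
    route add 0.0.0.0 mask 0.0.0.0 %GATEWAY% metric 1 IF %IFID%
    if errorlevel 1 (echo Could not restore the default route.& exit /b 1)
    echo Exclusive Tunneling OFF.
    goto check
)
goto usage

:check
rem A line "0.0.0.0  0.0.0.0  <gateway> ..." among the active routes means packets can
rem still leave through the plain connection; the tunnel's split route uses mask 128.0.0.0,
rem so it does not match this pattern.
route print 0.0.0.0 | findstr /r /c:"^ *0\.0\.0\.0  *0\.0\.0\.0 " >nul
if errorlevel 1 (
    echo OK: no default route outside the tunnel.
) else (
    echo WARNING: an unencrypted default route is present.
)
exit /b 0

:usage
echo Usage: %~nx0 on^|off ^<gateway_ip^> ^<interface_id^>  or  %~nx0 check
exit /b 2
```

Run "exclusive.bat check" after a tunnel disconnect, and after any DHCP renewal, since ipconfig /renew (step 6) recreates the standard default route.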