Security Basics mailing list archives

Re: How safe is a VPN connexion from within an internal network?


From: David Jacoby <dj () outpost24 com>
Date: Thu, 23 Nov 2006 08:49:53 +0100

Hi Jeffrey (and other readers),

Thank you for your response; please see my comments below.


Jeffrey F. Bloss wrote:
> David Jacoby wrote:
>
>> There are a few solutions for this. I've seen some VPN clients that
>> disconnect the client machine from the Internet once the VPN
>> connection is established. This will prevent the attacker from keeping his
>> connection, because the client machine only allows connections to be
>> sent to the remote network via the VPN client; no other connections
>> are allowed.
>
> Just out of idle curiosity, how would one "disconnect the client from
> the Internet" when it's typically the Internet that's being used to
> establish the VPN tunnel? :)

Well, sorry if my English was not 100% clear to everyone. The "method"
which is used to restrict access to the Internet is that when the VPN
connection is established you may only access the machines which are
located within the VPN.

> I suppose a piece of software could go to great lengths trying to
> prevent any and all connections that weren't VPN, but this would be a
> daunting task even if we weren't adding to the mix a condition like
> being compromised. Even without that I just don't see this alleged
> disconnection as being all that comforting, and a cracker mucking
> around in your machine for a few minutes might turn it into one of
> those (false sense of) security nightmares.

Well, I do understand what you are trying to say, but I'm not saying
that it's the ideal solution. I'm trying to explain that it will be more
difficult for attackers who are, for example, accessing the compromised
machine via a backchannel, listening backdoor or something similar,
because when the VPN connection is established no other outbound
connections (other than the one used for keeping the VPN connection online)
are allowed.

By doing this you will also force the user to do what he is supposed
to do over the VPN connection and then disconnect. My personal thought
on VPN is that you should not have an idle VPN connection established;
if the machine gets compromised I do not want other people to use my
VPN session.

It doesn't matter if I authenticate with my fingerprint or iris,
because when the connection is established anyone with access to my
box can use my session.


I hope that you understand what I'm trying to say. If you have any
further questions, do not hesitate to contact me again.


Best regards,
David Jacoby
-- 

David Jacoby
Vice President Customer Experience
http://www.outpost24.com

phone: +46-(0)455-612311
fax  : +46-(0)455-13960
email: dj () outpost24 com