Security Basics mailing list archives
Re: How safe is a VPN connexion from within an internal network?
From: David Jacoby <dj () outpost24 com>
Date: Thu, 23 Nov 2006 08:49:53 +0100
Hi Jeffrey (and other readers),

Thank you for your response, please see my comments below.

Jeffrey F. Bloss wrote:

> David Jacoby wrote:
>
> > There are a few solutions for this. I've seen some VPN clients that disconnect the client machine from the Internet once the VPN connection is established; this will prevent the attacker from keeping his connection, because the client machine only allows connections to be sent to the remote network via the VPN client, and no other connections are allowed.
>
> Just out of idle curiosity, how would one "disconnect the client from the Internet" when it's typically the Internet that's being used to establish the VPN tunnel? :)
Well, sorry if my English was not 100% clear to everyone. The "method" which is used to restrict access to the Internet is that when the VPN connection is established you may only access the machines which are located within the VPN.
> I suppose a piece of software could go to great lengths trying to prevent any and all connections that weren't VPN, but this would be a daunting task even if we weren't adding to the mix a condition like being compromised. Even without that I just don't see this alleged disconnection as being all that comforting, and a cracker mucking around in your machine for a few minutes might turn it into one of those (false sense of) security nightmares.
Well, I do understand what you are trying to say, but I'm not saying that it's the ideal solution. I'm trying to explain that it will be more difficult for attackers who are, for example, accessing the compromised machine via a backchannel, listening backdoor or something similar, because when the VPN connection is established no other outbound connections (which are not used for keeping the VPN connection online) are allowed.

By doing this you will also force the user to do what he is supposed to do over the VPN connection and then disconnect. My personal thought on VPN is that you should not have an idle VPN connection established; if the machine gets compromised I do not want other people to use my VPN session. It doesn't matter if I authenticate with my fingerprint or iris, because when the connection is established anyone with access to my box can use my session.

I hope that you understand what I'm trying to say; if you have any further questions do not hesitate to contact me again.

Best regards,
David Jacoby

--
David Jacoby
Vice President Customer Experience
http://www.outpost24.com
phone: +46-(0)455-612311
fax  : +46-(0)455-13960
email: dj () outpost24 com
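Added example, not code from the original thread or from Outpost24: a small model of the "VPN-only while connected" policy David describes above (only the tunnel transport and traffic inside the tunnel may leave the box; everything else is dropped) together with the idle-session timeout he argues for. The gateway address, UDP port, interface names, corporate prefix, timeout value and the sample connection attempts are all assumptions chosen for the demonstration, using RFC 5737 documentation addresses.

```python
# Added example (not the thread's or Outpost24's code): model of a host firewall
# that permits only VPN traffic while the tunnel is up, plus an idle watchdog.
# Every constant below is an assumption made for the demonstration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_GATEWAY = ip_address("203.0.113.10")     # assumed VPN concentrator
VPN_PORT = 1194                              # assumed UDP port (OpenVPN-style)
PHYS_IF = "eth0"                             # assumed physical uplink
TUN_IF = "tun0"                              # assumed tunnel interface
REMOTE_NETS = [ip_network("10.20.0.0/16")]   # assumed networks reachable only via the tunnel
IDLE_TIMEOUT_S = 600                         # assumed: tear down after 10 min without traffic


@dataclass(frozen=True)
class Decision:
    verdict: str   # "accept" or "drop"
    iface: str     # interface the packet would leave on
    reason: str


def route(dst: str) -> str:
    """Routing model: corporate prefixes go through the tunnel; everything else
    (including the gateway itself) goes out the physical interface."""
    addr = ip_address(dst)
    if any(addr in net for net in REMOTE_NETS):
        return TUN_IF
    return PHYS_IF


def decide(dst: str, dport: int, proto: str = "tcp") -> Decision:
    """Firewall decision mirroring nft_ruleset(): default drop on OUTPUT, except
    loopback, the tunnel's own transport to the gateway, and anything inside the tunnel."""
    addr = ip_address(dst)
    iface = "lo" if addr.is_loopback else route(dst)
    if iface == "lo":
        return Decision("accept", iface, "loopback")
    if iface == TUN_IF:
        return Decision("accept", iface, "inside tunnel")
    if addr == VPN_GATEWAY and dport == VPN_PORT and proto == "udp":
        return Decision("accept", iface, "tunnel transport to gateway")
    return Decision("drop", iface, "non-VPN traffic while connected")


def nft_ruleset() -> str:
    """Render the same policy as an nftables ruleset.  oifname is used rather
    than oif so the rules load even before tun0 exists."""
    return "\n".join([
        "table inet vpnonly {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oifname "lo" accept',
        f'    oifname "{PHYS_IF}" ip daddr {VPN_GATEWAY} udp dport {VPN_PORT} accept',
        f'    oifname "{TUN_IF}" accept',
        "  }",
        "}",
    ])


def should_disconnect(last_traffic_ts: float, now: float) -> bool:
    """Idle watchdog: true once the tunnel has carried nothing for IDLE_TIMEOUT_S."""
    return now - last_traffic_ts >= IDLE_TIMEOUT_S


# Constructed connection attempts originating on the VPN client host.
SAMPLE_ATTEMPTS = [
    ("10.20.5.7", 445, "tcp"),        # file server on the corporate LAN
    ("203.0.113.10", 1194, "udp"),    # the tunnel's own UDP transport
    ("198.51.100.99", 4444, "tcp"),   # backdoor calling home to an attacker
    ("8.8.8.8", 53, "udp"),           # ordinary Internet DNS
]


def simulate() -> dict:
    """Verdict per constructed attempt: the attacker's backchannel is dropped, but
    the LAN connection is accepted no matter who on the box initiates it."""
    return {dst: decide(dst, port, proto).verdict for dst, port, proto in SAMPLE_ATTEMPTS}


if __name__ == "__main__":
    print(nft_ruleset())
    for dst, port, proto in SAMPLE_ATTEMPTS:
        d = decide(dst, port, proto)
        print(f"{dst}:{port}/{proto} -> {d.verdict} via {d.iface} ({d.reason})")
    print("idle disconnect:", should_disconnect(last_traffic_ts=1000.0, now=1700.0))
```

The simulation makes both sides of the exchange concrete: the backdoor's reverse connection to 198.51.100.99 and the DNS lookup are dropped the moment the tunnel is up, which is the benefit David claims, while the connection to 10.20.5.7 is accepted regardless of which process on the box opened it, which is the limitation he concedes (anyone with access to the machine can ride the established session). The idle watchdog is the mitigation for that second point.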