Security Basics mailing list archives
Re: How safe is a VPN connexion from within an internal network?
From: Peter Fuggle <peterf () securepay com au>
Date: Mon, 27 Nov 2006 11:40:03 +1100
You are right that "split tunneling" does not guarantee that the remote network offering the VPN connectivity is safe from a compromised client. Generally the client will be allocated an address on the remote LAN - that's usually the point of establishing the tunnel is it not? Now sure, the vpn client software can ensure that the client can only make connections through the tunnel and not to other devices on the local LAN or out to the internet. But depending upon how controlled egress connections are on the remote LAN, the compromised client can still pose a risk. For example, the client has a shell bot installed that connects out to the attacker's machine and there is no control on outbound connections from the remote LAN... Compromised client establishes tunnel, shellbot connects out to control machine _through tunnel_, attacker has full access to VPN client and LAN that the client is connected into. In a case like this, split tunneling gains nothing.
Pete Jeffrey F. Bloss wrote:
David Jacoby wrote:There are a few solutions for this, ive seen some VPN clients that disconnects the client machine from the Internet once the VPN connection is established, this will prevent the attacker to keep his connection because the client machine only allows connection to be sent to the remote network via the VPN client, no other connections are allowed.Just out of idle curiosity, how would one "disconnect the client from the Internet" when it's typically the Internet that's being used to establish the VPN tunnel? :) I suppose a piece of software could go to great lengths trying to prevent any and all connections that weren't VPN, but this would be a daunting task even if we weren't adding to the mix a condition like being compromised. Even without that I just don't see this alleged disconnection as being all that comforting, and a cracker mucking around in your machine for a few minutes might turn it into one ofthose (false sense of) security nightmares.
Current thread:
- How safe is a VPN connexion from within an internal network? PIERRE.DUFRESNE (Nov 21)
- RE: How safe is a VPN connexion from within an internal network? Patton Roub (Nov 21)
- Re: How safe is a VPN connexion from within an internal network? David Jacoby (Nov 21)
- Re: How safe is a VPN connexion from within an internal network? Jeffrey F. Bloss (Nov 22)
- Re: How safe is a VPN connexion from within an internal network? Joseph Jenkins (Nov 23)
- Re: How safe is a VPN connexion from within an internal network? David Jacoby (Nov 23)
- Re: How safe is a VPN connexion from within an internal network? Peter Fuggle (Nov 27)
- Re: How safe is a VPN connexion from within an internal network? Jeffrey F. Bloss (Nov 27)
- Re: How safe is a VPN connexion from within an internal network? Jeffrey F. Bloss (Nov 22)
- Re: How safe is a VPN connexion from within an internal network? Michal Merta (Nov 21)
- Re: How safe is a VPN connexion from within an internal network? rvenne (Nov 21)
- RE: How safe is a VPN connexion from within an internal network? Quark IT - Hilton Travis (Nov 21)
- <Possible follow-ups>
- RE: How safe is a VPN connexion from within an internal network? Scott Ramsdell (Nov 21)
- Re: How safe is a VPN connexion from within an internal network? krymson (Nov 21)
- Re: Re: How safe is a VPN connexion from within an internal network? krymson (Nov 27)
- Re: How safe is a VPN connexion from within an internal network? Jeffrey F. Bloss (Nov 28)