Security Basics mailing list archives
Re: How safe is a VPN connexion from within an internal network?
From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Tue, 28 Nov 2006 01:38:17 -0500
krymson () gmail com wrote:
> Before this turns into more of a flame, let me just say you both are correct. Yes, you cannot turn off the Internet connection, ala pulling out the physical network cable, and maintain your VPN connection.
It can't be "turned off" at all, in any way shape or form. What's being missed here is some essential, simple facts about how virtual networks exist and function. A VPN is only superficially a network of its own. Interfaces at both ends have public IP addresses regardless of what some driver or module presents to a piece of software. And the operating system kernel still does all its networking at that level, *not* at the "virtual network" layer. If you think about it for a minute you'd realise it can't be any other way, and that anything able to exert influence over the kernel or network layer can have its way with any "virtual" connection. You'll also realize that any claim of being able to positively eliminate extraneous connections is a logically false one. Almost laughably so in light of the fact that the very same sort of connection being "positively" eliminated, is the one being used to tunnel the virtual network connection.
> But yes, there are ways to fiddle with Windows routing so that once a piece of software (common with Cisco VPN) connects a PC to a remote network using a VPN, that client PC can no longer access its own
Once again, why waste time screwing around with more and more outside influences and other machines when it's almost easier to simply end run any virtual network?
> local resources or even an Internet connection via its own gateway, logically. Instead, it acts like it is on the remote network and goes out through its gateway for Internet access. This is common with Cisco, and as such, Cisco won't play well with complex requirements or multiple VPN software being used at the same time. It effectively takes over what Windows can see on the network.
On the contrary, it takes over what Windows *users* see not what Windows can see. Windows itself still "sees" a normal connection over a public network, with encrypted data flowing across it.
> Jeffrey, I think you might be getting something else otherwise confused. It is quite a problem to have a VPN client that is already compromised to call back out to the Internet and possibly offer up a shell to the attacker. This connection, depending on the VPN software, will go out through the remote network gateway. To the attacker, it doesn't much matter where the client is located, or what network it appears to be coming from.
I'm not confusing anything, and I agree. One way to do it is not give a hoot about what route a connection takes. But again this adds layers and more points of detection or failure. My point is that some people appear to be placing *way* too much faith in something that's inherently flawed as a tool for fighting or controlling the particular type of problem being discussed. It's irrelevant to even discuss the topic outside the realm of a compromised machine. Uncompromised machines don't try to make nefarious connections to bot herders or such. The problem itself only exists in a compromised environment. And if a machine is compromised and still on the network, there's no VPN or other software in the world that can lay claim to any sort of magic that makes it immune to that compromise. Period.
--
Hand crafted on 28 November, 2006 at 01:04:02 EST using only the finest domestic and imported ASCII.
"What is wanted is not the will to believe, but the will to find out, which is the exact opposite." -- Bertrand Russell
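The routing behaviour argued over in this message, as an added example that is not part of the original post or of any VPN product: longest-prefix route selection over a full-tunnel client's table, plus an audit that separates the physical-interface route carrying the tunnel from other non-tunnel routes worth reviewing. The table, addresses (documentation ranges), interface names and function names are all constructed assumptions.

```python
import ipaddress

TUNNEL_IF = "tun0"             # hypothetical tunnel interface name
VPN_ENDPOINT = "203.0.113.10"  # constructed public address of the VPN gateway

# Constructed routing table for a client with a full-tunnel VPN connected:
# (destination prefix, interface, metric)
ROUTES = [
    ("0.0.0.0/0",       "tun0", 1),   # default route installed by the VPN client
    ("0.0.0.0/0",       "eth0", 50),  # original default, demoted but still present
    ("203.0.113.10/32", "eth0", 1),   # host route that carries the encrypted tunnel
    ("192.168.1.0/24",  "eth0", 50),  # directly connected LAN
    ("10.20.0.0/16",    "tun0", 1),   # remote corporate network
]

def resolve(dst, routes=ROUTES):
    """Return the interface chosen for dst: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), ifc, m) for p, ifc, m in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def underlay_routes(routes=ROUTES, tunnel_if=TUNNEL_IF, endpoint=VPN_ENDPOINT):
    """Return (route the tunnel itself rides on, other effective non-tunnel routes)."""
    best = {}
    for prefix, ifc, metric in routes:  # a same-prefix route with a higher metric is shadowed
        if prefix not in best or metric < best[prefix][1]:
            best[prefix] = (ifc, metric)
    ep = ipaddress.ip_address(endpoint)
    underlay = [p for p, (ifc, _) in best.items() if ifc != tunnel_if]
    carrying = [p for p in underlay if ep in ipaddress.ip_network(p)]
    required = max(carrying, default=None,
                   key=lambda p: ipaddress.ip_network(p).prefixlen)
    return required, [p for p in underlay if p != required]

if __name__ == "__main__":
    for dst in ("198.51.100.7", "10.20.5.5", VPN_ENDPOINT, "192.168.1.20"):
        print(f"{dst:15} -> {resolve(dst)}")
    required, review = underlay_routes()
    print("tunnel rides on:", required, "| review:", review)
```

The first list element returned is never empty on a working client: the encrypted tunnel always needs a route over the physical interface, so an audit can only bound what else leaves that way, not remove it.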