Firewall Wizards mailing list archives
Re: Tunnel intruder
From: John Adams <jna-dated-1034639771.19b374 () retina net>
Date: Wed, 9 Oct 2002 16:56:08 -0700 (PDT)
On Wed, 9 Oct 2002, Jim MacLeod wrote:
> There's a lot of FUD being touted by firewall vendors about the possibility of a home computer being hacked, then the attacker using that computer's VPN connection to the office to break into the company network.
If you disable split-tunnelling, this isn't much of an issue. There's a far greater fear of the user picking up a virus on the public Internet and then connecting to your company through VPN. The virus could work its way into your internal network, causing all sorts of grief. Without a split-tunnel, though, you create a major issue for people using local printers (on their home networks) and in branch offices; suddenly they can't access anything local and are forced to use enterprise-wide services. There's also the issue of lag -- if the VPN server is in LA, and your users are in Boston, but there's a network connection back to the local corporate network in Boston, users who use services from your Boston-based hosts are quite lagged when they go home and VPN in for the night. (Installing a server in Boston fixes this, though!) Some or all of these issues may cause things to fail in your environment.
> I can see this as a possibility and realize that we could easily get into an extended discussion of the probability/impossibility/inevitability of it occurring. I personally want to avoid speculation. Does anybody know of an actual incident where this attack was used, successfully or not?
With split-tunneling turned on, though, it's possible for someone to attack the employee's machine and use that machine as a stepping stone to greater access. In the wild, I have seen probes come from people's home Linux machines (while using a split-tunneled Cisco VPN client) when their home machine has been penetrated and the user has left the machine logged in. This mode of attack can happen and (although rare) I do feel that it's no longer a speculative issue. Why take the chance? Don't enable split-tunneling.

-john

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
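The distinction the reply turns on (does the client's default route leave through the tunnel, or only the corporate prefixes?) can be read straight off the client's routing table. The following is an added example, not code from the thread or from any VPN vendor: it parses constructed `ip route`-style lines, does longest-prefix matching the way the kernel would, classifies the table as full- or split-tunnel, and lists the destinations that bypass the tunnel. The interface names (tun0, eth0), the 10.0.0.0/8 corporate prefix and all addresses are assumptions chosen for the example.

```python
"""Classify a VPN client's routing table as full- or split-tunnel.

Added example for this thread, not the original poster's code. The route
tables below are constructed to resemble `ip route` output; interface
names, the corporate prefix and every address are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    network: ipaddress.IPv4Network
    dev: str


# Constructed: a split-tunnel table. Only the corporate 10/8 prefix rides
# tun0; the default route (and thus the public Internet) stays on eth0.
SPLIT_TABLE = """
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.255.0.1 dev tun0
10.255.0.0/24 dev tun0
192.168.1.0/24 dev eth0
203.0.113.5 via 192.168.1.1 dev eth0
"""

# Constructed: a full-tunnel table. The default route goes into tun0; the
# only eth0 routes are the connected LAN and the host route to the VPN
# gateway (203.0.113.5), which has to stay outside the tunnel.
FULL_TABLE = """
default via 10.255.0.1 dev tun0
10.255.0.0/24 dev tun0
192.168.1.0/24 dev eth0
203.0.113.5 via 192.168.1.1 dev eth0
"""


def parse_routes(text):
    """Parse '<dest> [via <gw>] dev <iface>' lines into Route objects."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(dest, strict=False)  # bare IP -> /32
        dev = fields[fields.index("dev") + 1]
        routes.append(Route(network, dev))
    return routes


def egress_dev(routes, ip):
    """Longest-prefix match: the interface a packet to `ip` would leave on."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best.dev if best else None


def tunnel_mode(routes, tunnel_dev):
    """'full' if the default route leaves via the tunnel, else 'split'."""
    return "full" if egress_dev(routes, "0.0.0.0") == tunnel_dev else "split"


def bypass_destinations(routes, tunnel_dev, destinations):
    """Destinations reachable without traversing the tunnel."""
    return [d for d in destinations if egress_dev(routes, d) != tunnel_dev]


if __name__ == "__main__":
    probes = ["8.8.8.8", "10.1.2.3", "192.168.1.50", "203.0.113.5"]
    for name, table in (("split", SPLIT_TABLE), ("full", FULL_TABLE)):
        routes = parse_routes(table)
        print(name, "->", tunnel_mode(routes, "tun0"),
              "bypasses tunnel:", bypass_destinations(routes, "tun0", probes))
```

Note that the connected home LAN (192.168.1.0/24) and the host route to the VPN gateway remain on eth0 in both tables: routing alone only tells you where the default route goes, and whether local-LAN traffic is actually permitted under a full tunnel is a matter of client policy, not of the route table.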
Current thread:
- Tunnel intruder Jim MacLeod (Oct 09)
- Re: Tunnel intruder Josh Welch (Oct 09)
- Re: Tunnel intruder John Adams (Oct 09)
- Re: Tunnel intruder Frank Knobbe (Oct 10)
- Re: Tunnel intruder Harald Koch (Oct 10)
- Re: Tunnel intruder Dragos Ruiu (Oct 10)
- Re: Tunnel intruder David Kennedy CISSP (Oct 12)
- Re: Tunnel intruder Dave Piscitello (Oct 12)
- <Possible follow-ups>
- RE: Tunnel intruder Gibson, Brian (Oct 09)
- RE: Tunnel intruder R. DuFresne (Oct 09)
- RE: Tunnel intruder Irwin Lazar (Oct 09)
- RE: Tunnel intruder Desai, Ashish (Oct 10)