Firewall Wizards mailing list archives

Re: Tunnel intruder


From: John Adams <jna-dated-1034639771.19b374 () retina net>
Date: Wed, 9 Oct 2002 16:56:08 -0700 (PDT)

On Wed, 9 Oct 2002, Jim MacLeod wrote:

There's a lot of FUD being touted by firewall vendors about the possibility 
of a home computer being hacked, then the attacker using that computer's 
VPN connection to the office to break into the company network.

If you disable split-tunnelling, this isn't much of an issue. There's a 
far greater fear of the user picking up a virus on the public Internet and 
then connecting to your company through VPN. The virus could work its way 
into your internal network causing all sorts of grief.

Without a split-tunnel, though, you create a major issue for people using
local printers (on their home networks) and in branch offices; suddenly
they can't access anything local and are forced to use enterprise-wide 
services. 

There's also the issue of lag -- if the VPN server is in LA, and your
users are in Boston, but there's a network connection back to the local
corporate network in Boston, users who use services from your Boston-based
hosts are quite lagged when they go home and VPN-in for the night. 
(Installing a server in Boston fixes this, though!) 

Some or all of these issues may cause things to fail in your 
environment. 

I can see this as a possibility and realize that we could easily get into 
an extended discussion of the probability/impossibility/inevitability of it 
occurring.  I personally want to avoid speculation.

Does anybody know of an actual incident where this attack was used, 
successfully or not?

With split-tunneling turned on, though, it's possible for someone to 
attack the employee's machine and use that machine as a stepping stone to 
greater access. 

In the wild, I have seen probes come from people's home Linux machines
(while using a split-tunneled Cisco VPN client) when their home machine
has been penetrated and the user has left the machine logged in. 

This mode of attack can happen and (although rare) I do feel that it's no
longer a speculative issue. 

Why take the chance? Don't enable split-tunneling.

-john
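The trade-off the thread argues over (full tunnel breaks the home printer, split tunnel leaves the home LAN sitting beside the corporate tunnel) comes down to what the VPN client does to the host's routing table. The following is an added example, not code from the list or from any VPN vendor: it audits a constructed client route table with a longest-prefix lookup and reports which interface carries traffic to a home printer and to an office host. Interface names, prefixes and addresses are assumed sample values.

```python
# Added example: audit a VPN client's routing table for split vs. full tunnelling.
# Route tables below are constructed sample data, not captured from a real host.
import ipaddress

# (destination prefix, egress interface); "tun0" is the assumed VPN interface.
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),         # client installed a default route into the VPN
    ("192.168.1.0/24", "tun0"),    # client overrode the home-LAN route (local LAN access off)
    ("203.0.113.10/32", "eth0"),   # the VPN concentrator itself must stay direct
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),         # Internet traffic stays on the home uplink
    ("10.0.0.0/8", "tun0"),        # only corporate prefixes enter the tunnel
    ("192.168.1.0/24", "eth0"),    # home LAN (printer etc.) stays directly reachable
]

def lookup(routes, dst):
    """Longest-prefix match: return the interface that would carry traffic to dst."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def tunnel_mode(routes, vpn_iface="tun0"):
    """'full' if the default route (prefix length 0) points into the VPN, else 'split'."""
    defaults = [iface for prefix, iface in routes
                if ipaddress.ip_network(prefix).prefixlen == 0]
    return "full" if defaults and defaults[0] == vpn_iface else "split"

def audit(routes, printer="192.168.1.50", office="10.1.2.3", vpn_iface="tun0"):
    """Summarise, for one client, the usability/exposure trade-off from the thread."""
    mode = tunnel_mode(routes, vpn_iface)
    return {
        "mode": mode,
        "printer_via": lookup(routes, printer),   # tun0 => local printer unreachable
        "office_via": lookup(routes, office),
        # In split mode the host bridges its home LAN and the corporate tunnel at once.
        "home_lan_beside_tunnel": mode == "split",
    }

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, audit(table))
```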


