Security Basics mailing list archives

RE: IPsec VPN question


From: "Lall, Navneet Singh" <nlall () ipolicynetworks com>
Date: Tue, 12 Dec 2006 12:15:35 +0530

Hi,

It is possible (at least in theory) that an attacker can intercept the
packets before they are encrypted at IP. All applications just pass the
data buffer to be transmitted on the network to the OS kernel. A
strategically placed rootkit at the TCP/IP stack can copy the buffer to
some other location. Then it can send out both buffers: one through the VPN
as intended and the other to the attacker unencrypted. Rootkits are
increasingly becoming popular and they are difficult to detect. Today
almost no one scans for rootkits on their machines.

The trend is changing from user-space exploitation to kernel-space
exploitation.

Always remember that after compromising a machine, an attacker can do
anything at his will.

Navneet Singh

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of divinepresence () gmail com
Sent: Wednesday, November 29, 2006 11:02 PM
To: security-basics () securityfocus com
Subject: IPsec VPN question

Hi again,
I was just reading up about an application which used an IPsec VPN
connection, to connect to an application server. Now my question is that
if an attacker gets access to the machine hosting the client
application, can he intercept and/or modify packets at the network stack
before it hits the IPsec ESP module (to view the communication mechanism
between the client and the server)? Is it really an issue or is my doubt
unfounded?

Also what sort of attacks can then be carried out by that attacker using
another tool since that VPN connection would give him access to the
complete network at the app server's end?

Thanks
Ankur Jindal 
