Security Basics mailing list archives
RE: IPsec VPN question
From: "Lall, Navneet Singh" <nlall () ipolicynetworks com>
Date: Tue, 12 Dec 2006 12:15:35 +0530
Hi,

It is possible (at least in theory) that an attacker can intercept the packets before they are encrypted at IP. All applications just pass the data buffer to be transmitted on the network to the OS kernel. A strategically placed root kit at the TCP/IP stack can copy the buffer to some other location. Then it can send out both buffers: one through the VPN as intended and the other to the attacker unencrypted.

Root kits are increasingly becoming popular and they are difficult to detect. Today almost no one scans for root kits on their machines. The trend is changing from user space exploitation to kernel space exploitation.

Always remember that after compromising a machine an attacker can do anything at his will.

Navneet Singh

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of divinepresence () gmail com
Sent: Wednesday, November 29, 2006 11:02 PM
To: security-basics () securityfocus com
Subject: IPsec VPN question

Hi again,

I was just reading up about an application which used an IPsec VPN connection to connect to an application server. Now my question is: if an attacker gets access to the machine hosting the client application, can he intercept and/or modify packets at the network stack before they hit the IPsec ESP module (to view the communication mechanism between the client and the server)? Is it really an issue, or is my doubt unfounded? Also, what sort of attacks can then be carried out by that attacker using another tool, since that VPN connection would give him access to the complete network at the app server's end?

Thanks
Ankur Jindal
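An added example, not part of the original message or thread: the reply describes the copied buffer leaving the host unencrypted, so one check a defender can run from a capture point off the (untrusted) client is to flag any packet from the VPN client that is not ESP or IKE/NAT-T to the gateway. It assumes a full-tunnel policy with no split tunneling; the addresses, sample packets and function names are constructed for illustration.

```python
import ipaddress
import struct

ESP, UDP, TCP = 50, 17, 6
IKE_PORTS = {500, 4500}          # IKE and NAT-T (UDP-encapsulated ESP)
CLIENT = "192.0.2.10"            # constructed addresses (documentation ranges)
GATEWAY = "198.51.100.1"

def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0) for the samples below."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def classify_egress(packet, client=CLIENT, gateway=GATEWAY):
    """Return 'tunnel', 'leak', 'other-host' or 'malformed' for one packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if src != client:
        return "other-host"
    if dst == gateway and proto == ESP:
        return "tunnel"
    if dst == gateway and proto == UDP and len(packet) >= ihl + 4:
        # UDP destination port sits at bytes 2-3 of the UDP header.
        # Non-first IP fragments are not reassembled in this sketch.
        (dport,) = struct.unpack("!H", packet[ihl + 2:ihl + 4])
        if dport in IKE_PORTS:
            return "tunnel"
    # Anything else sent by the VPN client is outside the tunnel.
    return "leak"

def find_leaks(packets, client=CLIENT, gateway=GATEWAY):
    """Indexes of packets the client sent outside the tunnel."""
    return [i for i, p in enumerate(packets)
            if classify_egress(p, client, gateway) == "leak"]

# Constructed sample capture: ESP, NAT-T, then a cleartext copy to a third host.
SAMPLES = [
    build_ipv4(CLIENT, GATEWAY, ESP, b"\x00" * 16),
    build_ipv4(CLIENT, GATEWAY, UDP, struct.pack("!HHHH", 4500, 4500, 8, 0)),
    build_ipv4(CLIENT, "203.0.113.50", TCP, b"\x00" * 20),
]

if __name__ == "__main__":
    print(find_leaks(SAMPLES))
```

This only catches a copy that leaves as a separate cleartext flow, which is the case the reply describes.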