Security Basics mailing list archives
RE: IPsec VPN question
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 4 Dec 2006 09:13:11 -0800
How the VPN connection terminates on the server-side end is up to the network admins. It's unfortunately *common* for this to have complete access to the network at that end, but it's not *required* that it do so, and in fact I recommend that it shouldn't. (In simple cases, you may want the IPSEC side of the VPN server to be in a DMZ behind the firewall, and the un-tunnelled interface by which clients exit to be outside the firewall so that the actual client traffic gets filtered.)

Most IPSEC VPN clients support disabling of "split tunnelling"; that is, when the client PC is connected to the VPN, *all* of the client's traffic goes through the tunnel. On the one hand, this requires some additional care on the setup if the admins want clients to have Internet access while connected. On the other hand, it makes the kind of exploitation by an attacker that you're concerned about significantly more difficult.

[Generally, if there is an option to allow/deny split tunnelling, it's controlled at the VPN server end -- it's not something that individual clients can turn on and off.]

David Gillett
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of divinepresence () gmail com
Sent: Wednesday, November 29, 2006 9:32 AM
To: security-basics () securityfocus com
Subject: IPsec VPN question

Hi again,

I was just reading up about an application which used an IPsec VPN connection to connect to an application server. Now my question is that if an attacker gets access to the machine hosting the client application, can he intercept and/or modify packets at the network stack before it hits the IPsec ESP module (to view the communication mechanism between the client and the server)? Is it really an issue or is my doubt unfounded?

Also what sort of attacks can then be carried out by that attacker using another tool, since that VPN connection would give him access to the complete network at the app server's end?

Thanks
Ankur Jindal
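David's point about split tunnelling is something an admin can verify on a client by reading its routing table: with split tunnelling disabled, every destination except the VPN gateway itself should egress through the tunnel interface. The following is an added example, not code from either poster; it parses constructed `ip route show` style output from a Linux host (interface names, addresses and the `tun0` tunnel device are assumptions) and reports which destinations would bypass the tunnel.

```python
import ipaddress

# Constructed `ip route show` output from a laptop with the VPN up.
# The 0.0.0.0/1 + 128.0.0.0/1 pair is a common way to override the default
# route without deleting it; the /32 to the VPN gateway must stay on wlan0.
FULL_TUNNEL = """\
default via 192.168.1.1 dev wlan0
0.0.0.0/1 dev tun0
128.0.0.0/1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev wlan0
"""

# Same host, but the client only received a route for the corporate prefix.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev wlan0
"""

# Constructed probe destinations: two Internet hosts and one corporate host.
PROBES = ["198.51.100.80", "192.0.2.10", "10.20.30.40"]

def parse_routes(dump):
    """Return (network, interface) pairs from `ip route show` style lines."""
    routes = []
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def egress_interface(addr, routes):
    """Longest-prefix match, the same rule the kernel applies."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, dev) for net, dev in routes if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def split_tunnel_report(dump, tunnel_dev, vpn_gateway, probes):
    """Split tunnelling is in effect when any probe other than the VPN
    gateway itself leaves the host on an interface other than the tunnel."""
    routes = parse_routes(dump)
    bypassing = {p: egress_interface(p, routes) for p in probes
                 if p != vpn_gateway and egress_interface(p, routes) != tunnel_dev}
    return {"split_tunnel": bool(bypassing), "bypassing": bypassing}

if __name__ == "__main__":
    for name, dump in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, split_tunnel_report(dump, "tun0", "203.0.113.5", PROBES))
```

On a real host, feed it the output of `ip route show` and the tunnel device name reported by the VPN client; the local subnet route (192.168.1.0/24 above) is deliberately not probed, since it stays on the physical interface even with split tunnelling disabled.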