Security Basics mailing list archives

RE: IPsec VPN question


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 4 Dec 2006 09:13:11 -0800

  How the VPN connection terminates on the server-side end is
up to the network admins.  It's unfortunately *common* for this
to have complete access to the network at that end, but it's not
*required* that it do so, and in fact I recommend that it shouldn't.
  (In simple cases, you may want the IPSEC side of the VPN server to be
in a DMZ behind the firewall, and the un-tunnelled interface by which 
clients exit to be outside the firewall so that the actual client
traffic gets filtered.)

  Most IPSEC VPN clients support disabling of "split tunnelling";
that is, when the client PC is connected to the VPN, *all* of the
client's traffic goes through the tunnel.  On the one hand, this
requires some additional care on the setup if the admins want clients
to have Internet access while connected.  On the other hand, it makes
the kind of exploitation by an attacker that you're concerned about 
significantly more difficult. 
  [Generally, if there is an option to allow/deny split tunnelling, 
it's controlled at the VPN server end -- it's not something that
individual clients can turn on and off.]

David Gillett


-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of 
divinepresence () gmail com
Sent: Wednesday, November 29, 2006 9:32 AM
To: security-basics () securityfocus com
Subject: IPsec VPN question

Hi again,
I was just reading up about an application which used an 
IPsec VPN connection, to connect to an application server. 
Now my question is that if an attacker gets access to the 
machine hosting the client application, can he intercept 
and/or modify packets at the network stack before it hits the 
IPsec ESP module (to view the communication mechanism between 
the client and the server)? Is it really an issue, or is my doubt
unfounded?

Also what sort of attacks can then be carried out by that 
attacker using another tool since that VPN connection would 
give him access to the complete network at the app server's end?

Thanks
Ankur Jindal 
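As an added illustration of the split-tunnelling point in the reply above (example code written for this archive page, not from either poster): a small Python check that parses Linux `ip route show` output and reports whether a client really sends all traffic through the tunnel. The interface names and addresses (tun0, eth0, 203.0.113.10) are constructed; the check treats the host route to the VPN server as expected, since even a full-tunnel client needs it, and reports any other non-tunnel route as a bypass.

```python
import ipaddress
import re
# Start of a Linux `ip route show` line; trailing attributes (proto, scope, src, metric) are ignored.
_ROUTE_RE = re.compile(
    r"^(?P<dst>default|[0-9a-fA-F:.]+(?:/\d+)?)(?:\s+via\s+(?P<gw>\S+))?\s+dev\s+(?P<dev>\S+)"
)

def parse_routes(route_text):
    """Parse `ip route show` output into (destination network, gateway or None, device)."""
    routes = []
    for line in route_text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:  # blackhole/unreachable entries and unparseable lines are skipped
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, m.group("gw"), m.group("dev")))
    return routes

def split_tunnel_status(route_text, tunnel_iface, vpn_server):
    """full_tunnel: every default route leaves via tunnel_iface; bypass_routes: prefixes routed
    around the tunnel; lan_routes: directly connected subnets. The host route to the VPN server
    is required even in full-tunnel mode and is never counted as a bypass."""
    server = ipaddress.ip_address(vpn_server)
    routes = parse_routes(route_text)
    defaults = [r for r in routes if r[0].prefixlen == 0]
    status = {"full_tunnel": bool(defaults) and all(d == tunnel_iface for _, _, d in defaults),
              "bypass_routes": [], "lan_routes": []}
    for net, gw, dev in routes:
        if dev == tunnel_iface:
            continue
        if net.num_addresses == 1 and server in net:
            continue  # concentrator host route via the physical NIC: expected, not a leak
        if gw is None and net.prefixlen != 0:
            status["lan_routes"].append(str(net))  # local LAN still reachable
        else:
            status["bypass_routes"].append(str(net))
    return status

# Constructed sample tables (hypothetical addresses): tun0 = IPsec tunnel, 203.0.113.10 = VPN server.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
```

Feed it the live output of `ip route show` (for example via `subprocess`) to audit a Linux client; on Windows or macOS the route table format differs and the regex would need adjusting.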


