Security Basics mailing list archives

Re: How safe is a VPN connexion from within an internal network?


From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Tue, 28 Nov 2006 01:38:17 -0500

krymson () gmail com wrote:

> Before this turns into more of a flame, let me just say you both are
> correct.
>
> Yes, you cannot turn off the Internet connection, ala pulling out the
> physical network cable, and maintain your VPN connection.

It can't be "turned off" at all, in any way shape or form. What's being
missed here is some essential, simple facts about how virtual networks
exist and function. A VPN is only superficially a network of its own.
Interfaces at both ends have public IP addresses regardless of what
some driver or module presents to a piece of software. And the
operating system kernel still does all its networking at that level,
*not* at the "virtual network" layer. If you think about it for a
minute you'd realise it can't be any other way, and that anything able
to exert influence over the kernel or network layer can have its way
with any "virtual" connection. You'll also realize that any claim of
being able to positively eliminate extraneous connections is a
logically false one. Almost laughably so in light of the fact that the
very same sort of connection being "positively" eliminated, is the one
being used to tunnel the virtual network connection.

> But yes, there are ways to fiddle with Windows routing so that once a
> piece of software (common with Cisco VPN) connects a PC to a remote
> network using a VPN, that client PC can no longer access its own

Once again, why waste time screwing around with more and more outside
influences and other machines when it's almost easier to simply end run
any virtual network?

> local resources or even an Internet connection via its own gateway,
> logically. Instead, it acts like it is on the remote network and goes
> out through its gateway for Internet access.
>
> This is common with Cisco, and as such, Cisco won't play well with
> complex requirements or multiple VPN software being used at the same
> time. It effectively takes over what Windows can see on the network.

On the contrary, it takes over what Windows *users* see not what
Windows can see. Windows itself still "sees" a normal connection over a
public network, with encrypted data flowing across it.

> Jeffrey, I think you might be getting something else otherwise
> confused. It is quite a problem to have a VPN client that is already
> compromised to call back out to the Internet and possibly offer up a
> shell to the attacker. This connection, depending on the VPN
> software, will go out through the remote network gateway. To the
> attacker, it doesn't much matter where the client is located, or what
> network it appears to be coming from.

I'm not confusing anything, and I agree. One way to do it is not give a
hoot about what route a connection takes. But again this adds layers
and more points of detection or failure. My point is that some people
appear to be placing *way* too much faith in something that's
inherently flawed as a tool for fighting or controlling the particular
type of problem being discussed.

It's irrelevant to even discuss the topic outside the realm of a
compromised machine. Uncompromised machines don't try to make nefarious
connections to bot herders or such. The problem itself only exists in a
compromised environment. And if a machine is compromised and still on
the network, there's no VPN or other software in the world that can
lay claim to any sort of magic that makes it immune to that compromise.
Period.

-- 
Hand crafted on 28 November, 2006 at 01:04:02 EST using
only the finest domestic and imported ASCII.

"What is wanted is not the will to believe, but the will to
find out, which is the exact opposite."
                                        -- Bertrand Russell
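
The routing point argued in this message, as an added example that is not part of the original post: even a "full tunnel" client keeps a route for the tunnel's own carrier traffic on the physical interface. The route table, interface names (`eth0`, `tun0`) and addresses below are constructed assumptions, and the selection rule (longest prefix, then lowest metric) is the usual one rather than any specific VPN client's behaviour.

```python
import ipaddress

# Constructed routing table of a "full tunnel" VPN client (not captured from
# a real host). Entries: (destination prefix, egress interface, metric).
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0",       "eth0", 25),  # original default route via local gateway
    ("0.0.0.0/0",       "tun0", 1),   # VPN client adds a preferred default route
    ("203.0.113.10/32", "eth0", 1),   # host route to the VPN concentrator itself
    ("192.168.1.0/24",  "tun0", 1),   # local LAN pulled into the tunnel
    ("10.8.0.0/24",     "tun0", 1),   # tunnel subnet
]


def egress(dst, routes):
    """Return the interface used for dst: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = []
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            candidates.append((net.prefixlen, -metric, iface))
    if not candidates:
        return None  # no route at all for this destination
    return max(candidates)[2]


def routes_outside_tunnel(routes, tunnel_if):
    """Prefixes whose preferred (lowest-metric) route is not the tunnel.

    These are the paths the kernel still sends over the physical network,
    whatever the VPN client shows the user.
    """
    preferred = {}
    for prefix, iface, metric in routes:
        if prefix not in preferred or metric < preferred[prefix][1]:
            preferred[prefix] = (iface, metric)
    return sorted(p for p, (iface, _) in preferred.items() if iface != tunnel_if)


if __name__ == "__main__":
    for dst in ("198.51.100.7", "192.168.1.50", "203.0.113.10"):
        print(dst, "->", egress(dst, FULL_TUNNEL_ROUTES))
    print("outside tunnel:", routes_outside_tunnel(FULL_TUNNEL_ROUTES, "tun0"))
```

Run against a real host's exported route table, the second function gives an auditor the list of prefixes a "no split tunnelling" policy has not actually removed from the physical interface.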
