Firewall Wizards mailing list archives
RE: pcanywhere
From: FERNANDO_MONTENEGRO () HP-Brazil-om1 om hp com
Date: Wed, 20 Oct 1999 09:43:29 -0400
Hello!

If memory serves me right, Raptor's VPN implementation allows for a 0.0.0.0/0 netmask on the tunnel specification (which is created by the administrator). This means that all IP traffic would be sent on the tunnel. Makes browsing the Internet from a dial-up at home no different than from the Corporate LAN (watch out for policy/privacy issues).

This would reduce the vulnerability to this particular kind of attack you mentioned. In order for this attack to succeed, the attacker would need to do one of two things:

- Subvert the user's PC configuration using a blind attack (similar to "echo + + > /.rhosts", but on Windows machines)
- Create a covert channel back to user through the services that the firewall at the corporate site and attack from there. "Rwww shell" comes to mind. (Has anyone seen an implementation of that running off Windows?)

The second kind of attack would succeed in a firewalled corporate environment even without any VPN users. Scary. Makes a huge case for proxy-based firewalling (as opposed to packet filtering) and clueful intrusion detection.

So, it's possible to restrict IP traffic of a dial-up user using a VPN back to the corporate headquarters.

Hope this helps.

Cheers,
Fernando

--
Fernando da Silveira Montenegro    Hewlett-Packard Brasil
HP Consulting - Internet Security  Al. Rio Negro, 750 - Alphaville
mailto:fernando_montenegro () hp com  Barueri, SP - Brazil 06454-000
voice: +55-11-7297-4351            #include <disclaimer.h>

-----Original Message-----
From: Kelvin.Garrahan () compaq com [mailto:Kelvin.Garrahan () compaq com]
Sent: Tuesday, October 19, 1999 11:23
To: firewall-wizards () nfr net
Cc: Kelvin.Garrahan () compaq com
Subject: Re: pcanywhere

Hi,

Using PC anywhere is a risk, as is any other remote management software; what needs to be decided is how much of a risk it is and how to minimise the threat. What is required is that you control the level of access, provide for strong authentication (OTPs or Certificates).

If connecting across a public medium like the Internet, use encryption to protect the traffic from being sniffed.

One other thing that is mentioned is that the location from which a VPN is being initialised must be secure. This means that not only must the PC (terminal) initialising the tunnel be subject to physical access security, but it must also be protected from other unauthenticated users piggy backing traffic on the VPN.

For example:

A Remote manager is connected via an ISP to the Internet and establishes a VPN Tunnel to his Corporate network to remote manage Servers etc. A cracker is scanning the ISP randomly trying to connect to dialup clients, or has installed a sniffer upstream of the remote user. Either way the cracker becomes aware of a VPN tunnel emanating from a dialup client to the ISP. The cracker could then attack the Remote manager's PC, enabling IP forwarding for instance, and route packets down the VPN tunnel to the Corporate network. This is similar to BO2K Trojan being leveraged to piggy back on the VPN.

A solution to this problem is to have a Firewall protecting the Remote Client, as well as appropriate Virus software to detect the latest Trojans. Checkpoint are about to ship a personal Firewall which is designed with this weakness in mind, which would secure a remote user who periodically accesses directly to a public untrusted network.

regards
Kelvin.

Kelvin Garrahan
Security Consultant
Compaq Professional Services
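
The following is an added example, not part of either message: a small audit of a remote client's routing state that separates the full-tunnel (0.0.0.0/0) setup from a split tunnel and flags the IP-forwarding condition discussed above. The route tables, the interface names `ppp0` and `tun0`, the gateway address and the probe addresses are constructed assumptions.

```python
import ipaddress

# Constructed route tables for a dial-up VPN client (assumed, not from the thread).
# Each entry is (destination prefix, outgoing interface):
# "ppp0" is the ISP dial-up link, "tun0" the VPN tunnel.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "ppp0"),       # default route goes straight to the ISP
    ("10.0.0.0/8", "tun0"),      # only corporate prefixes use the tunnel
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),       # tunnel specification of 0.0.0.0/0
    ("203.0.113.1/32", "ppp0"),  # host route to the VPN gateway itself
]

def egress(routes, dst):
    """Longest-prefix match: return the interface used to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def audit(routes, tunnel_if, vpn_gateway, ip_forwarding,
          probes=("198.51.100.7", "10.1.2.3")):
    """Return a list of findings; an empty list means full tunnel, no forwarding."""
    findings = []
    gateway_route = ipaddress.ip_network(vpn_gateway + "/32")
    # The only route allowed outside the tunnel is the one carrying the tunnel.
    for prefix, iface in routes:
        if iface != tunnel_if and ipaddress.ip_network(prefix) != gateway_route:
            findings.append(f"route {prefix} bypasses the tunnel via {iface}")
    # Confirm with concrete destinations: one Internet host, one corporate host.
    for dst in probes:
        if egress(routes, dst) != tunnel_if:
            findings.append(f"traffic to {dst} is not tunnelled")
    # A forwarding client can relay a third party's packets into the tunnel.
    if ip_forwarding:
        findings.append("IP forwarding is enabled on the client")
    return findings

if __name__ == "__main__":
    for name, table, fwd in (("split", SPLIT_TUNNEL, True), ("full", FULL_TUNNEL, False)):
        print(name, audit(table, "tun0", "203.0.113.1", fwd) or "no findings")
```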