Firewall Wizards mailing list archives

RE: pcanywhere


From: FERNANDO_MONTENEGRO () HP-Brazil-om1 om hp com
Date: Wed, 20 Oct 1999 09:43:29 -0400

Hello!

If memory serves me right, Raptor's VPN implementation allows for a 0.0.0.0/0  
netmask on the tunnel specification (which is created by the administrator).  
This means that all IP traffic would be sent on the tunnel. Makes browsing the  
Internet from a dial-up at home no different than from the Corporate LAN (watch  
out for policy/privacy issues).

This would reduce the vulnerability to this particular kind of attack you  
mentioned. In order for this attack to succeed, the attacker would need to do  
one of two things:
- Subvert the user's PC configuration using a blind attack (similar to "echo +  
+ > /.rhosts", but on Windows machines)
- Create a covert channel back to the user through the services that the  
firewall at the corporate site allows, and attack from there. "Rwww shell"  
comes to mind. (Has anyone seen an implementation of that running off Windows?)

The second kind of attack would succeed in a firewalled corporate environment  
even without any VPN users. Scary. Makes a huge case for proxy-based  
firewalling (as opposed to packet filtering) and clueful intrusion detection.

So, it's possible to restrict IP traffic of a dial-up user using a VPN back to  
the corporate headquarters.

Hope this helps.

Cheers,
Fernando

--
Fernando da Silveira Montenegro     Hewlett-Packard Brasil
HP Consulting - Internet Security   Al. Rio Negro, 750 - Alphaville
mailto:fernando_montenegro () hp com   Barueri, SP - Brazil 06454-000
voice: +55-11-7297-4351             #include <disclaimer.h>


-----Original Message-----
From: Kelvin.Garrahan () compaq com [mailto:Kelvin.Garrahan () compaq com]
Sent: Tuesday, 19 October 1999 11:23
To: firewall-wizards () nfr net
Cc: Kelvin.Garrahan () compaq com
Subject: Re: pcanywhere


Hi,

Using PC Anywhere is a risk, as is any other remote management software;
what needs to be decided is how much of a risk it is and how to minimise the
threat. What is required is that you control the level of access and provide
for strong authentication (OTPs or certificates). If connecting across a
public medium like the Internet, use encryption to protect the traffic from
being sniffed. One other thing that is mentioned is that the location from
which a VPN is being initialised must be secure. This means that not only
must the PC (terminal) initialising the tunnel be subject to physical access
security, but it must also be protected from other unauthenticated users
piggybacking traffic on the VPN. For example:

A remote manager is connected via an ISP to the Internet and establishes a
VPN tunnel to his corporate network to remotely manage servers etc. A cracker
is scanning the ISP randomly trying to connect to dial-up clients, or has
installed a sniffer upstream of the remote user. Either way the cracker
becomes aware of a VPN tunnel emanating from a dial-up client to the ISP. The
cracker could then attack the remote manager's PC, enabling IP forwarding for
instance, and route packets down the VPN tunnel to the corporate network.
This is similar to the BO2K Trojan being leveraged to piggyback on the VPN.

A solution to this problem is to have a firewall protecting the remote
client, as well as appropriate virus software to detect the latest Trojans.
Checkpoint are about to ship a personal firewall which is designed with this
weakness in mind, which would secure a remote user who periodically connects
directly to a public untrusted network.

regards

Kelvin.

Kelvin Garrahan
Security Consultant
Compaq Professional Services
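Added illustration of the two client-side conditions this thread turns on (Fernando's 0.0.0.0/0 tunnel specification sending all traffic through the tunnel, and Kelvin's IP-forwarding pivot); this is not code from either poster. A small Python audit of a VPN client's routing table and forwarding flag, where the interface names, the gateway address and the sample route tables are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: str    # destination prefix, e.g. "0.0.0.0/0"
    iface: str   # egress interface, e.g. "ppp0" (dial-up) or "tun0" (VPN)

    @property
    def network(self):
        return ipaddress.ip_network(self.dest)


def route_for(routes, ip):
    """Longest-prefix match: the route the client's stack would pick for ip."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def audit_vpn_client(routes, tunnel_iface, vpn_gateway, ip_forward):
    """Return findings; an empty list means the client matches the policy the
    thread describes: 0.0.0.0/0 via the tunnel and no packet forwarding."""
    findings = []
    default = next((r for r in routes if r.network.prefixlen == 0), None)
    if default is None:
        findings.append("no default route: Internet traffic is dropped, not tunnelled")
    elif default.iface != tunnel_iface:
        findings.append(f"split tunnel: default route leaves via {default.iface}, not {tunnel_iface}")
    # The tunnel endpoint itself must be reached over the physical link,
    # otherwise the tunnel would be asked to carry its own packets.
    gw_route = route_for(routes, vpn_gateway)
    if gw_route is None or gw_route.iface == tunnel_iface:
        findings.append(f"VPN gateway {vpn_gateway} is not routed outside the tunnel")
    # Any other specific route that avoids the tunnel is a policy leak.
    for r in routes:
        if r.iface != tunnel_iface and r.network.prefixlen > 0 and r != gw_route:
            findings.append(f"route {r.dest} bypasses the tunnel via {r.iface}")
    if ip_forward:
        findings.append("IP forwarding enabled: packets arriving on the dial-up side can be relayed into the tunnel")
    return findings


# Constructed sample configurations (not from the thread): dial-up link ppp0,
# VPN tunnel tun0, VPN gateway in the 203.0.113.0/24 documentation range.
VPN_GW = "203.0.113.5"
FULL_TUNNEL = [Route("0.0.0.0/0", "tun0"), Route("203.0.113.5/32", "ppp0")]
SPLIT_TUNNEL = [Route("0.0.0.0/0", "ppp0"), Route("10.0.0.0/8", "tun0"),
                Route("192.168.1.0/24", "eth0")]

if __name__ == "__main__":
    for name, table, fwd in (("full", FULL_TUNNEL, False), ("split", SPLIT_TUNNEL, True)):
        print(name, audit_vpn_client(table, "tun0", VPN_GW, fwd) or ["OK"])
```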


