Firewall Wizards mailing list archives

Re: Tunnel intruder


From: Harald Koch <chk () pobox com>
Date: Wed, 09 Oct 2002 22:53:51 -0400

> Does anybody know of an actual incident where this attack was used,
> successfully or not?

Yes. It's certainly been done as a proof-of-concept, and I can think of
an incident involving remote employees and SSH tunnels (although I
don't think it was ever made public).

The remote user is one of the easiest entries into a corporate network.
Stolen laptops; this type of VPN compromise; stolen SecurID (or
equivalent) tokens; WiFi at home; the list goes on and on.

On the other hand, these are not script-kiddie attacks; there are many
different VPN clients out there, *and* you have to know something about
the network you're trying to penetrate. Still, it's probably easier (and
more covert) than attacking a corporate firewall directly.

So-called "compulsory VPNs" or "split-tunnels" are not a defense against
a determined attacker. Robotic attack software is pretty sophisticated
these days.  Once installed, a trojan using technology like IP-over-HTTP
tunnels can get back *out* of a corporate network fairly easily.

Anyway, I can remember discussing the problem with co-workers in my
early days at Borderware, about six years ago; it's not exactly a new
idea.  Frankly, I'd be surprised if it *hadn't* been used by now.
I suspect, as with most security incidents, we'll probably never hear
about it.

-- 
Harald Koch     <chk () pobox com>
ex-firewall developer :-)
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

