Firewall Wizards mailing list archives
Re: Tunnel intruder
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 09 Oct 2002 23:38:03 -0500
On Wed, 2002-10-09 at 18:56, John Adams wrote:
> On Wed, 9 Oct 2002, Jim MacLeod wrote:
> > There's a lot of FUD being touted by firewall vendors about the possibility of a home computer being hacked, then the attacker using that computer's VPN connection to the office to break into the company network.
>
> If you disable split-tunnelling, this isn't much of an issue. There's a far greater fear of the user picking up a virus on the public Internet and then connecting to your company through VPN. The virus could work its way into your internal network causing all sorts of grief.
And as you see, that works with split-tunneling disabled, and I would consider viruses and worms still an issue. But I'm not sure how much security a disabled split-tunnel config offers, since it is basically a default gateway reconfig.

It is theoretically possible (and I say it that way since I'm not aware of such a devil... yet) to write a trojan that will proxy packets from the Internet through the box into the tunnel, and proxy responses back to the Internet. The tunnel side is handled through the system's IP stack, but the Internet side is handled with pcap/libnet. Not using the stack bypasses any routing restrictions, heck even host-based firewall ACLs, which means that even though your split-tunnel is disabled, the box still sends packets between the Internet and the VPN as long as the VPN is established.

The pcap/libnet proxy-devil would have to know what the default gateway on the Internet is. Since it is assembling packets itself, it doesn't really need to know the IP address, but (in the case of a cable modem) the MAC address of the router (and in the case of a dial-up session, the PPP endpoint ID). The MAC address should still be in the ARP cache. And since the sucker is proxying, you don't have much ability to restrict such traffic on the peer side of the VPN (usually a firewall on 'the other side').

I'm not sure how to fully secure this. One thought that crossed my mind was disconnecting from the Internet... uhm... which will tear down the VPN, darnit. So, for really sensitive data, or very paranoid people, maybe a good RAS dial-in might be a better fit...

Regards,
Frank
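[Editor's note] To make the mechanism in Frank's message concrete, the following is an added illustration, not code from the thread or from any actual tool: a Python model of the Internet-side half of the relay he describes. The frame is assembled by hand and addressed at layer 2 to the upstream router's MAC, which is looked up in a stand-in for the host's ARP cache, so the host's routing table (and therefore the "disabled split tunnel") is never consulted. All addresses, MACs and the ARP cache contents are constructed sample values; nothing is captured or transmitted, and the pcap/libnet calls themselves are deliberately left out.

```python
"""Model of the stack-bypassing relay described in the thread: an
Ethernet/IPv4 frame is built by hand and handed toward the router's MAC,
so no routing table or host firewall ever sees it.  Constructed data
only; nothing here captures or sends packets."""
import socket
import struct

ETH_P_IP = 0x0800        # EtherType for IPv4
IPPROTO_TCP = 6

# Constructed stand-in for the home PC's ARP cache (gateway IP -> MAC).
SAMPLE_ARP_CACHE = {"192.0.2.1": "00:11:22:33:44:55"}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_ipv4_frame(arp_cache, gateway_ip, our_mac, src_ip, dst_ip,
                     payload, proto=IPPROTO_TCP, ttl=64) -> bytes:
    """Craft an Ethernet+IPv4 frame for the Internet side of the relay.

    The only "routing" knowledge needed is the gateway's MAC.  If it is
    not in the ARP cache the relay cannot address the frame at all, which
    is the one precondition the message calls out.
    """
    try:
        gw_mac = arp_cache[gateway_ip]
    except KeyError:
        raise LookupError("no ARP entry for gateway %s" % gateway_ip) from None
    total_len = 20 + len(payload)
    # version/IHL, TOS, total length, id, flags+frag (DF), TTL, proto,
    # checksum placeholder, source, destination
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src_ip),
                      socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    eth = _mac_bytes(gw_mac) + _mac_bytes(our_mac) + struct.pack("!H", ETH_P_IP)
    return eth + hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet+IPv4 frame, as a pcap handle would return it."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet+IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "dst_mac": _mac_str(frame[:6]),
        "src_mac": _mac_str(frame[6:12]),
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "payload": ip[ihl:total_len],
    }


if __name__ == "__main__":
    # Reply that came back through the tunnel, re-wrapped for the Internet
    # side: from the PC's public address to the remote peer via the router.
    f = build_ipv4_frame(SAMPLE_ARP_CACHE, "192.0.2.1", "66:77:88:99:aa:bb",
                         "192.0.2.10", "198.51.100.7", b"reply-from-tunnel")
    print(parse_frame(f))
```

The point the model makes is that the frame's layer-2 destination comes from the ARP cache and the layer-3 header is written by hand; at no step is a route looked up, so a VPN client that "disables split tunnelling" by changing the default route has nothing to act on. The LookupError path is the one practical obstacle the message mentions: without a cached gateway MAC the relay has no one to hand the frame to.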
Current thread:
- Tunnel intruder Jim MacLeod (Oct 09)
- Re: Tunnel intruder Josh Welch (Oct 09)
- Re: Tunnel intruder John Adams (Oct 09)
- Re: Tunnel intruder Frank Knobbe (Oct 10)
- Re: Tunnel intruder Harald Koch (Oct 10)
- Re: Tunnel intruder Dragos Ruiu (Oct 10)
- Re: Tunnel intruder David Kennedy CISSP (Oct 12)
- Re: Tunnel intruder Dave Piscitello (Oct 12)
- <Possible follow-ups>
- RE: Tunnel intruder Gibson, Brian (Oct 09)
- RE: Tunnel intruder R. DuFresne (Oct 09)
- RE: Tunnel intruder Irwin Lazar (Oct 09)
- RE: Tunnel intruder Desai, Ashish (Oct 10)