Re: [fw-wiz] Tunnel intruder

From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 10/10/02


From: Frank Knobbe <fknobbe@knobbeits.com>
To: John Adams <jna-dated-1034639771.19b374@retina.net>
Date: Thu Oct 10 08:59:20 2002


On Wed, 2002-10-09 at 18:56, John Adams wrote:
> On Wed, 9 Oct 2002, Jim MacLeod wrote:
>
> > There's a lot of FUD being touted by firewall vendors about the possibility
> > of a home computer being hacked, then the attacker using that computer's
> > VPN connection to the office to break into the company network.
>
> If you disable split-tunnelling, this isn't much of an issue. There's a
> far greater fear of the user picking up a virus on the public Internet and
> then connecting to your company through VPN. The virus could work its way
> into your internal network causing all sorts of grief.

And as you see, that works with split-tunneling disabled, and I would
consider viruses and worms still an issue.

But, I'm not sure how much security a disabled split-tunnel config
offers since it is basically a default gateway reconfig. It is
theoretically possible (and I say it that way since I'm not aware of
such a devil...yet) to write a trojan that will proxy packets from the
Internet through the box into the tunnel, and proxy responses back to
the Internet. The tunnel side is handled through the system's IP stack,
but the Internet side is handled with pcap/libnet. Not using the stack
bypasses any routing restrictions, heck even host-based firewall ACLs,
which means even though your split-tunnel is disabled, the box still
sends packets between the Internet and the VPN as long as the VPN is
established.

The pcap/libnet-proxy-devil would have to know what the default gateway
on the Internet is. Since it is assembling packets itself, it doesn't
really need to know the IP address, but (in case of a cable modem) the
MAC address of the router (and in case of a dial-up session, the PPP
endpoint id). The MAC address should still be in the arp cache.

And since the sucker is proxying, you don't have much ability to
restrict such traffic on the peer side of the VPN (usually a firewall on
'the other side'). I'm not sure how to fully secure this. One thought
that crossed my mind was disconnecting from the Internet....uhm... which
will tear down the VPN, darnit.

So, for really sensitive data, or very paranoid people, maybe a good RAS
dial-in might be a better fit...

Regards,
Frank
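The thread's point is that a proxying host on the client end makes Internet-originated traffic look, to the firewall on the far side of the VPN, like ordinary traffic from that client, so address-based rules there cannot single it out. What the VPN concentrator can still see is behaviour: a remote-access client that suddenly touches many distinct internal hosts and ports within a short window does not look like an interactive user. The following is an added example, not code from anyone in this thread: a small fan-out heuristic run over constructed concentrator flow records. The record format, the 60-second window and the threshold of 8 distinct targets are assumptions chosen for the illustration.

```python
"""Added example (not from the mailing-list thread): flag VPN clients whose
tunnel traffic fans out to an unusual number of distinct internal targets.

Assumed record format (constructed for this example, one flow per line):
    <ISO timestamp> <vpn_client_ip> <dst_ip>:<dst_port>
"""

from collections import defaultdict
from datetime import datetime

# Constructed sample flows. 10.8.0.5 behaves like a person using a few
# services; 10.8.0.9 sweeps a dozen internal hosts within 30 seconds, which
# is the pattern a packet-relaying client would produce on the tunnel side.
SAMPLE_FLOWS = """\
2002-10-10T08:00:01 10.8.0.5 10.1.1.10:445
2002-10-10T08:02:15 10.8.0.5 10.1.1.20:80
2002-10-10T08:05:40 10.8.0.5 10.1.1.10:445
2002-10-10T08:09:03 10.8.0.5 10.1.1.30:25
2002-10-10T08:05:00 10.8.0.9 10.1.2.1:445
2002-10-10T08:05:02 10.8.0.9 10.1.2.2:445
2002-10-10T08:05:04 10.8.0.9 10.1.2.3:445
2002-10-10T08:05:06 10.8.0.9 10.1.2.4:445
2002-10-10T08:05:08 10.8.0.9 10.1.2.5:445
2002-10-10T08:05:10 10.8.0.9 10.1.2.6:445
2002-10-10T08:05:12 10.8.0.9 10.1.2.7:445
2002-10-10T08:05:14 10.8.0.9 10.1.2.8:445
2002-10-10T08:05:16 10.8.0.9 10.1.2.9:445
2002-10-10T08:05:18 10.8.0.9 10.1.2.10:445
2002-10-10T08:05:20 10.8.0.9 10.1.2.11:445
2002-10-10T08:05:22 10.8.0.9 10.1.2.12:445
"""


def parse_flow(line):
    """Parse one record into (timestamp, client_ip, dst_ip, dst_port)."""
    ts_text, client, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts_text), client, dst_ip, int(dst_port)


def parse_flows(text):
    """Parse all non-empty lines of a flow log."""
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def fanout_alerts(flows, window_seconds=60, threshold=8):
    """Return {client_ip: peak_distinct_targets} for every client that reached
    at least `threshold` distinct (dst_ip, dst_port) pairs inside any sliding
    window of `window_seconds`. Thresholds are assumptions for the example."""
    by_client = defaultdict(list)
    for ts, client, dst_ip, dst_port in flows:
        by_client[client].append((ts, (dst_ip, dst_port)))

    alerts = {}
    for client, events in by_client.items():
        events.sort(key=lambda event: event[0])
        peak = 0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({target for _, target in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[client] = peak
    return alerts


if __name__ == "__main__":
    for client, peak in fanout_alerts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {client}: {peak} distinct internal targets within 60s")
```

The heuristic deliberately keys on the VPN-assigned client address, which is the one thing the relay cannot change on the tunnel side since, as Frank notes, that side goes through the system's own IP stack. A real deployment would tune the window and threshold against the normal fan-out of its own user population.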