Re: [fw-wiz] Tunnel intruder

From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 10/10/02


From: Frank Knobbe <fknobbe@knobbeits.com>
To: John Adams <jna-dated-1034639771.19b374@retina.net>
Date: Thu Oct 10 08:59:20 2002


On Wed, 2002-10-09 at 18:56, John Adams wrote:
> On Wed, 9 Oct 2002, Jim MacLeod wrote:
>
> > There's a lot of FUD being touted by firewall vendors about the possibility
> > of a home computer being hacked, then the attacker using that computer's
> > VPN connection to the office to break into the company network.
>
> If you disable split-tunnelling, this isn't much of an issue. There's a
> far greater fear of the user picking up a virus on the public Internet and
> then connecting to your company through VPN. The virus could work its way
> into your internal network causing all sorts of grief.

And as you see, that works with split-tunneling disabled, and I would
consider viruses and worms still an issue.

But, I'm not sure how much security a disabled split-tunnel config
offers since it is basically a default gateway reconfig. It is
theoretically possible (and I say it that way since I'm not aware of
such a devil...yet) to write a trojan that will proxy packets from the
Internet through the box into the tunnel, and proxy responses back to
the Internet. The tunnel side is handled through the system's IP stack,
but the Internet side is handled with pcap/libnet. Not using the stack
bypasses any routing restrictions, heck even host-based firewall ACLs,
which means even though your split-tunnel is disabled, the box still
sends packets between the Internet and the VPN as long as the VPN is
established.

The pcap/libnet-proxy-devil would have to know what the default gateway
on the Internet is. Since it is assembling packets itself, it doesn't
really need to know the IP address, but (in case of a cable modem) the
MAC address of the router (and in case of a dial-up session, the PPP
endpoint id). The MAC address should still be in the ARP cache.

And since the sucker is proxying, you don't have much ability to
restrict such traffic on the peer side of the VPN (usually a firewall on
'the other side'). I'm not sure how to fully secure this. One thought
that crossed my mind was disconnecting from the Internet....uhm... which
will tear down the VPN, darnit.

So, for really sensitive data, or very paranoid people, maybe a good RAS
dial-in might be a better fit...

Regards,
Frank
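Added example, not part of the thread above and not code by any of its participants: a small audit of what a capture on the public (Internet-facing) interface should look like while a no-split-tunnel VPN session is up. Once the tunnel is established, the only cleartext traffic that interface should carry is the encrypted VPN session itself (IKE on UDP/500, NAT-T on UDP/4500, ESP) between the host and the VPN gateway, plus link essentials such as DHCP. Any other packets reaching or leaving the host in the clear are exactly what the proxying trojan Frank describes would produce, and they are visible on the wire even though the host's own IP stack and host firewall never handled them. The `Packet` record, the function names, and all addresses (`192.0.2.10`, `198.51.100.1`, `203.0.113.7`) are constructed for the example.

```python
# Added example: audit a capture from the Internet-facing interface of a VPN
# client whose split-tunnelling is disabled. The Packet record and the sample
# capture below are constructed for illustration; addresses are documentation
# ranges, not real hosts.
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Packet:
    ts: float          # capture timestamp in seconds (constructed)
    src: str           # source IP
    dst: str           # destination IP
    proto: str         # "udp", "tcp", "esp" or "icmp"
    sport: int = 0     # source port (0 for ESP/ICMP)
    dport: int = 0     # destination port (0 for ESP/ICMP)

IKE_PORTS = {500, 4500}     # IKE and NAT-T keepalive/ESP-in-UDP
DHCP_PORTS = {67, 68}

def is_expected_tunnel_traffic(pkt: Packet, host_ip: str, vpn_gateway: str) -> bool:
    """True if the packet is part of the encrypted VPN session or is DHCP."""
    if {pkt.src, pkt.dst} == {host_ip, vpn_gateway}:
        if pkt.proto == "esp":
            return True
        if pkt.proto == "udp" and ({pkt.sport, pkt.dport} & IKE_PORTS):
            return True
    # DHCP is allowed regardless of addresses (client may still be 0.0.0.0).
    if pkt.proto == "udp" and {pkt.sport, pkt.dport} == DHCP_PORTS:
        return True
    return False

def audit_public_interface(packets: List[Packet], host_ip: str,
                           vpn_gateway: str) -> List[Packet]:
    """Return every packet that should not appear in the clear while the tunnel is up."""
    return [p for p in packets
            if not is_expected_tunnel_traffic(p, host_ip, vpn_gateway)]

def summarize_by_peer(anomalies: List[Packet], host_ip: str) -> Dict[str, int]:
    """Group anomalous packets by the remote endpoint: {peer_ip: packet_count}."""
    counts: Dict[str, int] = {}
    for p in anomalies:
        peer = p.dst if p.src == host_ip else p.src
        counts[peer] = counts.get(peer, 0) + 1
    return counts

# Constructed sample capture: a normal VPN session, then a cleartext TCP
# exchange with an Internet host that a clean no-split-tunnel client would
# never produce on this interface.
HOST_IP = "192.0.2.10"
VPN_GATEWAY = "198.51.100.1"
SAMPLE_CAPTURE = [
    Packet(0.00, HOST_IP, VPN_GATEWAY, "udp", 500, 500),        # IKE
    Packet(0.05, VPN_GATEWAY, HOST_IP, "udp", 500, 500),
    Packet(0.10, HOST_IP, VPN_GATEWAY, "udp", 4500, 4500),      # NAT-T
    Packet(0.20, HOST_IP, VPN_GATEWAY, "esp"),
    Packet(0.25, VPN_GATEWAY, HOST_IP, "esp"),
    Packet(1.00, "0.0.0.0", "255.255.255.255", "udp", 68, 67),  # DHCP
    Packet(5.00, "203.0.113.7", HOST_IP, "tcp", 51234, 8080),   # cleartext inbound
    Packet(5.02, HOST_IP, "203.0.113.7", "tcp", 8080, 51234),   # cleartext reply
]

def run_demo() -> Dict[str, int]:
    """Audit the sample capture and return the per-peer anomaly counts."""
    anomalies = audit_public_interface(SAMPLE_CAPTURE, HOST_IP, VPN_GATEWAY)
    for p in anomalies:
        print(f"[!] unexpected cleartext at t={p.ts:.2f}: "
              f"{p.src}:{p.sport} -> {p.dst}:{p.dport} ({p.proto})")
    return summarize_by_peer(anomalies, HOST_IP)

if __name__ == "__main__":
    print(run_demo())
```

The check is deliberately about where the packets are seen, not about the host's routing table: a disabled split tunnel only changes the default route, and a proxy that writes frames with libnet never consults that route. For the same reason the capture should be taken from a vantage point the client does not control (the home router, a span port, or the VPN gateway's outside interface) rather than on the client itself.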
