Security Basics mailing list archives
Re: How safe is a VPN connexion from within an internal network?
From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Mon, 27 Nov 2006 00:30:42 -0500
Peter Fuggle wrote:
> You are right that "split tunneling" does not guarantee that the remote network offering the VPN connectivity is safe from a compromised client. Generally the client will be allocated an address on the remote LAN - that's usually the point of establishing the tunnel is it not? Now sure, the vpn client software can ensure that the client can only make connections through the tunnel and not to other devices on the local LAN or out to the internet. But depending
I disagree entirely with this assertion. It's not possible to guarantee that a piece of software even has the ability to prevent non-VPN connections even under perfect conditions. It is after all nothing but another piece of software. And remember that within context we're talking about a possibly compromised machine which could have a buggered up copy of VPN client software. Again, you absolutely cannot completely "shut off the Internet" because the Internet is your "carrier". That connection still exists, and no matter how adept a piece of software might be at filtering out extraneous noise it can never be perfect.
> upon how controlled egress connections are on the remote LAN, the compromised client can still pose a risk. For example, the client has
At this point it becomes a moot argument because influence over the connection is out of the client's hands.
> a shell bot installed that connects out to the attacker's machine and there is no control on outbound connections from the remote LAN...
If an attacker has compromised the machine to the point that it can make surreptitious connections at all, there's no VPN software on the planet that's going to save you.
> Compromised client establishes tunnel, shellbot connects out to control machine _through tunnel_, attacker has full access to VPN client and LAN that the client is connected into. In a case like this, split tunneling gains nothing.
I'd say this is a waste of an attacker's time. ;) It's easier and far more reliable to make a direct connection, avoiding the additional problems and chances of being spotted that tunneling the unwanted connection through yet another network/server/etc brings to the table.
--
Hand crafted on 27 November, 2006 at 00:19:53 EST using only the finest domestic and imported ASCII.
I'd like to meet the guy who invented beer, and see what he's working on now.