PaulDotCom mailing list archives

Re: SSL vs IPSec VPNs


From: "Baggett, Mark" <mark.baggett () morris com>
Date: Fri, 22 Oct 2010 14:09:34 -0400

Another nice thing about most SSL concentrators is your "client remediation" and/or "login scripts" can turn on tcp 
packet forwarding, disable antivirus, add registry keys, etc.   (With appropriate permission of course)

Credit or blame?   :)   Make checks payable to HFC.

Mark


-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Michael Douglas
Sent: Thursday, October 21, 2010 11:31 PM
To: PaulDotCom Security Weekly Mailing List
Cc: pauldotcom () pdc-mail pauldotcom com
Subject: Re: [Pauldotcom] SSL vs IPSec VPNs

Mark, that's straight up evil... I love it.  Just let me know what sorts of credit you want for that little trick.

It's every bit as good as me sending them status reports with a few extra payloads attached.

Customer: this file's encrypted
Me: Of course, you don't want a mail admin to be able to see this kind of sensitive data... here's how you open the file
Customer: Oh you need macros?  Why?
Me: Formatting.  And if you see any popups just click yes.


Sad thing is it *works*...


I *love* what I do for a living!  What a fun and amazing field.
- Mick

On Wed, Oct 20, 2010 at 9:58 AM, Baggett, Mark <mark.baggett () morris com> wrote:
This probably won't affect your purchasing decision, but I think it is 
interesting that most network admins don't really think twice about 
allowing their employees to use SSL VPN to connect to a third party 
network.   They don't think about the fact that some other admin (the 
one who owns the SSL VPN Concentrator) controls the split tunneling 
policy on the clients and decides whether or not your internal 
workstations can be used to pivot mercilessly through your environment.


Dear Pen test customer,
In order to provide you with instant, up to date access to the results 
of our ongoing penetration we have established a project status portal.
Obviously this data is sensitive and must be protected.  Please use 
the following username and password to login to our SSL VPN to access 
the status page.

Moooohahhahaa



-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Michael Douglas
Sent: Tuesday, October 19, 2010 9:41 AM
To: pauldotcom () pdc-mail pauldotcom com
Subject: [Pauldotcom] SSL vs IPSec VPNs

Hey all,

I'm trying to determine what protocols should be permitted on a new 
VPN concentrator.

I'd like to stick with IPSec, it's tried and true, and to quote Garth:
"We fear change".  However, it seems that all the vendors are going 
down the SSL route.  Now I know SSL is 'safe', but it seems like it's 
more open to attacks like SSLStrip (thanks again Moxie for making us 
aware of the problems!)  I get that SSL is easier for administrators 
and end users alike, but is that convenience at too high a cost?

So what are your thoughts?  Am I being too paranoid?  If there are 
articles or places where I should RTFM, that's cool... I just need to 
know what FM to read!!  Please send the links/info  ;-)


Thanks for your input, and have a nice day!
- Mick
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com