RE: CRIME Driveby DOS

From: Andrew Plato (aplato@private)
Date: Wed Oct 23 2002 - 12:20:23 PDT


    
    >> Coupled with host IDS, firewalls, and a
    >> few other goodies, it's a pretty safe network now.
    
    >Just run a VPN gateway behind the wireless segment.  Refuse anyone
    >to go past it without the client VPN, and you are done.  Run WEP and MAC
    >filters, if you can, just to keep the casual eavesdroppers off the net.
    
    >Therefore you have
    >        a) Strong Authentication of the users.
    >        b) Strong Encryption of the data.
    
    >You are now *better* than the wired segments.
    
     
    That's a peachy solution...unless the end node gets hacked and the hacker uses the VPN tunnel to come into the network. This is how Microsoft was hacked about a year ago. A hacker took over some developer's home PC, grabbed his VPN credentials and agent configuration, and then used the VPN tunnel to access the network and steal stuff. The intruder essentially bypassed all the security by gaining control of the end-node in this case. In fact his intrusion enjoyed a level of security itself, since his attack was nicely encrypted inside the VPN tunnel.
    
    So VPN and authentication alone will not solve the problem. You have to have some kind of strong, two-factor authentication on the end-node or something to help prevent the end-nodes from getting hacked in the first place. In this example, a simple reactive firewall or intrusion prevention system running on the host might have stopped the hacker from stealing the VPN credentials and agent software in the first place.
     
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________
     
     
     
     
    



    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 12:45:01 PDT