RE: [fw-wiz] Tunnel intruder

From: R. DuFresne (dufresneat_private)
Date: Wed Oct 09 2002 - 17:16:39 PDT


    I recently had the opportunity to discuss this issue with folks at
    LURHQ, a small sec company in SC.  They had mentioned virus infections and
    worm intrusions being a major issue with VPN tunnels found in their
    offerings <along the MSSP line>.  I've also talked to a number of other
    folks about this very issue as it pertains to virus intrusions and trojans,
    as well as some discussions about a hacked box being the backdoor into the
    soft chewy center of the corp network.  And being that SANS just recently
    made mention that at least one of the new slapper worm variants was used as the
    mechanism for a DDOS of a gov site, I can see this as a possible intrusion
    vector into the corp network from a linux system.
    
    Thus my quests in fairly recent posts about VPN software and appliances
    that actually push a corporate policy to the remote end initiating an
    internal connection.  One would hope the software/devices used would check
    that an anti-virus application was installed and running with current virus
    signatures, that no foreign/remote web/ftp/p2p/IM software was active or
    could be activated once the VPN was tunneled in, and that a personal
    firewall system was in place to protect a system also connected to the
    outside internet, or disabled that route while the tunnel was in session.
    It's a fairly tall order considering the number of OS's the VPN technology
    needs to be current and up to date on, as well as the number of offerings
    in the anti-virus and personal firewall arena.  Not to mention knowledge
    of the various web/ftp/IRC/IM/etc channels and internet connectivity
    issues they would need to trace and track.
    
    Thanks,
    
    Ron DuFresne
    
    
    On Wed, 9 Oct 2002, Gibson, Brian wrote:
    
    > I can tell you of cases where users with tunnels to their office that were
    > running Webservers back in the CodeRed days were wreaking HAVOC on their
    > corporate networks.  My old company spent weeks trying to identify the
    > source of the problem.  
    > 
    > It really is a pretty trivial avenue to exploit.  If you are Joe Social
    > Engineer and you want to break into Widgets Inc.  that would probably be the
    > first avenue of attack you would look to do.  
    > 
    > Virtually no logging of intrusions.  Oblivious user.  Often full rein of
    > the corporate treasures.  In many corporate worlds VPN users are treated as
    > fully trusted hosts.  You could go MONTHS without detection.
    > 
    > The question isn't whether a Joe Cracker has broken in this way. The
    > question is why WOULDN'T they use this method? 
    > 
    > 
    > -----Original Message-----
    > From: Jim MacLeod [mailto:jmacleodat_private] 
    > Sent: Wednesday, October 09, 2002 6:21 PM
    > To: firewall-wizardsat_private
    > Subject: [fw-wiz] Tunnel intruder
    > 
    > There's a lot of FUD being touted by firewall vendors about the possibility 
    > of a home computer being hacked, then the attacker using that computer's 
    > VPN connection to the office to break into the company network.
    > 
    > I can see this as a possibility and realize that we could easily get into 
    > an extended discussion of the probability/impossibility/inevitability of it 
    > occurring.  I personally want to avoid speculation.
    > 
    > Does anybody know of an actual incident where this attack was used, 
    > successfully or not?
    > 
    > Thanks,
    > -Jim
    > 
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizardsat_private
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > 
    > 
    > 
    > 
    
    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    
    testing, only testing, and damn good at it too!
    
    
    
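The endpoint checks Ron asks for above (anti-virus installed, running and with current signatures; no web/ftp/p2p/IM service listening on the remote host; a personal firewall in place, or no direct internet route while the tunnel is up) can be expressed as a gateway-side admission policy that also produces the per-connection record Brian notes is usually missing. This is an added example, not code from the thread or from any VPN product mentioned in it. The posture report fields, the forbidden-port list and the seven-day signature threshold are assumptions chosen for illustration, and the sample hosts are constructed.

```python
"""Gateway-side posture evaluation for a VPN client before it is admitted
to the internal network.  Added example; the report format, thresholds and
sample hosts are constructed assumptions, not a real product's API."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Services the policy does not want reachable on a tunnelled host
# (web, ftp, a common IM and p2p port).  Constructed list for the example.
FORBIDDEN_LISTENERS: Dict[int, str] = {
    21: "ftp", 80: "http", 443: "https", 5190: "aim", 6881: "bittorrent",
}
MAX_SIGNATURE_AGE = timedelta(days=7)        # assumed policy threshold
REFERENCE_NOW = datetime(2002, 10, 9, 17, 0)  # fixed clock so results are stable


@dataclass
class Posture:
    """What the client agent reports about itself (assumed schema)."""
    av_installed: bool
    av_running: bool
    av_signature_date: Optional[datetime]
    listening_ports: Set[int]
    firewall_enabled: bool
    split_tunnel: bool  # True: host keeps a direct route to the internet


@dataclass
class Decision:
    allowed: bool
    failures: List[str] = field(default_factory=list)


def evaluate(p: Posture, now: datetime = REFERENCE_NOW) -> Decision:
    """Apply the policy; every failure is recorded so the gateway can log it."""
    fails: List[str] = []

    # Anti-virus: present, running, and signatures not older than the threshold.
    if not p.av_installed:
        fails.append("anti-virus not installed")
    elif not p.av_running:
        fails.append("anti-virus installed but not running")
    elif p.av_signature_date is None:
        fails.append("anti-virus signature date unknown")
    elif now - p.av_signature_date > MAX_SIGNATURE_AGE:
        age = (now - p.av_signature_date).days
        fails.append(f"anti-virus signatures stale ({age} days)")

    # No web/ftp/IM/p2p service may be listening on the host while tunnelled.
    for port in sorted(p.listening_ports & FORBIDDEN_LISTENERS.keys()):
        fails.append(f"forbidden listener: {FORBIDDEN_LISTENERS[port]} on tcp/{port}")

    # A host that still routes to the open internet needs a personal firewall;
    # otherwise the gateway must have disabled that route (no split tunnel).
    if p.split_tunnel and not p.firewall_enabled:
        fails.append("split tunnelling allowed with no personal firewall")

    return Decision(allowed=not fails, failures=fails)


def sample_hosts() -> Dict[str, Posture]:
    """Constructed client reports covering a compliant host and three failures."""
    return {
        "clean": Posture(True, True, datetime(2002, 10, 7, 12), set(), True, False),
        "stale_av_webserver": Posture(True, True, datetime(2002, 9, 1),
                                      {80, 139}, True, False),
        "split_no_fw": Posture(True, True, datetime(2002, 10, 8), set(), False, True),
        "no_av": Posture(False, False, None, set(), True, False),
    }


def run_samples(now: datetime = REFERENCE_NOW) -> Dict[str, Decision]:
    """Evaluate every sample host; the returned map is what the gateway would log."""
    return {name: evaluate(p, now) for name, p in sample_hosts().items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        verdict = "ADMIT" if d.allowed else "QUARANTINE"
        print(f"{name:22s} {verdict}  {'; '.join(d.failures)}")
```

A denied host would be placed on a quarantine network that reaches only the update servers, rather than the corporate LAN; the `failures` list is the log entry Brian's scenario lacked, tied to the user and the time of the attempt.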