> Does anybody know of an actual incident where this attack was used,
> successfully or not?

Yes. It's certainly been done as a proof-of-concept, and I can think of an incident involving remote employees and SSH tunnels (although I don't think it was ever made public).

The remote user is one of the easiest entries into a corporate network. Stolen laptops; this type of VPN compromise; stolen securid (or equivalent) tokens; WiFi at home; the list goes on and on.

On the other hand, these are not script-kiddie attacks; there are many different VPN clients out there, *and* you have to know something about the network you're trying to penetrate. Still, it's probably easier (and more covert) than attacking a corporate firewall directly.

So-called "compulsory VPNs" or "split-tunnels" are not a defense against a determined attacker. Robotic attack software is pretty sophisticated these days. Once installed, a trojan using technology like IP-over-HTTP tunnels can get back *out* of a corporate network fairly easily.

Anyway, I can remember discussing the problem with co-workers in my early days at Borderware, about six years ago; it's not exactly a new idea. Frankly, I'd be surprised if it *hadn't* been used by now. I suspect, as with most security incidents, we'll probably never hear about it.

--
Harald Koch <chkat_private>
ex-firewall developer :-)

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Thu Oct 10 2002 - 06:14:45 PDT