On Wed, 2002-10-09 at 18:56, John Adams wrote:
> On Wed, 9 Oct 2002, Jim MacLeod wrote:
>
> > There's a lot of FUD being touted by firewall vendors about the possibility
> > of a home computer being hacked, then the attacker using that computer's
> > VPN connection to the office to break into the company network.
>
> If you disable split-tunnelling, this isn't much of an issue. There's a
> far greater fear of the user picking up a virus on the public Internet and
> then connecting to your company through VPN. The virus could work its way
> into your internal network causing all sorts of grief.

And as you see, that works with split-tunneling disabled, and I would consider viruses and worms still an issue.

But I'm not sure how much security a disabled split-tunnel config offers, since it is basically a default gateway reconfig. It is theoretically possible (and I say it that way since I'm not aware of such a devil... yet) to write a trojan that will proxy packets from the Internet through the box into the tunnel, and proxy responses back to the Internet. The tunnel side is handled through the system's IP stack, but the Internet side is handled with pcap/libnet. Not using the stack bypasses any routing restrictions, heck, even host-based firewall ACLs, which means even though your split-tunnel is disabled, the box still sends packets between the Internet and the VPN as long as the VPN is established.

The pcap/libnet-proxy-devil would have to know what the default gateway on the Internet is. Since it is assembling packets itself, it doesn't really need to know the IP address, but (in the case of a cable modem) the MAC address of the router (and in the case of a dial-up session, the PPP endpoint id). The MAC address should still be in the ARP cache. And since the sucker is proxying, you don't have much ability to restrict such traffic on the peer side of the VPN (usually a firewall on 'the other side').

I'm not sure how to fully secure this. One thought that crossed my mind was disconnecting from the Internet... uhm... which will tear down the VPN, darnit. So, for really sensitive data, or very paranoid people, maybe a good RAS dial-in might be a better fit...

Regards,
Frank
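The "default gateway reconfig" point above is easy to verify on a host: with split-tunnelling disabled, the default route points at the VPN interface, yet a host route to the VPN concentrator and the local subnet route still go out the physical interface, which is the path a stack-bypassing proxy would ride. The following is an added example (not code from the original thread or from any VPN vendor) that parses routing-table text in the column layout of Linux `netstat -rn` and reports both facts. The route lines, interface names (`tun0`, `eth0`) and addresses are constructed sample data.

```python
"""Classify a host's routing table as full-tunnel or split-tunnel and list
what is still reachable outside the tunnel.

Added example, not part of the original mailing-list post. The routing
tables below are constructed samples in the column layout of `netstat -rn`
on Linux; interface names and addresses are assumptions.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: split-tunnelling disabled. Default route via tun0,
# but the host route to the concentrator (203.0.113.5) and the LAN still
# use eth0, so the physical interface keeps carrying packets.
FULL_TUNNEL = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.1        0.0.0.0         UG        0 0          0 tun0
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
203.0.113.5     192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
"""

# Constructed sample: split-tunnelling enabled. Only the office 10/8 range
# goes through tun0; the default route stays on the ISP gateway via eth0.
SPLIT_TUNNEL = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.0.0.0        10.8.0.1        255.0.0.0       UG        0 0          0 tun0
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""


def parse_routes(text: str) -> List[Dict[str, str]]:
    """Parse `netstat -rn` style lines into dicts; header and short lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue
        routes.append({"dest": parts[0], "gw": parts[1],
                       "mask": parts[2], "iface": parts[-1]})
    return routes


def tunnel_mode(text: str, vpn_iface: str) -> str:
    """'full-tunnel' if every default route leaves via the VPN interface,
    'split-tunnel' if any default route uses another interface."""
    defaults = [r for r in parse_routes(text)
                if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    if not defaults:
        return "no-default-route"
    if all(r["iface"] == vpn_iface for r in defaults):
        return "full-tunnel"
    return "split-tunnel"


def outside_tunnel(text: str, vpn_iface: str) -> List[str]:
    """Networks still routed over a non-VPN interface, in CIDR notation.
    Even in full-tunnel mode this is never empty: the concentrator's own
    host route and the link's subnet must stay on the physical interface."""
    nets = []
    for r in parse_routes(text):
        if r["iface"] != vpn_iface:
            net = ipaddress.ip_network(f"{r['dest']}/{r['mask']}", strict=False)
            nets.append(str(net))
    return nets


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, tunnel_mode(table, "tun0"), outside_tunnel(table, "tun0"))
```

Running it on the two samples reports `full-tunnel` with `192.168.1.0/24` and `203.0.113.5/32` still outside the tunnel, versus `split-tunnel` with the default route `0.0.0.0/0` outside it. The residual eth0 routes in the full-tunnel case are exactly why a routing-table check alone cannot rule out the proxy scenario Frank describes: the physical interface is still live, and anything that bypasses the stack never consults this table.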
This archive was generated by hypermail 2b30 : Thu Oct 10 2002 - 06:20:13 PDT