Another nice thing about most SSL concentrators is your "client remediation" and/or "login scripts" can turn on tcp packet forwarding, disable antivirus, add registry keys, etc. (With appropriate permission of course)
Credit or blame? :) Make checks payable to HFC. Mark -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Michael Douglas Sent: Thursday, October 21, 2010 11:31 PM To: PaulDotCom Security Weekly Mailing List Cc: [email protected] Subject: Re: [Pauldotcom] SSL vs IPSec VPNs Mark, that's straight up evil... I love it. Just let me know what sorts of credit you want for that little trick. It's every bit as good as me sending them status reports with a few extra payloads attached. Customer: this file's encrypted Me: Of course, you don't want a mail admin to be able to see this kind of sensitive data... here's how you open the file Customer: Oh you need macros? Why? Me: Formatting. And if you see any popups just click yes. Sad thing is it *works*... I *love* what I do for a living! What a fun and amazing field. - Mick On Wed, Oct 20, 2010 at 9:58 AM, Baggett, Mark <[email protected]> wrote: > This probably wont affect your purchasing decision, but I think it is > interesting that most network admins don't really think twice about > allowing their employees to use SSL VPN to connect to a third party > network. They don't think about the fact that some other admin (the > one who owns the SSL VPN Concentrator) controls the split tunneling > policy on the clients and decides whether or not your internal > workstations can be used to pivot mercilessly through your environment. > > > Dear Pen test customer, > In order to provide you with instant, up to date access to the results > of our ongoing penetration we have established a project status portal. > Obviously this data is sensitive and most be protected. Please use > the following username and password to login to our SSL VPN to access > the status page. > > Moooohahhahaa > > > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of Michael > Douglas > Sent: Tuesday, October 19, 2010 9:41 AM > To: [email protected] > Subject: [Pauldotcom] SSL vs IPSec VPNs > > Hey all, > > I'm trying to determine what protocols should be permitted on a new > VPN concentrator. > > I'd like to stick with IPSec, it's tried and true, and to quote Garth: > "We fear change". However, it seems that all the vendors are going > down the SSL route. Now I know SSL is 'safe', but it seems like it's > more open to attacks like SSLStrip (thanks again Moxie for making us > aware of the problems!) I get that SSL is easier for administrators > and end users alike, but is that convenience at too high a cost? > > So what are your thoughts? Am I being too paranoid? If there are > articles or places where I should RTFM, that's cool... I just need to > know what FM to read!! Please send the links/info ;-) > > > Thanks for your input, and have a nice day! > - Mick > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
