It is very likely and possible for a user of a VPN to be the conduit for an attack to the inside of a network in the following circumstances (not comprehensive, however):

1. You've enabled your users to have a "split tunnel". In effect, the user is on the Internet and has established a tunnel to the (let's say) corporate network. At the same time he is allowed to talk outside the tunnel to the Internet in general while the tunnel is running. If the user is not careful (e.g. personal firewall, anti-virus, runs Windows...) they can be used as an entry point to the network, as they are acting as a router between two nets (public and private). Typically split tunneling is not permitted. While the user is connected to the corporate LAN via VPN, they are not permitted to talk to any endpoint but the VPN endpoint.

2. How? The user, while not on the VPN (maybe), was compromised by an external attacker and Sub7 or Back Orifice was placed on their home machine. Again, lack of sufficient controls on the home PC. When the user connects in, if split tunneling is permitted, the attacker can control the PC and make connections inward to the organization. In my experience, the home PC is not *controlled* enough for corporate security purposes. The user has admin rights, his kids use it, they download bad stuff and run it... I've found not permitting any machine other than corporately secured and controlled ones to be a good idea.

3. Split tunneling may not even be needed, though. While the machine is on the net (but not the VPN), or even at work, plugged into the network, an attacker places a netcat client and script on the box so that when they next connect (or do something specific) it sends a reverse telnet out to the Internet, via the corporate gateway, to the attacker to use. Sure, this relies on a lot of stuff for both the client and corp network, but it is possible. Maybe I didn't remote control the machine to get access, but I compromised it prior to the VPN connection and it gave me access I maybe shouldn't have.

A lot of this comes down, IMHO, to the security of the client. If you cannot reasonably secure that, then performing a perimeter-extending act such as allowing a VPN is a mistake. If a VPN is absolutely required, special attention must be given to the security of that host, i.e. a personal firewall, making sure there is some form of anti-virus with updated signatures, etc.

To mitigate this vulnerability, only company-issued laptops should be used, with only company-issued software running on them. If the user attempts to install another type of software, the laptop smacks them across the face with its disk drive. A host-based IDS/firewall should also be installed, as well as the latest anti-virus software that scans not only Internet inbound/outbound material but removable media as well. And that's only the beginning.

I'm all for the impossible: making employees financially responsible for any damage they introduce to the company infrastructure by using their personal equipment. The first time they pay off their $50K debt to the company for a virus they brought with them, they'll have learned the lesson.
-- Karim

> Date: 13 Mar 2003 17:15:20 -0000
> From: Jonathan Grotegut
> To: security-basics mailing list (securityfocus.com)
> Subject: Home users with VPN connections
>
> Forgive me if this seems trivial or "newbieish" but I am new to
> the "Security" end of computing.
>
> With the new CERT Advisory CA-2003-08, it got me to thinking "What are
> others' policies, procedures, and requirements for home users connecting
> via VPN to a corporate network?"
>
> When a person connects a VPN connection from their home to the office,
> they can very easily have a Trojan or a virus. This would allow for easy
> infection or access to the corporate network.
>
> What are your thoughts on policies, procedures, requirements for
> VPN users connecting to the corporate network as far as password
> requirements, personal firewalls, virus software, etc.?
>
> Thanks in advance for your suggestions. By the way, our clients vary. Our
> clients are all in different professions, meaning we have everything from
> health care providers to mortgage companies to printing companies.
>
> Jonathan Grotegut
> DirectPointe
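The reverse-telnet case in point 3 of the reply above is the one a full tunnel does not prevent: the compromised home PC calls out to the attacker through the corporate egress gateway. The following is an added example, not code from either poster or from any product they mention. It runs detection logic over constructed netfilter-style LOG lines (the syslog output of an iptables LOG target) and reports connections whose source is in the VPN client pool and whose destination is outside the corporate address space on a port the egress policy does not allow. The VPN pool, the corporate prefixes, the allowed egress ports, the interface names and every log line are assumptions made up for the example.

```python
"""Spot VPN clients reaching the Internet through the corporate gateway.

Added example for this thread, not code from either poster. Parses
netfilter-style LOG lines and flags VPN-pool sources talking to non-corporate
destinations on ports outside the egress allow-list, i.e. the netcat
reverse-telnet scenario from the reply. Address plan, policy and log lines
are constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# Assumed address plan and egress policy (not from the original thread).
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")          # addresses handed to VPN clients
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("192.168.0.0/16")]      # everything else is "the Internet"
ALLOWED_EGRESS = {("TCP", 80), ("TCP", 443), ("UDP", 53)}  # what VPN clients may reach outside

ACTION_RE = re.compile(r"\b(ACCEPT|DROP)\b")  # verdict carried in the LOG --log-prefix text

# Constructed sample log; documentation ranges (203.0.113.0/24, 198.51.100.0/24)
# stand in for Internet hosts. One non-firewall line is mixed in on purpose.
SAMPLE_LOG = """\
Mar 13 17:15:20 fw1 kernel: VPN-EGRESS ACCEPT IN=tun0 OUT=eth1 SRC=10.200.3.14 DST=10.1.2.3 PROTO=TCP SPT=50112 DPT=445 SYN
Mar 13 17:15:22 fw1 kernel: VPN-EGRESS ACCEPT IN=tun0 OUT=eth0 SRC=10.200.3.14 DST=203.0.113.9 PROTO=TCP SPT=50113 DPT=443 SYN
Mar 13 17:15:31 fw1 kernel: VPN-EGRESS ACCEPT IN=tun0 OUT=eth0 SRC=10.200.3.14 DST=203.0.113.9 PROTO=TCP SPT=50114 DPT=23 SYN
Mar 13 17:16:02 fw1 kernel: VPN-EGRESS DROP IN=tun0 OUT=eth0 SRC=10.200.7.2 DST=198.51.100.77 PROTO=TCP SPT=40001 DPT=4444 SYN
Mar 13 17:16:05 fw1 kernel: VPN-EGRESS ACCEPT IN=eth1 OUT=eth0 SRC=10.1.5.5 DST=198.51.100.77 PROTO=TCP SPT=33000 DPT=4444 SYN
Mar 13 17:16:09 fw1 sshd[812]: Accepted publickey for admin from 10.1.9.9 port 51000 ssh2
"""


def parse_line(line):
    """Return the fields we need from one LOG line, or None for anything else."""
    if "SRC=" not in line or "DST=" not in line:
        return None
    # The LOG target emits KEY=VALUE tokens; flags such as SYN carry no '='.
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    m = ACTION_RE.search(line)
    try:
        return {
            "action": m.group(1) if m else "UNKNOWN",
            "src": ipaddress.ip_address(kv["SRC"]),
            "dst": ipaddress.ip_address(kv["DST"]),
            "proto": kv.get("PROTO", "?").upper(),
            "dpt": int(kv["DPT"]) if "DPT" in kv else None,  # absent for ICMP
        }
    except (KeyError, ValueError):
        return None


def is_corporate(addr):
    return any(addr in net for net in CORP_NETS)


def classify(rec):
    """'internal', 'allowed-egress' or 'suspicious-egress' for VPN sources; None otherwise."""
    if rec["src"] not in VPN_POOL:
        return None
    if is_corporate(rec["dst"]):
        return "internal"
    if (rec["proto"], rec["dpt"]) in ALLOWED_EGRESS:
        return "allowed-egress"
    return "suspicious-egress"


def find_suspicious(lines):
    """Records whose VPN source reached, or tried to reach, a non-allowed Internet port.

    DROP lines are kept deliberately: a blocked SYN to port 4444 is still the
    signal that the client is compromised, which is the point of the reply."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and classify(rec) == "suspicious-egress":
            hits.append(rec)
    return hits


def per_client(hits):
    """Count suspicious attempts per VPN client address, for the on-call summary."""
    return Counter(str(h["src"]) for h in hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['action']:6} {h['src']} -> {h['dst']}:{h['dpt']}/{h['proto']}")
    print("per client:", dict(per_client(found)))
```

On the constructed input the internal file-share connection and the web connection pass, the telnet and port-4444 connections from VPN clients are reported (the dropped one included), and the same port-4444 attempt from an internal workstation is ignored because this check is scoped to the VPN pool. Note what this does not cover: with split tunneling permitted, the reverse shell leaves through the client's own Internet connection and never crosses the corporate gateway, so no egress log will show it. That is why the reply treats client-side controls, not the gateway, as the real fix.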
