Security Basics mailing list archives

Re: Home users with VPN connections


From: <ladhanikarim () yahoo com>
Date: 14 Mar 2003 21:48:24 -0000

In-Reply-To: <20030313171520.7128.qmail () www securityfocus com>

It is very likely and possible for a user of a VPN to be the conduit for
an attack to the inside of a network in the following circumstances (not
comprehensive however):

1. You've enabled your users to have a "split-tunnel" - In effect, the
user is on the Internet and has established a tunnel to the (let's say)
corporate network. At the same time he is allowed to talk outside the
tunnel to the Internet in general while the tunnel is running. If the
user is not careful (e.g. personal firewall, anti-virus, runs
Windows...) they can be used as an entry point to the network as they
are acting as a router between two nets (public and private). Typically
split-tunneling is not permitted. While the user is connected to the
corporate LAN via VPN, they are not permitted to talk to any endpoint
but the VPN endpoint.

2. How? The user, while not on the VPN (maybe) was compromised by an
external attacker and Sub7 or BackOrifice was placed on their home
machine. Again, lack of sufficient controls on the home PC. When the
user connects in, if Split-Tunneling is permitted, the attacker can
control the PC and make connections inward to the organization. In my
experience, the home PC is not *controlled* enough for corporate
security purposes. The user has admin rights, his kids use it, they
download bad stuff and run it...I've found that not permitting any
machine other than corporately secured and controlled ones to be a good
idea.

3. Split-tunneling may not even be needed though. While the machine is
on the net (but not the VPN) or even at work, plugged into the network,
an attacker places a netcat client and script on the box so that when
they next connect (or do something specific) it sends a reverse telnet
out to the Internet, via the corporate gateway, to the attacker to use.
Sure, this relies on a lot of stuff for both the client and corp
network, but it is possible. Maybe I didn't remote control the machine
to get access, but I compromised it prior to VPN connection and it gave
me access maybe I shouldn't have.

A lot of this comes down, IMHO, to the security of the client. If you
cannot reasonably secure that, then performing a perimeter-extending act
of allowing a VPN is a mistake. If a VPN is absolutely required, special
attention must be given to the security of that host, i.e. a personal
firewall, making sure there is some form of anti-virus with updated
signatures, etc.

To mitigate this vulnerability, only company-issued laptops should be
used - with only company-issued software running on them. If the user
attempts to install another type of software, the laptop smacks them
across the face with its disk drive. A host-based IDS/firewall should
also be installed, as well as the latest anti-virus software that scans
both internet inbound/outbound material, but removable media as well.
And that's only the beginning.

I'm all for the impossible: making employees financially responsible for
any damage they introduce to the company infrastructure by using their
personal equipment. The first time they pay off their $50K debt to the
company for a virus they brought with them, they'll have learned the
lesson.


-- Karim
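The reply above turns on whether a connected client is split-tunneling or is forced to send everything through the VPN. As an added example that is not code from either message in this thread, the POSIX sh function below classifies a Linux client's routing table (text in `ip route` output format) as a full tunnel, a split tunnel, or no tunnel at all for a given VPN interface. The interface name `tun0`, the three sample tables and the host addresses in them are constructed for the example; the `0.0.0.0/1` + `128.0.0.0/1` pair is the route layout OpenVPN's `redirect-gateway` option produces, which is why it is treated as a full tunnel even though the original default route is still present.

```shell
#!/bin/sh
# Added example, not from the original thread. Classifies a Linux client's
# routing table (`ip route` output format) as "full", "split" or "down"
# for a given VPN interface. The interface name and sample tables below
# are constructed assumptions, not captured from a real host.

# tunnel_mode IFACE TABLE_TEXT -> prints "full", "split" or "down"
tunnel_mode() {
    iface="$1"
    table="$2"

    # No route at all over the VPN interface: the tunnel is not up.
    if ! printf '%s\n' "$table" | grep -Eq "dev $iface( |$)"; then
        echo down
        return 0
    fi

    # A default route over the VPN interface means everything is tunnelled.
    if printf '%s\n' "$table" | grep -Eq "^default .*dev $iface( |$)"; then
        echo full
        return 0
    fi

    # OpenVPN's redirect-gateway pushes 0.0.0.0/1 and 128.0.0.0/1 instead of
    # replacing the default route; together they also cover every address.
    if printf '%s\n' "$table" | grep -Eq "^0\.0\.0\.0/1 .*dev $iface( |$)" &&
       printf '%s\n' "$table" | grep -Eq "^128\.0\.0\.0/1 .*dev $iface( |$)"; then
        echo full
        return 0
    fi

    # The VPN interface only carries specific prefixes while the default
    # route still points at the local LAN: Internet traffic bypasses the
    # tunnel, i.e. split tunnelling is in effect.
    echo split
}

# Constructed sample tables (assumed interface tun0, RFC 1918 / TEST-NET addresses).
# Split: only 10.0.0.0/8 goes over the tunnel, the default route stays on eth0.
SPLIT_TABLE='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23'

# Full: redirect-gateway layout; the only eth0 routes left are the LAN and a
# host route to the VPN server itself (203.0.113.10), which must stay outside.
FULL_TABLE='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev eth0'

# Down: no tun0 routes at all.
DOWN_TABLE='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23'

# On a live host you would run: tunnel_mode tun0 "$(ip route show)"
echo "split sample: $(tunnel_mode tun0 "$SPLIT_TABLE")"
echo "full sample:  $(tunnel_mode tun0 "$FULL_TABLE")"
echo "down sample:  $(tunnel_mode tun0 "$DOWN_TABLE")"
```

A "split" result while the user is supposed to be on the corporate VPN is exactly the condition the first point of the reply warns about: the client is reachable from the Internet and from the corporate LAN at the same time. Note that the check reads the routing table only; a client that has been compromised can still relay traffic over a full tunnel, which is the reply's third point.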


Date: 13 Mar 2003 17:15:20 -0000
Message-ID: <20030313171520.7128.qmail () www securityfocus com>
From: Jonathan Grotegut <jgrotegut () directpointe com>
To: security-basics () securityfocus com
Subject: Home users with VPN connections



Forgive me if this seems trivial or "newbieish" but I am new to
the "Security" end of computing.

With the new CERT Advisory CA-2003-08, it got me to thinking "What are
others' policies, procedures, and requirements for home users connecting
via VPN to a corporate network?"

When a person connects a VPN connection from their home to the office, 
they can very easily have a Trojan or a virus.  This would allow for easy 
infection or access to the corporate network.

What are your thoughts on policies, procedures, requirements for
VPN users connecting to the corporate network as far as Password
requirements, Personal Firewalls, Virus Software, Etc.?

Thanks in advance for your suggestions.  By the way our clients vary.  Our
clients are all in different professions, meaning we have everything from
health care providers to mortgage companies to printing companies.

Jonathan Grotegut
DirectPointe


