Friday, June 19, 2009

firewall-wizards Digest, Vol 38, Issue 9

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. VPN Split-tunneling: Your opinion? (AMuse)
2. Re: VPN Split-tunneling: Your opinion? (Paul Melson)


----------------------------------------------------------------------

Message: 1
Date: Thu, 18 Jun 2009 23:05:01 -0700
From: AMuse <amuse@foofus.com>
Subject: [fw-wiz] VPN Split-tunneling: Your opinion?
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4A3B2A8D.2020002@foofus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi all; If this is offtopic, feel free to smack me over TCP.

I was wondering what each of your opinions are RE: VPN Split-tunneling.
Do you consider a split-tunnel setup to be particularly risky to allow
from a security point of view? Compared to typical (modern) exploits
such as trojans via email, XSS, web based attacks, etc - do you think
that the risk of a client becoming misconfigured and allowing routing
into the private network via a split tunnel is particularly prevalent?


------------------------------

Message: 2
Date: Fri, 19 Jun 2009 09:31:40 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] VPN Split-tunneling: Your opinion?
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <001201c9f0e2$480c4a90$d824dfb0$@com>
Content-Type: text/plain; charset="US-ASCII"

> I was wondering what each of your opinions are RE: VPN Split-tunneling.
> Do you consider a split-tunnel setup to be particularly risky to allow
> from a security point of view? Compared to typical (modern) exploits
> such as trojans via email, XSS, web based attacks, etc - do you think
> that the risk of a client becoming misconfigured and allowing routing
> into the private network via a split tunnel is particularly prevalent?

I think, for client VPN configurations, that split tunnel versus full tunnel
setups are a dead horse. The original thinking was that you didn't want a
computer to be simultaneously connected to a trusted network and an
untrusted network. If those requirements are still part of your
architecture, then do full tunnel. But in terms of actual risk, by having
the client machine run with a host firewall that doesn't allow incoming
connections (which is pretty standard fare for all vendors), you address the
risk of someone bouncing through your clients from an untrusted network.

Are there still attacks against VPN client systems that can get by a host
firewall? Absolutely. However, full tunnel does little to nothing to
prevent them. Most malware we see today does some form of phone-home from
the client for C&C. If your full tunnel VPN configuration allows connected
clients to access the Internet, that phone-home is still going to work
(though centralized firewall & IPS will be in play). Even if your full
tunnel setup prevents C&C, malware can still get on the client while it's
disconnected and will gain access to your trusted network when the client
connects. Having live C&C is not a necessity for theftware to pilfer data
off of file shares or have a worm spread across the VPN tunnel.

PaulM
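
The client-side check the two posts revolve around, as an added example that is not part of the digest or of either poster's material: classify a Linux VPN client's routing table as full tunnel or split tunnel, and flag the misconfiguration AMuse asks about, a split-tunnel client that also has IP forwarding switched on and so can route its untrusted LAN into the private network. The routing-table lines are constructed samples in `ip -4 route show` format, the VPN interface names (tun*/tap*/wg*/ppp*) and the OpenVPN-style full tunnel built from 0.0.0.0/1 and 128.0.0.0/1 routes (redirect-gateway def1) are assumptions, and the finding strings are this example's own.

```python
"""Classify a Linux VPN client's routes as full/split tunnel and flag the
"client becomes a router" misconfiguration. Added example; assumptions:
`ip -4 route show` output format, VPN interface name prefixes below, and
OpenVPN-style full tunnels made of 0.0.0.0/1 + 128.0.0.0/1 routes."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Assumption: VPN virtual interfaces on this client start with one of these.
VPN_IFACE_PREFIXES = ("tun", "tap", "wg", "ppp")

# Constructed sample `ip -4 route show` output (not from a real host):
# only 10/8 goes through the tunnel, everything else leaves via the LAN.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""

# Constructed sample: redirect-gateway def1 keeps the LAN default route and
# shadows it with two /1 routes; the VPN server (203.0.113.10) is excluded so
# the tunnel's outer packets can still leave via the LAN.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""


class Route(NamedTuple):
    dst: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]


def parse_routes(text: str) -> List[Route]:
    """Parse `ip -4 route show` lines into (destination, device, gateway)."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, via))
    return routes


def is_vpn_iface(dev: Optional[str]) -> bool:
    return dev is not None and dev.startswith(VPN_IFACE_PREFIXES)


def classify_tunnel(routes: List[Route]) -> str:
    """'full' if prefixes routed over VPN interfaces cover all of IPv4 (so
    they beat any LAN default route by longest match), 'split' if they cover
    only part of it, 'none' if there is no VPN route at all."""
    vpn_nets = [r.dst for r in routes if is_vpn_iface(r.dev)]
    if not vpn_nets:
        return "none"
    covered = list(ipaddress.collapse_addresses(vpn_nets))
    return "full" if covered == [ipaddress.ip_network("0.0.0.0/0")] else "split"


def assess(routes_text: str, ip_forward: str) -> Dict[str, object]:
    """Combine the route classification with /proc/sys/net/ipv4/ip_forward."""
    routes = parse_routes(routes_text)
    mode = classify_tunnel(routes)
    forwarding = ip_forward.strip() == "1"
    lan_default = any(r.dst.prefixlen == 0 and not is_vpn_iface(r.dev) for r in routes)
    findings: List[str] = []
    if forwarding and mode == "split":
        findings.append("forwarding: split-tunnel host will route LAN traffic into the private network")
    elif forwarding:
        findings.append("forwarding: LAN hosts that use this client as gateway ride the tunnel")
    if mode == "full" and lan_default:
        findings.append("no-kill-switch: LAN default route survives, traffic falls back to LAN if the tunnel drops")
    return {"mode": mode, "forwarding": forwarding, "findings": findings}


if __name__ == "__main__":
    for label, text, fwd in (("split", SPLIT_TUNNEL_ROUTES, "1"), ("full", FULL_TUNNEL_ROUTES, "0")):
        print(label, assess(text, fwd))
```

On a real client, feed assess() the output of `ip -4 route show` and the contents of /proc/sys/net/ipv4/ip_forward instead of the samples. Note what the check does not cover: as Paul says, a host that can still reach the Internet through a full tunnel can still phone home, and malware picked up while disconnected arrives with the next connection; this only tells you whether the box is a split-tunnel router, and whether a full tunnel would quietly fall back to the LAN when it drops.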


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 38, Issue 9
***********************************************