tbird at precision-guesswork.com
Mon Nov 19 18:06:48 EST 2001
I also appreciated Sandy's summary of the server-side
issues with VPNs, but I'm somewhat bemused that no one's
mentioned the remote-side issues. That is, no matter
how solid the security implementation of the VPN server
is, no matter how well the administrator secures the
device itself, almost all VPN installations are vulnerable
to attacks against the internal network from remote
machines that are already authenticated and authorized.
Piggy-back attacks, and all that.
We've had a couple rounds of discussion on this list
discussing ways to protect your internal network from
compromised remote systems, including
1) Stringent access control on the server that limits
the protocols and hosts to which remote systems can
2) Aggressive time-outs
3) PC or remote-system firewalls that prevent other
network connections from being active when the remote
host is connected to the gateway.
To some extent, it's not terribly interesting to me that
VPN server implementations are broken. Hell, server
implementations are broken for every kind of technology
I've ever used. What I'm most interested in are the ways
in which VPNs introduce >new< risks, and how I can
A rare posting from your friendly moderator -- tbird
On Mon, 19 Nov 2001, Stephen Chowning wrote:
> Date: Mon, 19 Nov 2001 16:00:51 -0800
> From: Stephen Chowning <schowning at home.com>
> To: 'VPN mailing list' <VPN at securityfocus.com>
> Subject: Re: [vpn] Clarity
> Sandy Harris wrote:
> > Stephen Chowning wrote:
> > > A recent thread on this list had two people agreeing that all current
> > > implementations of vpn can be compromised. Since I didn't read any
> > > dissenting opinions, I assume that no-one disagrees. I hate to assume,
> > > so I am looking for people with opinions to chip in.
> > It is not particularly interesting or useful to speak of whether some
> > system "can be compromised" without specifying some sort of threat
> > model.
> A very thorough analysis, thanks Sandy. Very helpful. I understand all of
> the brute force and circumvent methods of attack, i.e. physical security,
> and high tech "Sneakers" type attacks, and either accept the risk, or can
> take steps to secure the data. The threat model that I am focusing on is
> hardware/software vulnerabilities of the VPN hardware/software itself from
> the average black hat who might be trying to access my system just to see
> what is there, or a slightly more focused attacker, after my clients'
> personal and valuable info. Reasonable due diligence protection, IOW.
> Loki states: "Albeit that every VPN I've pen-tested, I was either able to
> compromise with a root shell due to improper configurations, or able to
> completely circumvent due to flaws in bridging code within the VPN."
> Forgive my ignorance, but by "improper configurations" does he mean that
> the device was set up incorrectly, thus implying that correct config would
> eliminate this flaw? If so, this would mean that the person configing the
> device was flawed, not the technology itself.
> The second item, flaws in bridging code is greek to me. Perhaps someone
> would be kind enough to elaborate in a way that a newbie would understand.
> Loki admits that his testing does not extend to software based VPN's. Is
> there any consensus as to their vulnerabilities? Better than hardware?
> > If the opponent has huge resources and no restrictions so he can do
> > more-or-less anything, then he can likely break most anything. For
> > one thing, there's "rubber hose cryptography"; torture the sysadmin
> > until you get the key. Or bribery, blackmail, ... Or hi-tech spy-tech
> > using anything from a hidden video camera that records your screen
> > and keystrokes to gadgets that do the same at a distance by decoding
> > radiation from your computer.
> > Also, even assuming the VPN software is perfect, it depends on many
> > other things for its security.
> > If the underlying operating system is insecure, then once an EvilDoer
> > has root on that, he'll likely have no trouble breaking the VPN. To
> > have any hope of a secure VPN, you need secure hosts.
> > Be extremely reluctant to run anything but VPN software on your VPN
> > gateway. Consider putting the firewall on a separate machine, in
> > front of the VPN gate. Don't even think about putting mail or web
> > servers, or user accounts, or disks shared by NFS or SMB, or ...
> > on your VPN gate, or on the firewall. If you do install those,
> > then a hole in them gives the enemy root on your gateway and
> > compromises your VPN.
> > There are also lots of policy and procedure questions. Can I get
> > physical access to your VPN machine? If so, can I reboot it off a
> > floppy I've brought and read your disks? That will break your VPN.
> > Can an employee tap your internal network and pull the VPN machine's
> > root password out of some dumb admin's unencrypted link to it? Can
> > I get the whole disk contents by stealing a backup tape? Did you
> > change the password after you fired whats-his-name?
> > If your VPN uses IPsec and your threat model allows the assumptions
> > that:
> > your gateways are adequately physically secure
> > all admin staff with privileged access are trustworthy
> > your OS is secure against remote exploits
> > (some combination of OS choice, your careful setup, and
> > continuous monitoring of both logs and vulnerability
> > reports, possibly a firewall in front of the gateway)
> > you administer the gateways competently
> > you take sensible precautions against attacks from within
> > your organisation
> > (SSH for all remote logins, switched ethernets to
> > make eavesdropping harder, possibly internal firewalls)
> > Then the IPsec protocols look completely secure to me. Of course,
> > that doesn't mean a flawed implementation will be secure.
> > VPN is sponsored by SecurityFocus.com
> --If you try to fail, and then succeed, what've you really done?--
"I was being patient, but it took too long." -
Anya, "Buffy the Vampire Slayer"
Log Analysis: http://www.counterpane.com/log-analysis.html
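The two gateway-side controls tbird lists above (limiting which internal hosts and protocols an authenticated remote client may reach, and aggressive idle time-outs) can be audited from the gateway's own flow records. The following is an added example, not code from the list or its posters; the client subnet, the allowed (host, protocol, port) set, the 10-minute idle limit and the log lines are all constructed for illustration.

```python
# Added example: audit VPN gateway flow records against a remote-access policy.
# Flags (a) flows from authenticated VPN clients to hosts/protocols outside the
# allowed set, and (b) clients whose idle gap exceeds an aggressive time-out.
from ipaddress import ip_address, ip_network
from datetime import datetime

# Hypothetical policy: remote clients land in 10.8.0.0/24 and may only reach
# the mail relay on TCP/25 and the intranet web server on TCP/443.
VPN_CLIENTS = ip_network("10.8.0.0/24")
ALLOWED = {("192.168.1.10", "tcp", 25), ("192.168.1.20", "tcp", 443)}
IDLE_LIMIT_SEC = 600  # aggressive time-out: sessions idle longer than 10 min

# Constructed gateway flow log: timestamp src dst proto dport
SAMPLE_LOG = """\
2001-11-19T18:00:00 10.8.0.5 192.168.1.10 tcp 25
2001-11-19T18:00:05 10.8.0.5 192.168.1.20 tcp 443
2001-11-19T18:01:00 10.8.0.7 192.168.1.30 tcp 445
2001-11-19T18:02:00 10.8.0.7 192.168.1.20 udp 443
2001-11-19T18:20:00 10.8.0.5 192.168.1.20 tcp 443
"""

def parse_flows(text):
    """Parse log lines into (time, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, port = line.split()
        flows.append((datetime.fromisoformat(ts), ip_address(src), dst, proto, int(port)))
    return flows

def policy_violations(flows):
    """Flows from VPN clients whose (dst, proto, dport) is not in ALLOWED."""
    return [f for f in flows
            if f[1] in VPN_CLIENTS and (f[2], f[3], f[4]) not in ALLOWED]

def idle_timeouts(flows, limit=IDLE_LIMIT_SEC):
    """(client, idle_seconds) for each gap between a client's flows > limit."""
    last_seen, expired = {}, []
    for ts, src, *_ in sorted(flows):
        if src in last_seen:
            gap = (ts - last_seen[src]).total_seconds()
            if gap > limit:
                expired.append((str(src), gap))
        last_seen[src] = ts
    return expired

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for f in policy_violations(flows):
        print("policy violation:", f)
    for client, gap in idle_timeouts(flows):
        print(f"idle time-out exceeded: {client} idle {gap:.0f}s")
```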