



Network Security Security-Basics

Re: How safe is a VPN connexion from within an internal network?

Subject: Re: How safe is a VPN connexion from within an internal network?
Date: Thu, 23 Nov 2006 08:49:53 +0100
Hi Jeffrey (and other readers)

Thank you for your response, please see my comments below.


Jeffrey F. Bloss wrote:
> David Jacoby wrote:
>
>> There are a few solutions for this. I've seen some VPN clients that
>> disconnect the client machine from the Internet once the VPN
>> connection is established. This will prevent the attacker from keeping
>> his connection, because the client machine only allows connections to
>> be sent to the remote network via the VPN client; no other connections
>> are allowed.
>
> Just out of idle curiosity, how would one "disconnect the client from
> the Internet" when it's typically the Internet that's being used to
> establish the VPN tunnel? :)

Well, sorry if my English was not 100% clear to everyone. The "method"
which is used to restrict access to the Internet is that when the VPN
connection is established you may only access the machines which are
located within the VPN.

> I suppose a piece of software could go to great lengths trying to
> prevent any and all connections that weren't VPN, but this would be a
> daunting task even if we weren't adding to the mix a condition like
> being compromised. Even without that I just don't see this alleged
> disconnection as being all that comforting, and a cracker mucking
> around in your machine for a few minutes might turn it into one of
> those (false sense of) security nightmares.

Well, I do understand what you are trying to say, but I'm not saying
that it's the ideal solution. I'm trying to explain that it will be more
difficult for attackers who are, for example, accessing the compromised
machine via a backchannel, listening backdoor or something similar,
because when the VPN connection is established no other outbound
connections (which are not used for keeping the VPN connection online)
are allowed.

By doing this you will also force the user to do what he is supposed
to do over the VPN connection and then disconnect. My personal thought
on VPN is that you should not have an idle VPN connection established;
if the machine gets compromised I do not want other people to use my
VPN session.

It doesn't matter if I authenticate with my fingerprint or iris,
because when the connection is established anyone with access to my
box can use my session.


I hope that you understand what I'm trying to say. If you have any
further questions, do not hesitate to contact me again.


Best regards,
David Jacoby







-- 

David Jacoby
Vice President Customer Experience
http://www.outpost24.com

phone: +46-(0)455-612311
fax  : +46-(0)455-13960
email: dj@outpost24.com
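
Added illustration, not part of the original post or thread: a short Python audit of the tunnel-only policy described in the message above. It flags every connection that is neither inside the VPN nor the flow carrying the VPN itself. The interface names, addresses, ports and the connection table are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Conn(NamedTuple):
    iface: str        # interface the flow leaves or enters through
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int

# Assumed (hypothetical) policy values; replace with the real deployment's.
POLICY = {
    "tunnel_if": "tun0",
    "vpn_net": ipaddress.ip_network("10.8.0.0/16"),
    "gateway": ("198.51.100.10", "udp", 1194),  # endpoint carrying the VPN
}

def verdict(c: Conn, policy=POLICY) -> str:
    """Return 'ok' or the reason the flow breaks the tunnel-only policy."""
    remote = ipaddress.ip_address(c.remote_ip)
    if c.iface == "lo" and remote.is_loopback:
        return "ok"
    if c.iface == policy["tunnel_if"]:
        # Inside the tunnel only peers on the VPN network are permitted.
        if remote in policy["vpn_net"]:
            return "ok"
        return "tunnel traffic to non-VPN address"
    # Outside the tunnel only the flow that keeps the VPN up is permitted.
    if (c.remote_ip, c.proto, c.remote_port) == policy["gateway"]:
        return "ok"
    return "non-VPN connection outside the tunnel"

def audit(conns, policy=POLICY):
    """List (connection, reason) for every flow the policy should block."""
    return [(c, r) for c in conns if (r := verdict(c, policy)) != "ok"]

# Constructed sample connection table (not captured from a real host).
SAMPLE = [
    Conn("eth0", "udp", 51820, "198.51.100.10", 1194),  # VPN transport
    Conn("tun0", "tcp", 40112, "10.8.3.20", 445),       # traffic over the VPN
    Conn("eth0", "tcp", 49733, "203.0.113.77", 443),    # outbound back channel
    Conn("eth0", "tcp", 8081, "203.0.113.90", 52001),   # peer on a listening port
    Conn("lo", "tcp", 5432, "127.0.0.1", 40001),
]

if __name__ == "__main__":
    for conn, reason in audit(SAMPLE):
        print(f"{conn.iface} {conn.proto} {conn.remote_ip}:{conn.remote_port} {reason}")
```
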
