[kwlug-disc] OpenVPN (Was: Re: firewall question)
Cedric Puddy
cedric at thinkers.org
Thu Feb 19 00:25:46 EST 2009
Sure, unless you happen to subscribe to the view that most VM
implementations are terribly insecure... (Why is it that any attempt
to reach for certainty while in the presence of the concepts
"computing" and "security" suddenly turns into an Alice in Wonderland
adventure?)
I have heard it claimed that those in the know can trivially use the
guest-to-host OS interfaces in VMWare to gain unrestricted access to
the host system's memory, and can thereby read and write memory from
anything running on that physical box -- I haven't seen it proven, but
would love to see that with my own eyes to be sure.
I'm currently writing it off as more tin-foil-hat stuff at the moment,
but keep meaning to do some real research, and you know, get one of
those "informed opinion" things I've heard so much about.
Last year when I was at a conference, I ran across a couple of folks who
were like "Oh, yeah, knocking over VMs is so easy it's like kiddie
stuff these days <insert jaded hacker i'm so lee7 look here>", but I
didn't actually get around to pinning anyone to the wall about it (so
many things going on, so little time).
On the face of it, it stands to good reason that there could be real
issues -- low level computing can have some pretty delicate bugs
(witness the rarely sung deep genius that goes into a good compiler),
and the benefit of finding an exploitable bug in one of those
interfaces could be very high. Finding issues at that level isn't for
the stupid or lazy, but counting on that never works when you're
talking about a product that's got good commercial mass.
In any event, the "issue" here (or, if you prefer, "tin foil hat
scenario") is that the attacker could theoretically say "HooHa! He's
running in VMware -- let's just subvert the VM, and laugh all the way
to the botnet! (and if he resets, then I'll just nail him again! Or
install a hook in the Host OS kernel to insert my stuff in the guest
when it boots, or ... etc, etc.)"
-Cedric
On 18-Feb-09, at 11:24 PM, Bob Jonkman wrote:
> So would it be better to run a VM as an endpoint to the VPN? Every
> time the connection is established the VM is restarted from the same
> image, locked down by the Corporate IT overlords. If the VPN can only
> connect to the VM virtual address, then is the corporate network safe
> from insecure remote hosts?
>
> --Bob.
>
> On 17 Feb 2009 at 23:49 unsolicited <kwlug-disc at kwlug.org> wrote
> about "Re: [kwlug-disc] OpenVPN (Was: Re: [...]"
>
> [...]
>
>> I say VPN = BAD for a couple of reasons:
>> (1) You are trusting clients to be good net citizens. Once connected,
>> they are an extension of your network. Typically internal networks
>> aren't as tightly controlled as, say, your internal/external
>> connections. Anyone who touches the keyboard is a risk. You have no
>> control over whom that will be. At least for internal computers, they
>> had to get past reception.
>
>> (2) Typically, the remote access required is a far smaller subset than
>> the entire network. And it's much easier to secure those fewer
>> connections. e.g. Remote e-mail can be done via ssl ports. Frequently
>> that's all they really need. Some VNC's don't allow file transfer, and
>> may be sufficient, assuming a sufficiently small number of clients.
>> Terminal services offer very close to VPN functionality, and have the
>> client operating on your own secured session, not on their own
>> unsecured computer.
>>
>> But, whatever the client wants. And is easy to explain ... click this
>> icon ... voila.
>
>
| CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
| 118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-489-0478
\________________________________________________________
Cedric Puddy, IS Director cedric at thinkers.org
PGP Key Available at: http://www.thinkers.org/cedric