Vista Business, VPN, and Split Tunnels

Posted: 08-09-2007, 03:30 AM
Hi all,
in [Control Panel>Network Connections] in my VPN Connection's
[Properties->Networking->IPv4 Properties->Advanced->IP Settings], I
disabled the "Use Default Gateway on Remote Network". When starting
the VPN connection, I can now browse the Internet over my 8MB Comcast
Cable, and access the company [192.168.48.* MASK 255.255.255.0] subnet
through my VPN. Fine.

Because I also need a couple of other servers and applications in some
Intranet places, I grab my VPN IP address from 'ipconfig', and then
manually want to add some routes.

First problem: 'route delete 192.168.48.*' fails, so I use 'route
delete 192.168.48.0'. Great. Now:

route add 192.168.48.0 mask 255.255.255.0 <VPNIPAddress>
route add 192.168.47.0 mask 255.255.255.0 <VPNIPAddress>
route add 172.16.0.0 mask 255.255.0.0 <VPNIPAddress>
route add 192.168.9.0 mask 255.255.255.0 <VPNIPAddress>
route add 192.168.80.0 mask 255.255.255.0 <VPNIPAddress>

OK, I hope I got everything now... My more important question: did I
compromise the security of the company Intranet by using a VPN split
tunnel - can someone from outside now access the Intranet (without ICS
enabled!)?

Cheers,
Thorsten


Responses to "Vista Business, VPN, and Split Tunnels"

Jesper
RE: Vista Business, VPN, and Split Tunnels
Posted: 08-09-2007, 04:14 PM
Yes, any time you use a split tunnel you compromise the security of the
company. You just turned that computer into a router between the Internet and
the internal network at the company. It is a rather big security risk.

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"thinkstorm" wrote:
> Hi all,
> in [Control Panel>Network Connections] in my VPN Connection's
> [Properties->Networking->IPv4 Properties->Advanced->IP Settings], I
> disabled the "Use Default Gateway on Remote Network". When starting
> the VPN connection, I can now browse the Internet over my 8MB Comcast
> Cable, and access the company [192.168.48.* MASK 255.255.255.0] subnet
> through my VPN. Fine.
>
> Because I also need a couple of other servers and applications in some
> Intranet places, I grab my VPN IP address from 'ipconfig', and then
> manually want to add some routes.
>
> First problem: 'route delete 192.168.48.*' fails, so I use 'route
> delete 192.168.48.0'. Great. Now:
>
> route add 192.168.48.0 mask 255.255.255.0 <VPNIPAddress>
> route add 192.168.47.0 mask 255.255.255.0 <VPNIPAddress>
> route add 172.16.0.0 mask 255.255.0.0 <VPNIPAddress>
> route add 192.168.9.0 mask 255.255.255.0 <VPNIPAddress>
> route add 192.168.80.0 mask 255.255.255.0 <VPNIPAddress>
>
> OK, I hope I got everything now... My more important question: did I
> compromise the security of the company Intranet by using a VPN split
> tunnel - can someone from outside now access the Intranet (without ICS
> enabled!)?
>
> Cheers,
> Thorsten
>
>
thinkstorm
Re: Vista Business, VPN, and Split Tunnels
Posted: 08-09-2007, 04:40 PM
On Aug 9, 11:14 am, Jesper <Jes...@discussions.microsoft.com> wrote:
> Yes, any time you use a split tunnel you compromise the security of the
> company. You just turned that computer into a router between the Internet and
> the internal network at the company. It is a rather big security risk.
>
I don't know if I agree on the "router" term - is it actually possible
to "route" IP packets from external sources, through my firewall,
through NAT, to an IP address within the VPN? How's the routing
between interfaces affected, if I don't allow ICS?

Thorsten

Jesper
Re: Vista Business, VPN, and Split Tunnels
Posted: 08-09-2007, 04:56 PM
Yes, it is possible. If you receive packets with an internal source address
on the external interface it will send the response to the internal address.
There are obviously some restrictions with this, but it is perfectly
sufficient to propagate some attacks to the inside, for instance.


"thinkstorm" wrote:
> On Aug 9, 11:14 am, Jesper <Jes...@discussions.microsoft.com> wrote:
> > Yes, any time you use a split tunnel you compromise the security of the
> > company. You just turned that computer into a router between the Internet and
> > the internal network at the company. It is a rather big security risk.
> >
>
> I don't know if I agree on the "router" term - is it actually possible
> to "route" IP packets from external sources, through my firewall,
> through NAT, to an IP address within the VPN? How's the routing
> between interfaces affected, if I don't allow ICS?
>
> Thorsten
>
>
thinkstorm
Re: Vista Business, VPN, and Split Tunnels
Posted: 08-09-2007, 07:20 PM
On Aug 9, 11:56 am, Jesper <Jes...@discussions.microsoft.com> wrote:
> Yes, it is possible. If you receive packets with an internal source address
> on the external interface it will send the response to the internal address.
> There are obviously some restrictions with this, but it is perfectly
> sufficient to propagate some attacks to the inside, for instance.
Neat idea. Yes, I see how that could work... So the question is:
is my firewall better than the company's firewall (because I can
access the Internet through the VPN connection, only that I then would
exit through the T1 that is shared with my 50 co-workers...)

Thanks Jesper, I will look for someone to do a little audit about that
issue...

Cheers,
Thorsten


Steve Riley [MSFT]
Re: Vista Business, VPN, and Split Tunnels
Posted: 08-15-2007, 01:37 PM
(...didn't see this other thread about the same issue, but I'll reply here
as well...)

Prior versions of Windows implemented the "weak end-system" (as opposed to
the "weekend system," haha) model in the IP stack. Windows Vista implements
the "strong end-system" model, which makes the kind of attack Jesper
describes less likely. Here's a description of the differences, quoted from
http://www.microsoft.com/technet/com...uy/cg0905.mspx
(there, the Cable Guy uses the term "host model" rather than "end-system
model):

When a unicast packet arrives at a host, IP must determine whether the
packet is locally destined (its destination matches an address that is
assigned to an interface of the host). IP implementations that follow a weak
host model accept any locally destined packet, regardless of the interface
on which the packet was received. IP implementations that follow the strong
host model only accept locally destined packets if the destination address
in the packet matches an address assigned to the interface on which the
packet was received. The current IPv4 implementation in Windows XP and
Windows Server 2003 uses the weak host model. The Next Generation TCP/IP
stack supports the strong host model for both IPv4 and IPv6 and is
configured to use it by default. You can configure the Next Generation
TCP/IP stack to use a weak host model. The weak host model provides better
network connectivity. However, it also makes hosts susceptible to
multihome-based network attacks.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley


"thinkstorm" <thorsten.claus@gmail.com> wrote in message
news:1186683655.796898.222350@b79g2000hse.googlegroups.com...
> On Aug 9, 11:56 am, Jesper <Jes...@discussions.microsoft.com> wrote:
>> Yes, it is possible. If you receive packets with an internal source
>> address
>> on the external interface it will send the response to the internal
>> address.
>> There are obviously some restrictions with this, but it is perfectly
>> sufficient to propagate some attacks to the inside, for instance.
>
> Neat idea. Yes, I see how that could work... So the question is:
> is my firewall better than the company's firewall (because I can
> access the Internet through the VPN connection, only that I then would
> exit through the T1 that is shared with my 50 co-workers...)
>
> Thanks Jesper, I will look for someone to do a little audit about that
> issue...
>
> Cheers,
> Thorsten
>
>
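The scenario the last three posts argue about, as an added example that is not code from the thread, from Microsoft, or from the Cable Guy column. It rebuilds the PC's routing table from the 'route add' lines in the first post, then pushes one packet forged with an intranet source address through both host models: the receive rule is the one in the paragraph Steve quotes, and the send rule is the RFC 1122 "strong ES" rule (a datagram may only leave through the interface that owns its source address), which the quoted paragraph does not cover. The two interface addresses (203.0.113.10 on the cable side, 192.168.48.77 on the VPN side), the on-link 203.0.113.0/24 route, and the assumption that the home router has already delivered the forged packet to the PC unchanged are all made up for the example.

```python
"""Added example, not code from the thread or from Microsoft.

Models the split-tunnel host from the thread and answers two questions:
(1) Jesper's: where does the reply to a packet that arrives on the cable
link with an intranet source address go?  (2) Steve Riley's: what changes
under the strong host model?  Routing table rebuilt from the 'route add'
commands in the first post; interface addresses are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    arrived_on: str


# Interface addresses: assumed values, not from the thread.
INTERFACES = {
    "Comcast": IPv4Address("203.0.113.10"),  # public side of the cable NIC (TEST-NET-3)
    "VPN": IPv4Address("192.168.48.77"),     # address handed out by the VPN server
}

# Routing table rebuilt from the posted 'route add' lines, plus the default route,
# which stays on the cable link once "Use default gateway on remote network" is off.
ROUTES = [
    Route(ip_network("0.0.0.0/0"), "Comcast"),
    Route(ip_network("203.0.113.0/24"), "Comcast"),  # assumed on-link prefix
    Route(ip_network("192.168.48.0/24"), "VPN"),
    Route(ip_network("192.168.47.0/24"), "VPN"),
    Route(ip_network("172.16.0.0/16"), "VPN"),
    Route(ip_network("192.168.9.0/24"), "VPN"),
    Route(ip_network("192.168.80.0/24"), "VPN"),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match, as the IP stack does it; returns the egress interface."""
    addr = ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None


def is_split_tunnel(routes=ROUTES, vpn="VPN"):
    """True when intranet prefixes go via the VPN but the default route does not."""
    default = next((r.interface for r in routes if r.prefix.prefixlen == 0), None)
    return default != vpn and any(r.interface == vpn for r in routes)


def accepts(pkt, model):
    """Receive side, per the quoted Cable Guy text: weak = any local address,
    strong = only the address of the interface the packet arrived on."""
    dst = ip_address(pkt.dst)
    if model == "weak":
        return dst in INTERFACES.values()
    if model == "strong":
        return INTERFACES.get(pkt.arrived_on) == dst
    raise ValueError(f"unknown host model: {model}")


def simulate(pkt, model):
    """Returns (accepted, reply_egress): whether the packet is treated as locally
    destined, and the interface the reply leaves on (None if discarded)."""
    if not accepts(pkt, model):
        return (False, None)
    reply_src, reply_dst = pkt.dst, pkt.src  # the answer goes back to the forged source
    if model == "strong":
        # RFC 1122 strong ES send rule (assumed here, not in the quoted paragraph):
        # a datagram sourced from an interface's address may only leave through
        # that interface, so the route lookup is restricted to its routes.
        owner = next(n for n, a in INTERFACES.items() if a == ip_address(reply_src))
        egress = lookup(reply_dst, [r for r in ROUTES if r.interface == owner])
    else:
        egress = lookup(reply_dst)
    return (True, egress)


# Constructed attacker packets: an Internet host forges an intranet source address.
SPOOF_TO_PUBLIC = Packet(src="192.168.47.25", dst="203.0.113.10", arrived_on="Comcast")
SPOOF_TO_VPN_ADDR = Packet(src="192.168.47.25", dst="192.168.48.77", arrived_on="Comcast")

if __name__ == "__main__":
    print("split tunnel:", is_split_tunnel())
    for model in ("weak", "strong"):
        for pkt in (SPOOF_TO_PUBLIC, SPOOF_TO_VPN_ADDR):
            print(model, pkt.dst, "->", simulate(pkt, model))
```

Under the weak model the reply to a packet forged with an intranet source is routed straight into the VPN, which is the relay Jesper describes. Under the strong model the same packet is still accepted (it hit the cable interface's own address) but the reply leaves via the cable link with an RFC 1918 destination, where the first upstream router discards it, and a packet aimed at the VPN address itself is dropped on receipt. Jesper's "some restrictions" still apply in both cases: the forged packet has to get through the home router first, and only a reply the attacker can actually use on the inside (a SYN/ACK, an ICMP error) is worth anything to them.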