split tunneling
-
Vulnerability, Attack, Defense
Split Tunneling
Cross-Site Request Forgery
And You
Mary Henthorn
OIT Senior Technology Analyst
February 8, 2007
-
Thoughts for Today
The Vulnerability
  Split Tunneling
An Attack
  Cross-Site Request Forgery
The Defense
  You!
-
Split Tunneling Vulnerability
What?
When?
Why?
-
Virtual Private Network
Secure path between server and client, usually described as a tunnel
-
Split Tunnel
Connection to an outside system
Can use client as agent to deliver payload
-
Split Tunnels Happen
Client device connects to:
  Internet
  Network application
  Local devices
  Local network
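The following added example, not part of the original slides, applies longest-prefix matching to a client routing table to show which of the destinations listed above leave the client outside the VPN tunnel. The routing tables, the interface names (tun0 for the VPN, eth0 for the physical NIC) and the probe addresses are constructed assumptions.

```python
import ipaddress

# Constructed routing tables in Linux `ip route show` format (assumed names/addresses).
SPLIT = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
# "Full tunnel" style: two /1 routes override the default; the host route
# keeps the VPN server itself (203.0.113.10, constructed) reachable.
FULL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""
# One constructed probe address per destination class from the slide.
PROBES = {"internet": "198.51.100.7", "corporate": "10.20.30.40",
          "local LAN": "192.168.1.20"}

def parse_routes(text):
    """Return [(network, device)] for every route line that names a device."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue  # blackhole/unreachable routes carry no egress device
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        routes.append((ipaddress.ip_network(dest), tok[tok.index("dev") + 1]))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match: the device that would carry traffic to addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None

def tunnel_bypasses(route_text, vpn_dev, probes):
    """Return {label: device} for each probe that does not leave via vpn_dev."""
    routes = parse_routes(route_text)
    found = {label: egress_dev(routes, addr) for label, addr in probes.items()}
    return {label: dev for label, dev in found.items() if dev != vpn_dev}

if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("full", FULL)):
        print(name, tunnel_bypasses(table, "tun0", PROBES))
```

In the constructed "full" table the Internet probe goes through the tunnel, but the local LAN is still reached directly over eth0, so local devices and the local network remain a path around the VPN unless they are blocked separately.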
-
Why Have Split Tunnels?
Performance
Bandwidth conservation
Multi-tasking habits
Access to local network
Access to printers
Internet Connection Sharing (ICS)
VPN as a Band-Aid
-
An Attack
VPN as a Band-Aid
Doesn't completely isolate sessions
-
Cross-Site Request Forgery
Can defeat VPN
Facilitated by Split Tunneling
Facilitated by XSS vulnerabilities
Can be delivered by worms
Can be delivered by botnets
Fast - Resilient
Complexity depends on target application
-
CSRF by Any Other Name
CSRF
XSRF
Injection, code injection
Session riding
Hostile linking
CSRF, pronounced "sea surf"
One click attack
Confused deputy attack
-
CSRF
Attacker tricks client (agent) into sending the malicious request
-
CSRF Attack
Study target application
Forge the attack
Make attack available to agent
Let agent deliver attack
Veni, vidi, vici., Samy
-
Code that Picks the Lock
-
You! Good Network Defender!
Educate users
Apply security patches and updates
Use anti-virus protection
Use firewalls
Keep browser security high
Develop safe applications
Alternate access to services
-
Best Defense: No Split Tunneling
Cisco
Nortel
Citrix
UC Davis
Thomas Shinder, ISA Server
Thomas Berger, Univ. of Salzburg
-
Defense-in-Breadth
Defense-in-Depth as implemented
  On or off
  Expect 100%. Even 90% can be costly
Synergistic Security
  Multiple complementary controls
  Each < 100%
  Combination increases security
-
Split-Tunneling, Good Practice
Educate users
Client security
Firewalls
Risk vs. Cost
Multiple solutions
-
Vulnerabilities = Attacks