![Page 1: Vulnerability, Attack, Defense Split Tunneling Cross-Site Request Forgery And You Mary Henthorn OIT Senior Technology Analyst February 8, 2007](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c735503460f94924d21/html5/thumbnails/1.jpg)
Vulnerability, Attack, Defense
Split Tunneling
Cross-Site Request Forgery
And You
Mary Henthorn
OIT Senior Technology Analyst
February 8, 2007
Thoughts for Today
- The Vulnerability: Split Tunneling
- An Attack: Cross-Site Request Forgery
- The Defense: You!
Split Tunneling Vulnerability
- What?
- When?
- Why?
Virtual Private Network
- Secure path between server and client, usually described as a tunnel
Split Tunnel
- Connection to an outside system
- Can use client as agent to deliver payload
Split Tunnels Happen
Client device connects to:
- Internet
- Network application
- Local devices
- Local network
Why Have Split Tunnels?
- Performance
- Bandwidth conservation
- Multi-tasking habits
- Access to local network
- Access to printers
- Internet Connection Sharing (ICS)
- VPN as a Band-Aid
An Attack
- VPN as a Band-Aid
- Doesn't completely isolate sessions
Cross-Site Request Forgery
- Can defeat VPN
- Facilitated by Split Tunneling
- Facilitated by XSS vulnerabilities
- Can be delivered by worms
- Can be delivered by botnets
- Fast, resilient
- Complexity depends on target application
CSRF by Any Other Name
- CSRF
- XSRF
- Injection, code injection
- Session riding
- Hostile linking
- CSRF, pronounced "sea surf"
- One-click attack
- Confused deputy attack
CSRF
- Attacker tricks client (agent) into sending the malicious request
CSRF Attack
- Study target application
- Forge the attack
- Make attack available to agent
- Let agent deliver attack
"Veni, vidi, vici." (Samy)
Code that Picks the Lock
```html
<img src="https://www.books.com/clickbuy?book=BookID&quantity=100">
```
You! Good Network Defender!
- Educate users
- Apply security patches and updates
- Use anti-virus protection
- Use firewalls
- Keep browser security high
- Develop safe applications
- Alternate access to services
Best Defense: No Split Tunneling
- Cisco
- Nortel
- Citrix
- UC Davis
- Thomas Shinder (ISA Server)
- Thomas Berger (Univ. of Salzburg)
Defense-in-Breadth
Defense-in-Depth as implemented:
- On or off
- Expect 100%
- Even 90% can be costly
Synergistic Security:
- Multiple complementary controls
- Each < 100%
- Combination increases security
Split-Tunneling, Good Practice
- Educate users
- Client security
- Firewalls
- Risk vs. Cost
- Multiple solutions
Vulnerabilities = Attacks