Vulnerability, Attack, Defense

Split Tunneling

Cross-Site Request Forgery

And You

Mary Henthorn

OIT Senior Technology Analyst

February 8, 2007

Thoughts for Today

The Vulnerability Split Tunneling

An Attack Cross-Site Request Forgery

The Defense You!

Split Tunneling Vulnerability

What?

When?

Why

Virtual Private Network

Secure path between server and client usually described as a tunnel

Split Tunnel

Connection to an outside system Can use client as agent to deliver

payload

Split Tunnels Happen

Client device connects to: Internet Network application Local devices Local network

Why Have Split Tunnels?

Performance Bandwidth conservation Multi-tasking habits Access to local network Access to printers Internet Connection Sharing (ICS) VPN as a Band-Aid

An Attack

VPN as a Band-Aid Doesn’t completely isolate sessions

Cross-Site Request Forgery

Can defeat VPN Facilitated by Split Tunneling Facilitated by XSS vulnerabilities Can be delivered by worms Can be delivered by botnets

Fast - Resilient Complexity depends on target application

CSRF by Any Other Name

CSRF XSRF Injection, code injection Session riding Hostile linking CSRF – pronounced “sea surf” One click attack Confused deputy attack

CSRF

Attacker tricks client (agent) into sending the malicious request

CSRF Attack

Study target application Forge the attack Make attack available to agent Let agent deliver attack “Veni, vidi, vici.”, Samy

Code that Picks the Lock

<img src="https://www.books.com/clickbuy?book=BookID&quantity=100">

You! Good Network Defender!

Educate users Apply security patches and updates Use anti-virus protection Use firewalls Keep browser security high Develop safe applications Alternate access to services

Best Defense No Split Tunneling

Cisco Nortel Citrix UC Davis Thomas Shinder – ISA Server Thomas Berger – Univ. of Salzburg

Defense-in-Breadth

Defense-in-Depth as implemented On or off Expect 100% Even 90% can be costly

Synergistic Security Multiple complimentary controls Each < 100% Combination increases security

Split-Tunneling, Good Practice

Educate users Client security Firewalls Risk vs. Cost Multiple solutions

Vulnerabilities = Attacks