[lopsa-discuss] hardware VPN devices for laptops?
Trey Harris
trey at eecs.harvard.edu
Tue Dec 20 23:40:41 PST 2005
In a message dated Wed, 21 Dec 2005, William Reading writes:
> On Dec 21, 2005, at 12:43 AM, Marius Strom wrote:
>> IMHO, if the user is skilled enough to route their home LAN through the
>> software VPN, they'll do similar with the hardware box and a little
>> router on the backend. :)
>
> I can definitely agree with this one--having been a user on at least several
> large corporate networks, I haven't run across one yet that doesn't appear to
> be vulnerable to someone setting up a reverse ssh tunnel to connect from
> home.
I have. It didn't allow outbound SSH, and everything outbound was
proxied. There were SSH bastions you could ssh to and use to ssh out, but
those ssh clients were hobbled so that you could only do terminal service.
I suppose if you were really perverse you could run PPP over that. But
you can use Hamachi or an equivalent to tunnel over SSL--so the only way
to eliminate this "vulnerability" is to deny employees Internet access.
At some point, you have to trust your employees. Like I said in my prior
message, I'm much more concerned with employee stupidity than employee
maliciousness.
> Additionally (and with the above SSH trick in mind), does having the hardware
> router really help if a determined attacker has compromised the software on
> the machine?
It does "help", in that you don't have a new unsecured egress point to the
Internet to deal with. You have malware on your network, but it's
internal to your network. It has no administrative access to the hardware
VPN, so it cannot compromise your border security. So the situation is no
different from any desktop on your LAN being infected with malware.
Whatever policies you put in place to deal with that should also apply to
the laptops.
It goes without saying that in addition to the two inviolate rules I
mentioned before, "do not let anyone else use your laptop" and "do not let
the laptop out of your sight without locking it up" are required too.
Password-protecting login, screen savers, and wake-from-sleep should go
without saying.
Like all security policy, this all has to be taken from a risk-mitigation
standpoint. You're not going to protect yourself 100%. So consider the
likely attacks and protect yourself accordingly.
Trey