C
Charlie42
Hi
Simple question: Can a client infected with a trojan pass it on to a server
via a VPN connection?
Charlie
Simple question: Can a client infected with a trojan pass it on to a server
via a VPN connection?
Charlie
M
Mads Petersen
Charlie42 said:
Yes.
C
Charlie42
Mads Petersen said:
Ok, simple questions calls for simple answers, I guess.
Would you careto elaborate?
The server in question has Symantec Endpoint Security and is fully patched,
hence the network admin says it can not happen. But I am not convinced.
Charlie
T
Tom Willett
www.google.com
: "Mads Petersen" wrote:
:
: > > Simple question: Can a client infected with a trojan pass it on to a
: > > server
: > > via a VPN connection?
: >
: > Yes.
:
: Ok, simple questions calls for simple answers, I guess. Would you
care
: to elaborate?
:
: The server in question has Symantec Endpoint Security and is fully
patched,
: hence the network admin says it can not happen. But I am not convinced.
:
: Charlie
:
:
: "Mads Petersen" wrote:
:
: > > Simple question: Can a client infected with a trojan pass it on to a
: > > server
: > > via a VPN connection?
: >
: > Yes.
:
: Ok, simple questions calls for simple answers, I guess.
Would youcare
: to elaborate?
:
: The server in question has Symantec Endpoint Security and is fully
patched,
: hence the network admin says it can not happen. But I am not convinced.
:
: Charlie
:
:
L
Leonard Grey
Yes, of course. By itself a VPN offers zero protection against malware.
1
1PW
Charlie42 said:Ok, simple questions calls for simple answers, I guess.
to elaborate?
The server in question has Symantec Endpoint Security and is fully patched,
hence the network admin says it can not happen. But I am not convinced.
Charlie
If malware can successfully avoid SEP's heuristics and IDS, and if
matching malware fingerprint(s) haven't made it to the local database
on a timely basis, then the odds are improved /for/ infestation. VPN
(or not), the malware /could/ then be faithfully passed - intact.
If you quoted your network admin verbatim, your admin could have more
carefully couched his remark. No protection system is perfect. A
recent review of Symantec's Endpoint Protection let a /bit/ of malware
get passed. However, overall, SEP is a good product.
<http://www.virusbtn.com/vb100/archive/2009/08>
What are the odds of your SEP protected system being infected from
your servers? Probably fairly low indeed.
D
David H. Lipman
From: "Charlie42" <[email protected]>
| Ok, simple questions calls for simple answers, I guess. Would you care
| to elaborate?
| The server in question has Symantec Endpoint Security and is fully patched,
| hence the network admin says it can not happen. But I am not convinced.
| Charlie
a VPN connection means there is a virtual network tunnel that exists between you and the
network you connect to. While a trojan is not a virus which can self replicate, a trojan
still can be passed from the VPN client to the hosting networking. A VPN is a doorway and
once oped you or anything can step through that doorway. How that happens is another
matter.
| Ok, simple questions calls for simple answers, I guess.
Would you care| to elaborate?
| The server in question has Symantec Endpoint Security and is fully patched,
| hence the network admin says it can not happen. But I am not convinced.
| Charlie
a VPN connection means there is a virtual network tunnel that exists between you and the
network you connect to. While a trojan is not a virus which can self replicate, a trojan
still can be passed from the VPN client to the hosting networking. A VPN is a doorway and
once oped you or anything can step through that doorway. How that happens is another
matter.
S
Shenan Stanley
Charlie42 said:
It looks like you fat-fingered the question and added more later. However -
if there is a network connection/path between two machines - there is a
possibility of passing various types of infections between them.
The VPN connection may be a nice and safe tunnel for your data to run
through against outside intrusion - but you are inside the tunnel -
transferring whatever you want.
Now - the server may have some protection - but if anyone ever says that
anything is unbreakable/cannot be infested/infected - they are wrong or just
overstating the low percentage chance.
C
Charlie42
David H. Lipman said:
Thanks, David and Shenan.
The malware in question was a variant on the rogue Winweb Security program.
I have reinstalled Windows on the client now (a bit over the top, perhaps),
and made sure it is fully updated and protected. As for the server, well, I
figure that is the admin's problem. He's been notified.
Charlie
D
David H. Lipman
From: "Charlie42" <[email protected]>
| Thanks, David and Shenan.
| The malware in question was a variant on the rogue Winweb Security program.
| I have reinstalled Windows on the client now (a bit over the top, perhaps),
| and made sure it is fully updated and protected. As for the server, well, I
| figure that is the admin's problem. He's been notified.
| Charlie
Right. Make sure the VPN client is fully protected.
| Thanks, David and Shenan.
| The malware in question was a variant on the rogue Winweb Security program.
| I have reinstalled Windows on the client now (a bit over the top, perhaps),
| and made sure it is fully updated and protected. As for the server, well, I
| figure that is the admin's problem. He's been notified.
| Charlie
Right. Make sure the VPN client is fully protected.
O
Old Rookie
A VPN is simply another way to access a network though usually a much slower
way. So the same risks can apply as to computers connected to the local
network.
There are ways to minimize the risk such as requiring L2TP to insure
computer is a domain computer since it will need a trusted certificate for
access, configuring packet filtering on the VPN server to manage what
traffic is allowed into the network, using NAP policies to make sure
computers pass health checks [Windows 2008], using VPN endpoint devices
that can scan traffic after it is decrypted and before sent to the network,
and of course making sure that servers are hardened, patched, and protected
with quality AV software.
Steve
way. So the same risks can apply as to computers connected to the local
network.
There are ways to minimize the risk such as requiring L2TP to insure
computer is a domain computer since it will need a trusted certificate for
access, configuring packet filtering on the VPN server to manage what
traffic is allowed into the network, using NAP policies to make sure
computers pass health checks [Windows 2008], using VPN endpoint devices
that can scan traffic after it is decrypted and before sent to the network,
and of course making sure that servers are hardened, patched, and protected
with quality AV software.
Steve
A
Anteaus
The main danger here would be if the client was logged on with a Domain
Admin username and password whilst infected. (or any user/pass combination
that matches an Admin account on the server) In this case the client would
have access to the C$ server share, and in principle could make any change it
likes to the server's OS.
Admin username and password whilst infected. (or any user/pass combination
that matches an Admin account on the server) In this case the client would
have access to the C$ server share, and in principle could make any change it
likes to the server's OS.
O
Old Rookie
You make a great point but I would home a domain administrator would know
better but very possibly not.
Domain administrators should NEVER logon to any domain computer other than a
domain controller or known secure domain administration workstations and
ONLY if they need domain administrator powers to do specific tasks. Most
domain tasks can be delgated to domain users other than domain
administrators.
I always use Restricted Groups to create a group called localadmins in the
administrators group on domain workstations and then add regualr domain user
accounts to that group for those delegated to doing administrator work on
workstations.
Steve
better but very possibly not.
Domain administrators should NEVER logon to any domain computer other than a
domain controller or known secure domain administration workstations and
ONLY if they need domain administrator powers to do specific tasks. Most
domain tasks can be delgated to domain users other than domain
administrators.
I always use Restricted Groups to create a group called localadmins in the
administrators group on domain workstations and then add regualr domain user
accounts to that group for those delegated to doing administrator work on
workstations.
Steve