Vista Business, VPN, and Split Tunnels

[thinkstorm]

Hi all,
in [Control Panel>Network Connections] in my VPN Connection's
[Properties->Networking->IPv4 Properties->Advanced->IP Settings], I
disabled the "Use Default Gateway on Remote Network". When starting
the VPN connection, I can now browse the Internet over my 8MB Comcast
Cable, and access the company [192.168.48.* MASK 255.255.255.0] subnet
through my VPN. Fine.

Because I also need a couple of other servers and applications in some
Intranet places, I grab my VPN IP address from 'ipconfig', and then
manually want to add some routes.

First problem 'route delete 192.168.48.*' fails - so I use 'route
delete 192.168.48.0'. great. Now:

route add 192.168.48.0 mask 255.255.255.0 <VPNIPAddress>
route add 192.168.47.0 mask 255.255.255.0 <VPNIPAddress>
route add 172.16.0.0 mask 255.255.0.0 <VPNIPAddress>
route add 192.168.9.0 mask 255.255.255.0 <VPNIPAddress>
route add 192.168.80.0 mask 255.255.255.0 <VPNIPAddress>

ok, I hope I got everything now... My more important question: did I
compromise the security of the company Intranet by using a VPN split
tunnel - can someone from outside now access the Intranet (without ICS
enabled!)?

Cheers,
Thorsten

 

[Guest]

Yes, any time you use a split tunnel you compromise the security of the
company. You just turned that computer into a router between the Internet and
the internal network at the company. It is a rather big security risk.

 

[thinkstorm]

Yes, any time you use a split tunnel you compromise the security of the
company. You just turned that computer into a router between the Internet and
the internal network at the company. It is a rather big security risk.

I don't know if I agree on the "router" term - is it actually possible
to "route" IP packets from external sources, through my firewall,
through NAT, to an IP address within the VPN? How's the routing
between interfaces affected, if I don't allow ICS?

Thorsten

 

[Guest]

Yes, it is possible. If you receive packets with an internal source address
on the external interface it will send the response to the internal address.
There are obviously some restrictions with this, but it is perfectly
sufficient to propagate some attacks to the inside, for instance.

 

[thinkstorm]

Yes, it is possible. If you receive packets with an internal source address
on the external interface it will send the response to the internal address.
There are obviously some restrictions with this, but it is perfectly
sufficient to propagate some attacks to the inside, for instance.

Neat idea Yes, I see how that could work... So the question is:
is my firewall better than the company's firewall (because I can
access the Internet through the VPN connection, only that I then would
exit through the T1 that is shared with my 50 co-workers...)

Thanks Jesper, I will look for someone to do a little audit about that
issue...

Cheers,
Thorsten

 

[Steve Riley [MSFT]]

(...didn't see this other thread about the same issue, but I'll reply here
as well...)

Prior versions of Windows implemented the "weak end-system" (as opposed to
the "weekend system," haha) model in the IP stack. Windows Vista implements
the "strong end-system" model, which makes the kind of attack Jesper
describes less likely. Here's a description of the differences, quoted from
http://www.microsoft.com/technet/community/columns/cableguy/cg0905.mspx
(there, the Cable Guy uses the term "host model" rather than "end-system
model):

When a unicast packet arrives at a host, IP must determine whether the
packet is locally destined (its destination matches an address that is
assigned to an interface of the host). IP implementations that follow a weak
host model accept any locally destined packet, regardless of the interface
on which the packet was received. IP implementations that follow the strong
host model only accept locally destined packets if the destination address
in the packet matches an address assigned to the interface on which the
packet was received. The current IPv4 implementation in Windows XP and
Windows Server 2003 uses the weak host model. The Next Generation TCP/IP
stack supports the strong host model for both IPv4 and IPv6 and is
configured to use it by default. You can configure the Next Generation
TCP/IP stack to use a weak host model. The weak host model provides better
network connectivity. However, it also makes hosts susceptible to
multihome-based network attacks.

Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley