Secure Tunneling. Only with more Control!!!

Not having to hijack http://seclists.org/nanog/2013/Jul/251, and
without further ado,

It wouldn't be. When the endpoint in question is compromised, there isn't
any amount of tunneling or obscurity between point A and point B that will
resolve it. The only thing you can do is change to a solution that you have more
control over.
Sent on the TELUS Mobility network with BlackBerry

This just got very interesting. Given that we do not own any Microsoft
products here, and are still able to function like any other corporation,
I am more interested in a "solution that you have more control over"
for secured connections. We currently are using OpenVPN and PKI, coupled
with a company policy of key updates every 3 months; this will only get
incrementally more complex as the number of clients increases. Not to
mention one only needs 3 minutes....

Question: What other options do we have to maintain a secure
connection between client and server that gives us more control than
traditional OpenVPN+PKI? It would be nice to be able to deploy private
keys automatically to the different clients; however, that seems like a
disaster waiting to happen.

I would really appreciate some of your takes on this matter, what
types of technology, policies are being employed out there for secure
connections.

Kind Regards,

Nick.
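One concrete way to get the "more control" asked for above while keeping OpenVPN+PKI is to make the server, not the client's key file alone, the gate: the configuration below is an added example written for this thread, not code from any poster or from the OpenVPN project, contrasting the bare setup with a hardened server stanza. It assumes OpenVPN 2.4 or later; the file paths and the OTP verifier script are assumptions chosen for illustration.

```conf
# Added example (not from the thread). Paths and script names are assumptions.

# --- weak: the client certificate is the only gate ---
# ca   ca.crt
# cert server.crt
# key  server.key
# No CRL, no channel key, no second factor: a copied client key keeps
# working until its notAfter date, however often you rotate on paper.

# --- hardened server stanza ---
port 1194
proto udp
dev tun
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem

# Revocation: a compromised client cert is cut off by regenerating the
# CRL; nobody else's keys need reissuing. OpenVPN re-reads the file
# on each new connection, so the lockout takes effect without a restart.
crl-verify /etc/openvpn/pki/crl.pem

# Only accept peers whose cert carries the client EKU, so a stolen
# server cert cannot be presented as a client (and vice versa).
remote-cert-tls client

# Pre-shared channel key: packets without a valid HMAC are dropped
# before the TLS handshake even starts.
tls-crypt /etc/openvpn/pki/ta.key

# A stolen key file alone is not enough: require a second factor via an
# external verifier (script path is an assumption; exit 0 admits the user).
script-security 2
auth-user-pass-verify /etc/openvpn/verify-otp.sh via-env
username-as-common-name

# Per-client config directory, and refuse any client without an entry,
# so a cert that was issued but never provisioned here cannot connect.
client-config-dir /etc/openvpn/ccd
ccd-exclusive

# Crypto floor.
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
```

With this in place the quarterly key rotation becomes a hygiene measure rather than the only containment, since revoking one certificate or one OTP seed cuts off a compromised client immediately.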

Your current solution sounds entirely reasonable... except your clients still
surf the web, don't they? That is the biggest attack vector: browser
and other client program exploits are rampant on *all platforms*.
Witness the multitudes of image library bugs on Linux, which basically
have allowed remote execution via webpage with a crafted image since
the early 1990s. Every browser and OS combo, yes even Firefox on
Linux, gets popped in each year's P0wn2Own contest.

If you can execute code on the client, you can usually find one of the
hundreds of local privilege escalation bugs still there. Then you can
compromise any private keys and certs on it, as well as any user
credentials stored or entered on the machine. This makes it easy to
pivot into the core of the target's network without being noticed, and
is in fact how many penetration tests and "APT" or "watering hole"
hacks succeed. They attack clients and pivot into the target network.

So the solution would be: don't let your clients ever touch anything
outside your private walled garden. Which is exactly what
high-security installations in the defense and government sectors do:
they are air-gapped from the Internet. Tough to get a lot of work done
that way, and function as a business.