lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 10 Jun 2010 10:20:40 -0400
From: Jeffrey Walton <noloader@...il.com>
To: "Thor (Hammer of God)" <Thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	Daniel Sichel <daniels@...derosatel.com>
Subject: Re: RDP, can it be done safely?

Hi Thor,

> I only bring this up because I think one should consider
> the ramifications of the “VPN first” model before assuming
> it grants you some inherent security.
My experience in the enterprise and the work-at-home crowd has been:
(1) VPN into corpnet
(2) Land at a TS (users) or JumpBox (Admins)

I've read your reply a few times, so please forgive my ignorance: What
are you claiming? (1) There are technologies other than VPN? (2) Don't
use VPN? (3) Use Windows Firewall and IP filtering? (4) Use RDP over
HTTPS for single sign on? Again, my apologies.

> However, when it comes to a network-level “least privilege”
> standpoint, I think there are stark differences:  The VPN
> endpoint typically will give the end user full-stack IP acces
>  to resources unless otherwise specified.
In this respect, how is VPN any different than a user walking in to
the office, punching in, and signing on at the computer in their cube?

For the Admin, its allow VPN to TS or jumpbox. Then network security
applies. Or am I missing something in your statements?

> RDP endpoints however only require the specified RDP port to access the host.
This is kind of Apples and Oranges.... The vpn GIVES acces to TCP/IP,
while rdp REQUIRES that 3389 be open on the host. Perhaps I misread
you.

Jeff

On Wed, Jun 9, 2010 at 11:58 PM, Thor (Hammer of God)
<Thor@...merofgod.com> wrote:
>
> I request that you start thinking about RDS/TS/RDP as a “direct” technology.  Treating access via RDP as something that one must first VPN/RAS into a corpnet first in order to secure properly obscures what one might consider obvious:
>
> If you require me to logon to your network via VPN first before I can subsequently connect to internal RDP resources, one might consider the VPN endpoint as the primary authentication point.  As such, one might logically conclude that since access was granted via the VPN, that internal access to RDP resources would be considered “safe.”  In this model, what is the difference between me authenticating to the VPN endpoint as opposed to me authenticating to an RDP endpoint?
>
> Insofar as the authentication layer is concerned, there really isn’t a difference.  However, when it comes to a network-level “least privilege” standpoint, I think there are stark differences:  The VPN endpoint typically will give the end user full-stack IP access to resources unless otherwise specified.  RDP endpoints however only require the specified RDP port to access the host.  What happens after a successful connection to the host is up to the admin.   In the case of RDP via TSGateway, we find that one can deploy a server at the “connection-level” using client certificates – not only for encryption upon connection, but for validation TO connect in the first place.
>
> To me, that is an important distinction.
>
> VPN endpoint authentication might lead to the propensity for one to consider access to down-range resources as authorized.  I don’t think you should do that when you consider the capabilities an attacker has given an “open pipe” once authenticated versus an single protocol access to a machine you can tightly control.
>
> I only bring this up because I think one should consider the ramifications of the “VPN first” model before assuming it grants you some inherent security.
>
> t
>
>  [SNIP]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ