Vulnerability, Attack, DefenseSplit TunnelingCross-Site Request ForgeryAnd YouMary HenthornOIT Senior Technology AnalystFebruary 8, 2007

Thoughts for TodayThe VulnerabilitySplit TunnelingAn AttackCross-Site Request ForgeryThe DefenseYou!

Split Tunneling VulnerabilityWhat?

When?

Why

Virtual Private NetworkSecure path between server and client usually described as a tunnel

Split TunnelConnection to an outside systemCan use client as agent to deliver payload

Split Tunnels HappenClient device connects to:InternetNetwork applicationLocal devicesLocal network

Why Have Split Tunnels?PerformanceBandwidth conservationMulti-tasking habitsAccess to local network Access to printersInternet Connection Sharing (ICS)VPN as a Band-Aid

An AttackVPN as a Band-AidDoesnt completely isolate sessions

Cross-Site Request ForgeryCan defeat VPNFacilitated by Split TunnelingFacilitated by XSS vulnerabilitiesCan be delivered by wormsCan be delivered by botnetsFast - ResilientComplexity depends on target application

CSRF by Any Other NameCSRFXSRFInjection, code injectionSession ridingHostile linkingCSRF pronounced sea surfOne click attackConfused deputy attack

CSRFAttacker tricks client (agent) into sending the malicious request

CSRF AttackStudy target applicationForge the attackMake attack available to agentLet agent deliver attackVeni, vidi, vici., Samy

Code that Picks the Lock

You! Good Network Defender!Educate usersApply security patches and updatesUse anti-virus protectionUse firewallsKeep browser security highDevelop safe applicationsAlternate access to services

Best Defense No Split TunnelingCiscoNortelCitrixUC DavisThomas Shinder ISA ServerThomas Berger Univ. of Salzburg

Defense-in-BreadthDefense-in-Depth as implementedOn or offExpect 100% Even 90% can be costlySynergistic SecurityMultiple complimentary controlsEach < 100%Combination increases security

Split-Tunneling, Good PracticeEducate usersClient securityFirewallsRisk vs. CostMultiple solutions

Vulnerabilities = Attacks