Vulnerability, Attack, Defense:
Split Tunneling - Cross-Site Request Forgery And You


Mary Henthorn, OIT Senior Technology Analyst
February 8, 2007

Thoughts for Today

  • The Vulnerability
    • Split Tunneling
  • An Attack
    • Cross-Site Request Forgery
  • The Defense
    • You!

Split Tunneling Vulnerability

  • What?
  • When?
  • Why?

Virtual Private Network

  • Secure path between server and client, usually described as a tunnel
  • Split tunnel
    • Connection to an outside system
    • Can use client as agent to deliver payload

Split Tunnels Happen

  • Client device connects to:
    • Internet
    • Network application
    • Local devices
    • Local network

Why Have Split Tunnels?

  • Performance
  • Bandwidth conservation
  • Multi-tasking habits
  • Access to local network
  • Access to printers
  • Internet Connection Sharing (ICS)
  • VPN as a Band-Aid

An Attack

  • VPN as a Band-Aid
  • Doesn’t completely isolate sessions

Cross-Site Request Forgery

  • Can defeat VPN
  • Facilitated by Split Tunneling
  • Facilitated by XSS vulnerabilities
  • Can be delivered by worms
  • Can be delivered by botnets
    • Fast - Resilient
  • Complexity depends on target application

CSRF by Any Other Name

  • CSRF
  • XSRF
  • Injection, code injection
  • Session riding
  • Hostile linking
  • CSRF – pronounced “sea surf”
  • One click attack
  • Confused deputy attack

CSRF

  • Attacker tricks client (agent) into sending the malicious request

CSRF Attack

  • Study target application
  • Forge the attack
  • Make attack available to agent
  • Let agent deliver attack
  • “Veni, vidi, vici.” – Samy

Code that Picks the Lock

  • <img src="https://www.books.com/clickbuy?book=BookID&quantity=100">

You! Good Network Defender!

  • Educate users
  • Apply security patches and updates
  • Use anti-virus protection
  • Use firewalls
  • Keep browser security high
  • Develop safe applications
  • Alternate access to services
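To show why the `<img>` request on the "Code that Picks the Lock" slide succeeds and what "Develop safe applications" means in practice, here is an added example (not from the presentation) contrasting a purchase handler that honours any cookie-bearing GET with one that requires POST plus a per-session synchronizer token. The `Request` class, the `/clickbuy` handlers and the session values are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SECRET = b"constructed-demo-key"  # constructed; load from protected config in a real app
orders = []                       # (session, book, quantity) tuples that got through


@dataclass
class Request:
    method: str
    path: str
    params: dict                 # query string, the only thing an <img src> can carry
    cookies: dict                # attached automatically by the victim's browser
    form: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Per-session synchronizer token: HMAC over the session id, embedded in real forms."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_clickbuy(req: Request):
    """Endpoint as the slide's <img> tag assumes it: a logged-in cookie plus a GET is enough."""
    if "session" not in req.cookies:
        return 401, "login required"
    orders.append((req.cookies["session"], req.params["book"], int(req.params["quantity"])))
    return 200, "purchased"


def hardened_clickbuy(req: Request):
    """Same action with two independent checks; the forged request fails both."""
    if "session" not in req.cookies:
        return 401, "login required"
    if req.method != "POST":                      # an <img> can only issue a GET
        return 405, "state change requires POST"
    expected = csrf_token(req.cookies["session"])
    supplied = req.form.get("csrf_token", "")     # attacker's page cannot read this value
    if not hmac.compare_digest(supplied, expected):
        return 403, "missing or invalid CSRF token"
    orders.append((req.cookies["session"], req.form["book"], int(req.form["quantity"])))
    return 200, "purchased"


# Constructed: what the victim's browser sends while rendering the slide's <img> tag.
FORGED = Request("GET", "/clickbuy", {"book": "BookID", "quantity": "100"},
                 {"session": "victim-session"})
```

Run `hardened_clickbuy(FORGED)` and the forged purchase is refused at the method check; a forged POST without the token is refused at the token check.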

Best Defense No Split Tunneling

  • Cisco
  • Nortel
  • Citrix
  • UC Davis
  • Thomas Shinder – ISA Server
  • Thomas Berger – Univ. of Salzburg

Defense-in-Breadth

  • Defense-in-Depth as implemented
    • On or off
    • Expect 100%
    • Even 90% can be costly
  • Synergistic Security
    • Multiple complementary controls
    • Each < 100%
    • Combination increases security

Split-Tunneling, Good Practice

  • Educate users
  • Client security
  • Firewalls
  • Risk vs. Cost
  • Multiple solutions

Vulnerabilities = Attacks