
Xp Firewall And Vpn


joeypesci


So how secure really is the XP firewall? As far as I'm aware it's shit. Any decent hacker (of which I'm not) would be able to get round it. So when I'm told in a corporate environment "The Windows firewall needs to be on when a user is off the corporate network and connecting in from home via VPN. Because if someone does a man in the middle attack and the firewall isn't on, they can compromise the system (laptop) and then have full access to the VPN network.".

I understand that without the firewall the laptop is open and you could jump onto it and then have access to the VPN connection. However, even with the XP Firewall on, I felt this would just prevent a casual hacker, someone who knows small amounts and would not know how to get around the firewall. But anyone with some knowledge would easily be able to circumvent the XP firewall.

The way this VPN seems to work is the user will go to a secure web address that is work's. Then connect using their VASCO token and may have access to some virtual desktops via some icons in the browser (IE). If they don't have that access the only access they have is access to OWA e-mail.

So, if there was no firewall what would someone in a man in the middle attack have access to? As far as I'm aware, even if the firewall was on and they were doing a man in the middle attack. Surely they could use SSL strip to get to the OWA data?

I'm no expert. What does everyone else think?


I think you have to protect yourself against 99% of the hackers that cannot easily penetrate a fully patched system with effective controls placed on it (firewall, HIDS/HIPS, anti-malware, whatever). You have to assume that 1% of the hackers can still get in and you have to give yourself enough time and monitoring to catch that 1% before they can do damage. You have to follow the law of diminishing returns and lost opportunity in the business world to really appreciate this I think. You know, the real world, not a contrived theoretical one :). To be closer to 100% secured, unplug and destroy.

You should not terminate your VPN on your internal network anyway...it should terminate into a DMZ and have a metric buttload of logging and content inspection between the appliance and the internal network. You should also have a VPN solution that is not configured to allow split-tunneling if you are concerned with this. Granted they only hack the local routing table, with good defense in depth (i.e., no administrator privs for the remote user) it becomes less trivial to defeat. Force all traffic, while connected via VPN, to the VPN endpoint and subject that traffic to the same inspection methods that internal corporate users are subjected to. I would go another step further and disallow all network traffic on the mobile laptop unless it is connected via VPN or on an internal network if you want to be really tight.

It is all about security vs convenience, there is no point in having systems that end users cannot use...kind of like regulating businesses until they cannot afford to be in business...
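
The split-tunnel condition described in the post above can be checked from the laptop's `route print` output. The following is an added example, not part of the original post: the sample route tables are constructed, the adapter and gateway addresses and the function names are assumptions, and it assumes the VPN client installs its own 0.0.0.0/0 route.

```python
import ipaddress

# Constructed `route print` excerpts (XP layout). Assumed addresses:
# 192.168.1.50 = home LAN adapter, 10.8.0.6 = VPN adapter,
# 203.0.113.10 = public address of the VPN endpoint.
HEADER = "Network Destination        Netmask          Gateway       Interface  Metric\n"
COMMON = """\
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50      20
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
"""
SPLIT_TUNNEL = HEADER + """\
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
         10.0.0.0        255.0.0.0         10.8.0.5        10.8.0.6       1
""" + COMMON
FULL_TUNNEL = HEADER + """\
          0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6       1
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      21
""" + COMMON

def parse_routes(text):
    """Return (network, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue  # header, separator or other section
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}", strict=False)
            routes.append((net, ipaddress.ip_address(f[3]), int(f[4])))
        except ValueError:
            continue  # five tokens but not a route row
    return routes

def audit(text, vpn_if, vpn_gw):
    """Flag split tunnelling and list prefixes still reachable off the tunnel."""
    vpn_if, vpn_host = ipaddress.ip_address(vpn_if), ipaddress.ip_network(vpn_gw)
    routes = parse_routes(text)
    defaults = sorted((r for r in routes if r[0].prefixlen == 0), key=lambda r: r[2])
    # Split tunnel: the preferred (lowest-metric) default route is not the VPN's.
    split = bool(defaults) and defaults[0][1] != vpn_if
    bypass = sorted(
        str(net) for net, iface, _ in routes
        if net.prefixlen and iface != vpn_if and not iface.is_loopback
        and net != vpn_host and not net.is_multicast
        and str(net) != "255.255.255.255/32")
    return {"split_tunnel": split, "bypass": bypass}

if __name__ == "__main__":
    print(audit(SPLIT_TUNNEL, "10.8.0.6", "203.0.113.10"))
```

Even in the full-tunnel sample the home subnet remains in `bypass`, which is the local traffic the stricter "no network traffic unless on VPN" policy would have to block with a host firewall rule.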


If they had access on the laptop, while it was connected to the VPN, then they would have access to everything the user has access to, and anything else they can compromise on the far end of the VPN connection potentially.

A lot of smaller companies have their VPN endpoint appliance sitting on their corporate network and hand VPN clients an internal corporate DHCP address. Therefore, VPN clients would have the same level of access over the VPN that they have while in the office. Therefore, hacking a laptop that is connected via VPN is essentially the same as compromising a host inside the corporate network. If the XP box can be compromised, then the XP firewall is trivial to disable. That being said, it is far more time consuming (this is the WIN, by the way, for security folks) to gain access to a system with little or no open ports, which is how the firewall *should* be configured when off network (on as well, but that is a different story).

Bottom line, XP firewall (especially SP3) is far better than nothing and arguably more than enough to thwart script kiddies if properly configured. Are there better products out there? Absolutely. Is XP firewall good enough? Most likely.


Just a note. MITM, say à la ARP poisoning or ARP spoofing, won't be protected against just because Windows firewall is up. Windows VPN, however, uses tunneling and IPSec, which encrypts the traffic, so the person trying to MITM won't be able to see anything. However, if they managed to compromise your machine in the process, get a reverse shell, etc., then they would have access to the same things you have access to. Especially if your machine's credentials are part of a domain and you are accessing shares on the corporate network, he could dump your hashes and even pass the hash without even needing to know the password in order to log in to the corporate network as you.

Either way, make sure you have the Windows firewall on if you don't use anything else. Not many firewalls will protect against ARP poisoning and session hijacking anyway, so at a minimum, use the Windows firewall! I wouldn't worry too much about MITM'ing a VPN connection unless your machine is compromised though.
