vulnerability, attack, defense split tunneling cross-site request forgery and you mary henthorn oit...
TRANSCRIPT
Vulnerability, Attack, Defense
Split Tunneling
Cross-Site Request Forgery
And You
Mary Henthorn
OIT Senior Technology Analyst
February 8, 2007
Thoughts for Today
The Vulnerability Split Tunneling
An Attack Cross-Site Request Forgery
The Defense You!
Split Tunneling Vulnerability
What?
When?
Why
Virtual Private Network
Secure path between server and client usually described as a tunnel
Split Tunnel
Connection to an outside system Can use client as agent to deliver
payload
Split Tunnels Happen
Client device connects to: Internet Network application Local devices Local network
Why Have Split Tunnels?
Performance Bandwidth conservation Multi-tasking habits Access to local network Access to printers Internet Connection Sharing (ICS) VPN as a Band-Aid
An Attack
VPN as a Band-Aid Doesn’t completely isolate sessions
Cross-Site Request Forgery
Can defeat VPN Facilitated by Split Tunneling Facilitated by XSS vulnerabilities Can be delivered by worms Can be delivered by botnets
Fast - Resilient Complexity depends on target application
CSRF by Any Other Name
CSRF XSRF Injection, code injection Session riding Hostile linking CSRF – pronounced “sea surf” One click attack Confused deputy attack
CSRF
Attacker tricks client (agent) into sending the malicious request
CSRF Attack
Study target application Forge the attack Make attack available to agent Let agent deliver attack “Veni, vidi, vici.”, Samy
Code that Picks the Lock
<img src="https://www.books.com/clickbuy?book=BookID&quantity=100">
You! Good Network Defender!
Educate users Apply security patches and updates Use anti-virus protection Use firewalls Keep browser security high Develop safe applications Alternate access to services
Best Defense No Split Tunneling
Cisco Nortel Citrix UC Davis Thomas Shinder – ISA Server Thomas Berger – Univ. of Salzburg
Defense-in-Breadth
Defense-in-Depth as implemented On or off Expect 100% Even 90% can be costly
Synergistic Security Multiple complimentary controls Each < 100% Combination increases security
Split-Tunneling, Good Practice
Educate users Client security Firewalls Risk vs. Cost Multiple solutions
Vulnerabilities = Attacks