<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SecurityNowBlog&#187; SecurityNowBlog-Network Security</title>
	<atom:link href="http://www.blueridgenetworks.com/securitynowblog/category/security_applications/feed" rel="self" type="application/rss+xml" />
	<link>http://www.blueridgenetworks.com/securitynowblog</link>
	<description>Secure Communications</description>
	<lastBuildDate>Fri, 23 Jul 2010 18:56:14 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>SSL VPN Remote Access is Convenient but Not Secure</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/ssl-vpn-remote-access-telework-more-data-leak-risks-than-ipsec</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/ssl-vpn-remote-access-telework-more-data-leak-risks-than-ipsec#comments</comments>
		<pubDate>Fri, 18 Sep 2009 15:38:08 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Security Applications]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=221</guid>
		<description><![CDATA[SSL VPN security is equivalent to holding private meetings in a crowded restaurant whereby other diners are required to voluntarily ignore the conversation and those in it are blind-folded and required to recognize the voices of their colleagues to prevent outside influences.  Web browser security flaws, lack of browser and computer policy enforcement, computer [...]]]></description>
			<content:encoded><![CDATA[<p>SSL VPN security is equivalent to holding private meetings in a crowded restaurant whereby other diners are required to voluntarily ignore the conversation and those in it are blindfolded and required to recognize the voices of their colleagues to prevent outside influences.  Web browser security flaws, lack of browser and computer policy enforcement, computer malware, and dependence on end-users recognizing man-in-the-middle attacks make SSL VPN a poor choice for organizations with anything worth stealing or manipulating.<span id="more-221"></span></p>
<p><strong>Porous Compartmentalization within Web Browsers Undermines SSL VPN</strong></p>
<p>Researchers at DefCon 2009 recently published a comprehensive study on the unexplored opportunities for malware makers in attacking the interoperability of applications and their plug-ins, particularly web browsers.  I recently posted an article on this blog articulating the nature and significance of these risks, which indicate that <a title="InterOperability Among a Web Browser, its Plug-Ins, and its Library Components Represent Fresh Meat to Cyber Criminals, Promising Years of Risk to All Web Browser Users" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">web browser vulnerabilities are at least one or two orders of magnitude more numerous than previously thought</a>.  In short, the data interactions of any single web browser tab or window ought to be private and unadulterated by any other software object within the web browser.  It isn’t so and will not be for a long time.  Note that malware within a web browser is itself one of those software objects and manipulates the others.</p>
<p>Many information security practitioners recommend the <a title="Keep Your Bank and Credit Card Web Transaction Away from Man-in-the-Browser Attacks by Using Separate Web Browsers" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/dual-web-browsers-can-avoid-information-disclosures" target="_blank">use of two or more separate web browser applications to better compartmentalize web activities</a> from others until the promise of web browsers spawning separate processes per tab/window is convincingly demonstrated over time.  This slight digression raises another point about endpoint policy enforcement and authentication (two sub-sections below).</p>
<p><strong>SSL VPN More Vulnerable to Malware Infested Computer Risks</strong></p>
<p>But malware on a computer with IPSec or any other form of VPN is just as susceptible, right?  Yes and no!  Yes, malware intended to steal information can do so on either.  However, with SSL VPN, the malware need only adapt to eavesdropping on web communications, whereas with IPSec VPN the malware must do so for all relevant applications.  Similarly, altering or conducting additional activities is easier too.  Further, an SSL VPN session can literally be hijacked, such that remotely controlled malware can continue to covertly use it without an end-user’s knowledge.</p>
<p><strong>SSL VPN End-user Convenience versus Enterprise Security</strong></p>
<p>More important than the above comparative susceptibility, however, end-users can use ANY computer to launch an SSL VPN session.  Detecting malware after infestation, particularly on machines that run with local admin rights, is nearly pointless with the increased use of third-generation rootkit-based malware.  Cyveillance recently found signature-based tools failed to detect over 71% of the malware samples, less than a month old, that they gathered in the wild to test.  I recently wrote another article concerning the <a title="Are Employee-owned Computers Handling Sensitive Information Free of Data Leak Malware; Do You Feel Lucky...Well Do Ya?" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/data_leak_prevention_must_handle_home_computer_use" target="_blank">data leak risks to organizations allowing employees to work from employee-owned computers</a>.</p>
<p>Man-in-the-browser malware is among the toughest to detect and deter.  Sophisticated attacks from compromised or malicious websites, for example, employ public key cryptography to effectively obfuscate their malware attack code as it enters or leaves a computer (e.g., &#8220;Lucky Sploit&#8221; Malware ToolKit). If the attack code limits its operations to within the web browser, the chances of its detection are far, far less than if it tries to ‘venture out of the browser’.   So SSL VPN communications are easier for malware to compromise than IPSec.</p>
<p>SSL VPN vendors offer browser plug-ins to assess the status of security software on a computer.  This says nothing about the state of the computer an hour, day, or a year earlier.  With today’s stealthy malware, endpoint health assessment must ultimately be a continuous, cradle to grave, practice.  Employees understandably would have reservations about their employers continuously monitoring an employee-owned computer.</p>
<p><strong>SSL VPN Must Require a Dedicated Web Browser that is Site-Locked </strong></p>
<p>Cross-site scripting attacks, for which no near-term, practical defense yet exists, utterly confuse web browsers and their end-users such that they do not know with whom they are communicating.  An organization that must use SSL VPN can enforce policies that site-lock a web browser to one or more SSL VPN gateway IP addresses.  Malicious and mischievous end-users can circumvent policy enforcement tools not specifically designed to prevent this, however.  Browser applets cannot do so continuously.</p>
<p>SSL VPN vendors could theoretically employ web browser applets that rigorously interrogate a web browser seeking an SSL VPN session to determine whether or not it truly is the designated web browser.  Frankly, I don’t know if the vendors actually offer such a capability yet, or whether this proves effective.  And keep in mind the article referenced above concerning browser/plug-in/library object interoperability, as well as object integrity shortcomings (not all web browsers provide for digitally signed validation of software objects): SSL VPN plug-ins and other software objects present, and are subject to, other problems.</p>
<p>Regardless, SSL VPN gateways do not effectively authenticate computers (not to be confused with end-user authentication).  So, if one ignores the risks from the host computer, dedicated, site-locked web browsers can reduce risks.</p>
<p><strong>SSL VPN Depends on End-users Properly Responding to Man-in-the-Middle Attacks</strong></p>
<p>Indirectly, the preceding sections imply man-in-the-browser attacks, whereby malicious software objects operate within the browser, unknown to the end-user, to eavesdrop, manipulate, and even hijack a session.  Man-in-the-middle attacks, however, generally exploit end-user ignorance.  Most end-users click a web browser’s continue button when a prompt says the ‘certificate for this server is invalid’, even though that prompt is trying to alert the end-user to the attack.  Like opening email attachments, organizations can tell end-users not to do so, but they do.  And, they will click that ‘continue’ button too.  Endpoint policy enforcement tools can ensure end-user discretion is eliminated.  But then, we return to the challenge of the SSL VPN gateway authenticating the browser, the computer, and the end-user too.</p>
<p style="padding-left: 60px;"><span style="color: #808080;">Side-story: Years ago, I showed a marketing colleague something on my computer display.  It was a prompt from my web browser, alerting me to some web server’s invalid certificate.  She agreed to make a quality screenshot of it.  Almost immediately, she questioned why her display was so different from mine.  She had clicked ‘continue’ on the prompt and said she always does so.  The poor thing then endured one of my lectures.</span></p>
<p>Remember, end-user authentication is essential and most forms in use are vulnerable to man-in-the-middle attacks.  One-time passcode systems authenticate the end-user but not the SSL VPN gateway.  Out-of-band authentication (e.g., cell phone text message) is a worthy mechanism if it at least implicitly authenticates the SSL VPN gateway too.  Client VPN software completely eliminates dependence on end-users making the correct security choice.</p>
<p><strong>SSL VPN Fine Grained Filtering Compared to IPSec and Local Ethernet Switches</strong></p>
<p>SSL VPN gateways perform proxy operations insofar as remote access user computers do not communicate directly with anything on the other side of the SSL VPN gateway.  This proxy server functionality benefits organizations because it can filter out risky content such as HTTP ‘PUT’ requests that would try to write something to a server.  Such filtering reduces the exposure of important servers to the endpoint population.  Most SSL VPN gateways include such capabilities.  As to what percentage of deployments actually makes significant use of it, I cannot say.</p>
<p>One might ask, however, how many organizations employ a proxy server between local end-users and their important servers?  After all, Ethernet switches do not do so.  Any endpoint, remote or local, is a potential malware-infested threat to all enterprise servers.  How commonly do they internally deploy an SSL VPN gateway for this purpose?  Are SSL VPN gateways sufficiently compatible with ALL of the enterprise applications employed?  Doubtful!</p>
<p>Enterprise content filtering systems are becoming more and more comprehensive.  They perform both proxy and non-proxy filtering of traffic.  Does it make sense to effectively manage two sets of proxy servers: one for local endpoints and SSL VPN gateways for remote computers?  Deploying a single system for both local and remote computers is considerably more practical.  From this perspective, there are operational savings from using a layer 2 client VPN solution for remote access to protect important servers from the risks of client endpoint exposure.</p>
<p><strong>SSL VPN Offers Lower Operations Costs</strong></p>
<p>Presumably, SSL VPN does not require installation of persistent client software, sparing organizations the installation and software testing requirements.  However, SSL VPN vendor value-add capabilities, which help make their data sheets and marketing materials look impressive, often do install persistent client software.  When features require local admin rights for first use, then persistent client software is in play, which can fail, be exploited, and must be patched/updated from time to time.  I wrote of this in a white paper called the “<a title="Agent Based NAC Yields Continuous, Full-Time Endpoint Security Policy Enforcement On and Off Enterprise, Agent-less is Neither Clientless or Effective " href="https://secureitalliance.org/blogs/files/228/2519/WP-Case%20for%20Agent%20Based%20NAC.pdf" target="_blank">Case for Agent-based NAC Solutions</a>”.  This tends to undermine the argument that SSL VPN doesn’t require client-side testing and life-cycle support but client VPN software does.</p>
<p>Client VPN, however, always requires software installation.  I can appreciate the dilemma of small and medium businesses lacking a centralized software distribution and configuration management system.<br />
However, those that do have them, such as federal organizations that must comply with <strong>Federal Desktop Core Configuration (FDCC)</strong> requirements and large commercial organizations can push out software installations quite easily.</p>
<p>So, it comes down to known operations costs versus unknown security losses.  SSL VPN represents a massive data leak risk.  Yet, with the inability to detect malware infestations, man-in-the-browser attacks, and man-in-the-middle attacks, how would an organization plausibly know what data they are leaking daily, particularly if unknown computers are used for SSL VPN connections?   No easy answer, so turn this perspective around to a basic security question: do you know where your data and documents are, and where they’ve been?  Many security practitioners argue if this answer is grossly unknown, then one cannot assert having good security.  SSL VPN exacerbates this challenge.</p>
<p><strong>Do SSL VPN Security Weaknesses Matter to Organizations?</strong></p>
<p>The primary purpose for SSL VPN deployment is to provide low operations cost remote access to organization employees so they can access and input data so their employers benefit from increased productivity. Ideally, organizations also consider security a primary factor in SSL VPN deployment, seeking private communications without tampering by outside parties and reduced exposure of the application servers to malice. Given that most of my concerns regarding SSL VPN security have been expressed for years and SSL VPN continues to be so widely employed, is SSL VPN security really a priority among IT decision-makers, or are those professionals really unaware of them?</p>
<p><strong>If One Must Use SSL VPN, Invest in Computer Protection</strong></p>
<p>Blue Ridge offers several computer protection products, <a title="Consumer and Small Business Computer Protection from Zero Day Virus, Worms, Trojans, USB, and other Malware Attacks" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">AppGuard</a>, <a title="Centrally Managed Lightweight Enterprise Computer Protection from Zero Day Virus, Worms, Trojans, and other Zero Day Malware" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a>, and <a title="Enterprise Computer Protection, Control, and Audit/Operational Awareness including Microsoft NAP, Application Control, Security Software Auto Remediation, and Security Configuration Management" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a>, and a managed security service called <a title="Managed Endpoint Security Service to Protect, Control, and Audit Enterprise Computers" href="http://www.blueridgenetworks.com/products/managed-edgeguard.php" target="_blank">Managed EdgeGuard</a>.  They protect computers from malware attack code of all ages, whereas the anti-virus/spyware products found on nearly all enterprise computers are only effective at stopping malware that is over a month old and used extensively by cyber criminals in the wild.  Equally important, from both the end-user’s and the enterprise administrator’s perspective, they are considerably more ‘usable’ than alternatives from other vendors.</p>
<p>Secondly, encourage your end-users to use one web browser for SSL VPN, and FOR NOTHING ELSE.  Consult your SSL VPN provider for its most robust mechanisms for rejecting other web browsers.  The <a href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/dual-web-browsers-can-avoid-information-disclosures" target="_blank">dual browser strategy reduces the risks from man-in-the-browser threats</a>.</p>
<p><strong>For More SSL VPN Risk Mitigation, Invest in Computer Protection AND Control</strong></p>
<p>The above recommendation depends upon the voluntary compliance of end-users to NOT use the SSL VPN dedicated web browser for OTHER purposes.  Organizations can eliminate this dependence with EdgeGuard and Managed EdgeGuard, which can lock-down web browsers in the manner implied above, even when end-users operate their computers with local admin rights.</p>
<p>The EdgeGuard solutions can also provide IT personnel considerable operational awareness into the state of their endpoint population to identify and quantify their risks.  Further, EdgeGuard can then enforce the subsequent security configuration policies from these audits to dramatically reduce endpoint exposure to attack and data leaks.  They can also assess and remediate numerous and common problems in 3rd party security software products.  Studies typically reveal that one out of every four enterprise computers is at greater risk because a security software product is out-of-date, disabled, or otherwise underutilized.  EdgeGuard identifies and corrects these issues to maximize the value of these investments and minimize endpoint risks.  EdgeGuard can also snuff out unwanted software applications (e.g., peer-to-peer, rogue instant messengers, etc.), assess/implement Microsoft security patches, as well as conduct custom script-based assessments and configuration changes uniquely required for an endpoint population.</p>
<p>EdgeGuard is designed NOT to replace typical endpoint management tools but supplement them so organizations do not have to buy into the expensive and sticky all-in-one promises of the big vendors.  Consequently, IT personnel do not have to abandon their proficiency with their familiar tools and learn how to use something else.</p>
<p>As much employee work is conducted on employee-owned computers, employers are justifiably concerned about the security of these computers.  Some employees are opposed to their employer managing EdgeGuard agents on their home computers but are more open to a trustworthy third party, such as Managed EdgeGuard.</p>
<p><strong>For Organizations with Much to Lose, Little to Spend, and a Need for Truly Secure Remote Access for Telecommuters/Teleworkers </strong></p>
<p>Supplementing the above endpoint security solutions, Blue Ridge offers the <a title="Secure Remote Access VPN for Telework and Day-Extenders" href="http://www.blueridgenetworks.com/products/borderguard-6000.php" target="_blank">BorderGuard VPN</a> product and a <a title="24 x 7 Remote Access VPN Managed Security Service with End-user Help Desk" href="http://www.blueridgenetworks.com/products/managed-vpn-service.php" target="_blank">Managed VPN managed security service</a> to deliver highly secure and end-user friendly remote access.   These solutions have been deployed world-wide for over a decade.</p>
<p>They employ IPSec VPN technology with a proprietary key exchange process, which is largely responsible for the lack of any reported vulnerabilities or security breaches for over a decade.   If one goes to the National Vulnerability Database and searches on the keyword ISAKMP, an acronym associated with all other IPSec offerings, no other vendor can boast such a record.</p>
<p>The key exchange process, called security enhanced Internet key exchange (SE-IKE), envelops the entire key exchange process within mandatory mutual public key authentication, which literally double encrypts each key exchange message with two different RSA keys.  Consequently, SE-IKE is immune to protocol attacks, man-in-the-middle attacks, and others, whereas all other IPSec and SSL VPN offerings are not.  Note, most IPSec deployments of other vendor offerings utilize shared secret keys, which expose their VPN to virtually undetectable man-in-the-middle attacks if just one of their unpatched VPN appliances/routers is compromised.  Unlike SSL VPN, Blue Ridge VPN solutions eliminate dependence on end-users making correct security decisions.</p>
<p>These BorderGuard solutions can use either the PKI credentials facilitated by their central management system or third-party PKI credentials such as <a title="Army Approved Products List Remote Access VPN for DoD CaC PKI X.509 and Active Directory Authentication" href="http://www.blueridgenetworks.com/solutions/government/dodpki-cac-remote-access.php" target="_blank">DoD CAC</a> and <a title="Federal Telework HSPD-12 Compliant Remote Access VPN for PIV X.509 Card Authentication and Temporary Certificates for Transient Workers" href="http://www.blueridgenetworks.com/solutions/government/hspd-12-remote-access.php" target="_blank">HSPD-12</a>.</p>
<p>BorderGuard remote access differs considerably from SSL VPN and other IPSec offerings in other prominent ways too.  Each remote access connection or tunnel is a true layer 2 connection, whereas SSL VPN and other IPSec offerings are not.  Any application/communication protocol that can traverse Ethernet does so problem-free through a BorderGuard tunnel, which is like a secure Ethernet extension cord.  And lastly, BorderGuard tunnels add considerably less bandwidth, latency, and jitter overhead.  Case in point, BorderGuard tunnels secure satellite VoIP communications among Iraqi ministry and other government facilities.  Other well-known products had added too much overhead, leaving only BorderGuard solutions operational.</p>
<p><strong>Related Articles:</strong></p>
<p><a title="XSS, ActiveX, Man-in-the-Middle, and Man-in-the-Browser Vulnerabilities Toss SSL VPN Security Claims Aside" href="http://www.blueridgenetworks.com/securitynowblog/network_security/web-browser-vulnerabilities-are-ssl-vpn-risks" target="_blank">Flaws in Web Browser Security Undermine SSL VPN Security</a></p>
<p><a title="Does One Ever Know Extent of Malware Caused Data Leaks?" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/pc-malware-costly-security-breach-disclosures" target="_blank">PC Malware Driven Security Breach Disclosures—A Case of Worms</a></p>
<p><a title="NAP Can Reduce Enterprise Data Leaks from Employee Owned Computers if Full-Time NAP Agents on Them" href="http://www.blueridgenetworks.com/securitynowblog/network_security/data-leak-prevention-and-network-access-protection-nap " target="_blank">Data Leak Prevention and Network Access Protection (NAP)</a></p>
<p><a title="Any Website a PC Web Browser Visits May Trigger a Malware Attack" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/beladen-websites-attack-pc-malware" target="_blank">Websites Unknowingly Attacking PCs</a></p>
<p><a title="LUA Should Be Mandatory But NOT The End of Computer Protection" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/limited-user-account-does-not-protect-from-drive-by-download-attack" target="_blank">Is a PC Using a Limited User Account (LUA) Safe from Drive-by Download Attacks?</a></p>
<p><a title="Businesses Have 30 Days to Challenge Fraudulent Online Bank Transfers" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/antivirus-failure-costs-businesses-fraudulent-bank-transfers-fdic-regulation-e" target="_blank">Business Protection from AntiVirus-Failure Caused Fraudulent Bank Transfer Losses</a></p>
<p><a title="Employee-Owned Computers Used for Work--Do You Feel Lucky, Well Do Ya?" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/data_leak_prevention_must_handle_home_computer_use" target="_blank">Employee Owned Computers are Data Leak Risks to Employers</a></p>
<p><a title="Fresh Meat Aplenty for Cyber Criminals to be Found in Web Browsers for Years to Come" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">Never Ending Vulnerabilities for Web Browsers</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/ssl-vpn-remote-access-telework-more-data-leak-risks-than-ipsec/feed</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>5 Reasons to Replace Your Retail Data Network Provider</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/5-reasons-to-replace-your-retail-data-network-provider</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/5-reasons-to-replace-your-retail-data-network-provider#comments</comments>
		<pubDate>Thu, 02 Jul 2009 13:28:54 +0000</pubDate>
		<dc:creator>Jim Byrd, Director, Product Marketing</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Applications]]></category>
		<category><![CDATA[Heartland Breach]]></category>
		<category><![CDATA[Managed Network Service]]></category>
		<category><![CDATA[MPLS]]></category>
		<category><![CDATA[PCI-DSS]]></category>
		<category><![CDATA[Retail Data Network]]></category>
		<category><![CDATA[Retail Technology]]></category>
		<category><![CDATA[Retail VPN]]></category>
		<category><![CDATA[TJX Breach]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=109</guid>
		<description><![CDATA[1. You are paying more than $120 per month per site to connect your retail stores. Legacy networks such as Frame Relay and ATM can cost retailers as much as $500 per month per site, not including the additional charges for MACDs and technical support calls. Even the &#8220;new&#8221; generation of MPLS networks are burdened [...]]]></description>
			<content:encoded><![CDATA[<p>1. <strong>You are paying more than $120 per month per site to connect your retail stores</strong>. Legacy networks such as Frame Relay and ATM can cost retailers as much as $500 per month per site, not including the additional charges for MACDs and technical support calls. Even the &#8220;new&#8221; generation of MPLS networks are burdened with infrastructure costs they must pass along. Excessive charges like these can significantly impact profitability. Control these costs and you could increase your quarterly profit as much as 5%.</p>
<p>2. <strong>Your vendor will not sign up to a security SLA</strong>. Security breaches are a common occurrence these days. There are many well-publicized breaches that have cost millions of dollars to clean up and untold dollars in customer confidence. Yet, for you to compete effectively requires real-time access to store and customer data to make sure shelves are stocked and customers can fly through the checkout lanes. However, the constant movement of data increases your exposure to the risk of data loss. A security SLA will ensure your network provider keeps up with the latest PCI-DSS requirements and will help you sleep better at night.</p>
<p>3. <strong>The quality of vendor support declines as your contract ages</strong>. All vendors promise good customer service, but few can deliver. How long does it take to make a change to your network configuration? How responsive is your Support Representative? When was the last time you received a call from your vendor just to &#8220;check in&#8221;? Is 24&#215;7&#215;365 Level 1 support included in your contract? Retailers are constantly challenged to deliver outstanding customer service. You should receive nothing less from your network provider.</p>
<p>4. <strong>Your network prevents you from rolling out innovative revenue-generating programs</strong>. With consumers spending less during these lean economic times, retailers must get creative in how they capture and maintain the customer relationship. Inevitably this means developing loyalty programs that require customer data during an in-store transaction. If your network is incapable of rapidly delivering data, you will likely be unable to introduce the types of programs that differentiate you from the competition. A next-generation, fast, low-cost data network will provide the foundation for deploying data-intensive programs that increase sales and keep customers.</p>
<p>5. <strong>You are constantly hit with unexpected charges and expenses</strong>. Running on tight margins, retailers especially need to have a handle on their network costs. Providers that get your business with a low monthly bid just to &#8220;nickel and dime&#8221; you throughout the term of the contract make the budgeting and reporting processes difficult at best and create an environment of distrust. Look for data network providers that charge a fixed monthly fee, regardless of the number of network changes or helpdesk calls. Also negotiate with the provider to deploy your network with no up-front capital expenses.</p>
<p><a title="More Choices, Better Results in a Managed WAN Solution" href="http://www.blueridgenetworks.com/solutions/retail/reduce-wan-costs.php" target="_self">Blue Ridge Can Significantly Lower Your Store Connection Costs and Increase Connection Speeds</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/5-reasons-to-replace-your-retail-data-network-provider/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Retail MPLS Data Networks at Risk</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/retail-mpls-data-networks-at-risk</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/retail-mpls-data-networks-at-risk#comments</comments>
		<pubDate>Tue, 16 Jun 2009 15:30:45 +0000</pubDate>
		<dc:creator>Jim Byrd, Director, Product Marketing</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Applications]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Blue Ridge Networks]]></category>
		<category><![CDATA[Dark Reading]]></category>
		<category><![CDATA[Integrity]]></category>
		<category><![CDATA[MPLS]]></category>
		<category><![CDATA[MPLS Networks]]></category>
		<category><![CDATA[MPLS Security]]></category>
		<category><![CDATA[PKI]]></category>
		<category><![CDATA[Retail Data Networks]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=87</guid>
		<description><![CDATA[Although the inherent flaws in MPLS security have been known for some time, only in the last few months has there been a concerted effort to deliver hacking tools designed specifically to exploit MPLS security vulnerabilities, putting retail data networks at risk of attack.

At a Black Hat Europe Conference last April a team of researchers released [...]]]></description>
			<content:encoded><![CDATA[<p>Although the <a title="MPLS Flaws" href="http://www.scmagazineus.com/For-managed-MPLS-based-network-migrations-to-be-truly-successful-enterprises-must-apply-due-diligence/article/34912/" target="_blank">inherent flaws in MPLS security</a> have been known for some time, only in the last few months has there been a concerted effort to deliver hacking tools designed specifically to exploit MPLS security vulnerabilities, putting retail data networks at risk of attack.</p>
<p><span id="more-87"></span></p>
<p>At a <a title="Dark Reading Article" href="http://www.darkreading.com/securityservices/services/data/showArticle.jhtml?articleID=216403220" target="_blank">Black Hat Europe Conference last April</a> a team of researchers released tools that can automate attacks on MPLS and Ethernet backbone technologies. According to one of the researchers, &#8220;These technologies do not provide any security themselves, but just rely on the assumption that the underlying network is secure.&#8221;</p>
<p>As MPLS VPNs evolved from proprietary networks to supporting internet-based services, their risk of attack increased accordingly. German researcher Ray says, &#8220;Enterprises that use these VPN services should be aware they are vulnerable. Perform risk analysis and encrypt your traffic.&#8221; &#8220;Just because it&#8217;s called MPLS VPN [doesn't mean] you should [automatically] trust it.&#8221;</p>
<p>Many retailers followed their service providers&#8217; advice and simply migrated from Frame Relay and ATM networks to MPLS. However, over time the majority of problems meant to be solved by MPLS no longer exist, and holes in the technology are being exploited.</p>
<p>Total information security for retail data networks is possible. Solutions using PKI technology, unique digital certificates with mutual mandatory authentication between security appliances, end-to-end data encryption and data integrity checking can provide a standalone data network solution or act as the security layer for an existing MPLS VPN network.</p>
<p>Retailers need to <a title="Retail Data Network Page" href="http://www.blueridgenetworks.com/solutions/retail.php" target="_blank">re-examine wide area networking technologies and topologies </a>as they seek to optimize the security, reliability and cost of their current data network.</p>
<h2><a title="The Most Secure Commercially Available VPN Solution" href="http://www.blueridgenetworks.com/solutions/retail/military-grade-vpn.php" target="_self">Blue Ridge Military Grade VPN, Fully Managed Solution</a></h2>
<img src="http://www.blueridgenetworks.com/securitynowblog/?ak_action=api_record_view&id=87&type=feed" alt="" />]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/retail-mpls-data-networks-at-risk/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Curbing 10 Costly Behavior Data Leak Problems</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/10_enterprise_data_leak_causes_remedies</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/10_enterprise_data_leak_causes_remedies#comments</comments>
		<pubDate>Tue, 04 Nov 2008 21:13:17 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Security Applications]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=33</guid>
		<description><![CDATA[Cisco recently commissioned InsightExpress to examine the security and data leak implications of business employees' actions and inactions. The result is a Top 10 list of the most noteworthy behavioral findings, according to Cisco. IT personnel and business stakeholders must take action.
The table below lists the findings, states the potential impact, and prescribes one or more [...]]]></description>
			<content:encoded><![CDATA[<p>Cisco recently commissioned InsightExpress to examine the security and data leak implications of business employees&#8217; actions and inactions. The result is a Top 10 list of the most noteworthy behavioral findings, according to Cisco. IT personnel and business stakeholders must take action.<span id="more-33"></span></p>
<p>The table below lists the findings, states the potential impact, and prescribes one or more countermeasures.</p>
<p>1. Changing security settings on computers</p>
<ul>
<li>(Risk) Increases exposure to malware and hacker attacks that can disclose sensitive information/credentials and implant malware</li>
<li>Lock down security settings with an enterprise solution that continuously monitors and enforces policies on and off the enterprise network, and if necessary, supersedes privileges of end-users running PCs with admin rights</li>
</ul>
<p>2. Use of unauthorized applications</p>
<ul>
<li>(Risk) End-user installed software is frequently unpatched and vulnerable to attacks that disclose sensitive information, implant malware and use PCs as an attack platform.</li>
<li>(Risk) End-users might install software laced with malware that discloses information and uses the PC as an attack platform</li>
<li>Deploy enterprise application control solution that operates on and off the enterprise network, and if necessary, can supersede end-user admin rights</li>
<li>Monitor and/or block application launches from user-space (e.g., desktop, ‘My Documents’, etc.), a common home for unauthorized applications. This also blocks drive-by download attacks via web browser</li>
</ul>
<p>3. Unauthorized network/facility access</p>
<ul>
<li>(Risk) Information disclosures and compromise of critical resources</li>
<li>Implement two-factor authentication: PKI (included with Windows Server 2008), Smart Cards</li>
<li>Implement Microsoft Network Access Protection, using either 802.1x or IPSec mode</li>
<li>Enforce fine-grained resource access policies and logically compartmentalize server resources that cannot be readily PKI-enabled</li>
</ul>
<p>4. Sharing sensitive corporate information</p>
<ul>
<li>(Risk) Employees who do not perceive a personal financial loss from information disclosures are a major risk to the organization. No solution is 100%!</li>
<li>Consider secure thin client computing that includes an IPSec client, two-factor PKI authentication, and no general purpose Internet access (content filtering)</li>
<li>Where general purpose computing is unavoidable: audit, audit, audit!</li>
<li>Ban removable media (write) and web based email, lock down PCs, and then decide upon exceptions</li>
</ul>
<p>5. Sharing corporate devices</p>
<ul>
<li>(Risk) Exposes organizations to greater potential for malware infestation and information disclosures</li>
<li>Lock down PCs with an enterprise solution that fully operates on and off the enterprise network</li>
<li>Supplement PC anti-malware with non-signature-based tools, balancing security with usability</li>
<li>Audit, audit, audit!</li>
</ul>
<p>6. Blurring of work and personal devices, communications</p>
<ul>
<li>(Risk) Unknown computing devices risk information disclosures and may unwittingly be used to attack networked resources.</li>
<li>Implement Microsoft Network Access Protection (NAP) to at least compartmentalize information assets into different ‘risk zones’.</li>
<li>For handheld computer devices, seek out and require system health agents (SHA) to access anything from your NAP enabled intranet.</li>
<li>By compartmentalizing and effectively regulating all possible conduits to your information assets, you stand a much better chance of implementing various forms of content filtering to prevent bad stuff from coming in and limit what may go out.</li>
<li>Deploy USB computers. End-users boot their untrustworthy PC from these USB devices, rendering the health of these PCs moot. It&#8217;s effectively a secure thin client on a stick (see item 4 above)</li>
</ul>
<p>7. Unprotected devices, computers left logged on and/or unlocked</p>
<ul>
<li>Implement and enforce computer settings that automatically log off idle PCs.</li>
</ul>
<p>8. Storing logins and passwords on the computer or in obvious places</p>
<ul>
<li>(Risk) Compromised credentials lead to information disclosures</li>
<li>Implement two-factor PKI-based authentication.</li>
<li>Implement Microsoft NAP in 802.1x or IPSec mode, leveraging PKI smart cards</li>
<li>PKI enable as many server based resources as practical</li>
<li>For all other server based resources, rely on your Microsoft NAP implementation to compartmentalize them into ‘risk zones’ that require authentication</li>
</ul>
<p>9. Losing portable devices containing data</p>
<ul>
<li>(Risk) Lost devices are the most common source of data loss</li>
<li>Implement disk encryption solution that automatically encrypts removable media.</li>
<li>Device control solutions with very fine-grained options can be more trouble than they are worth.</li>
<li>Limit handhelds’ access, leverage Microsoft NAP</li>
</ul>
<p>10. Allowing unsupervised roaming around offices by non-employees</p>
<ul>
<li>(Risk) Information disclosures and malware implantations</li>
<li>Physical security should be addressed by physical security professionals.</li>
</ul>
<img src="http://www.blueridgenetworks.com/securitynowblog/?ak_action=api_record_view&id=33&type=feed" alt="" />]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/10_enterprise_data_leak_causes_remedies/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
