openVPN- is it dangerous?

darin.marais
Level 4

Some time back I learnt of a program called openVPN (http://openvpn.sourceforge.net) that will allow internal connections past the firewall using a tunnel via the network proxy server and then out onto the internet to a server.

Since the client uses the SSL/TLS protocol, this makes it impossible to detect.

Do security personnel consider this type of tunnelling to be dangerous for the network? Opinions are welcome.

1. How can this be detected by the NIDS?

2. What are the defence recommendations for the proxy server?

2 Replies

I consider it very dangerous, as a security person. The one good thing is your average user isn't going to know how to use it, but there are sites out there (GoToMyPC) that make the same issue easy for a normal user, to do the same thing (tunnel into your network).

There are a couple of sigs already in the Cisco NIDS for HTTP tunneling, but I am not sure about SSL. I am not sure you could make a sig unless there is a common string openVPN uses to set up its tunnel or something like that. Then you could put that in a sig and catch all hits.

As for recommendations for the proxy server, the most secure way to do this would be to limit all of your users' external access to only sites you have verified. The next less secure way would be to put in a web filtering app and filter everything into the groups they give you and don't allow anything else. The last way I would say is to make it a company policy to not allow anyone to use these types of things and punish them if they do.

darin.marais
Level 4

I am determined to find a signature to capture and trigger an event when the proxy server in a network has been used to create an external openVPN tunnel to a device on the internet using the tool openvpn.

I captured some data from a host installed with openVPN, and the initial data connection looks as follows. The initial connection is a "normal" HTTP CONNECT to the server.

65 7.836821 my.host my.proxy TCP 2609 > my.proxy_port [SYN] Seq=791162879 Ack=0 Win=16384 Len=0
66 7.838030 my.proxy my.host TCP my.proxy_port > 2609 [SYN, ACK] Seq=3813686421 Ack=791162880 Win=49640 Len=0
67 7.838099 my.host my.proxy TCP 2609 > my.proxy_port [ACK] Seq=791162880 Ack=3813686422 Win=17520 Len=0
68 7.839615 my.host my.proxy HTTP CONNECT x.x.x.x:remote port HTTP/1.0
69 7.840447 my.proxy my.host TCP my.proxy_port > 2609 [ACK] Seq=3813686422 Ack=791162919 Win=49640 Len=0
76 8.839737 my.host my.proxy HTTP Continuation
77 8.840527 my.proxy my.host TCP my.proxy_port > 2609 [ACK] Seq=3813686422 Ack=791162972 Win=49640 Len=0

However, later on in the connection the host negotiates an openssl connection to generate the certificate and pushes the string “OpenSSL Generated Certificate.r e..”. I have given the full packet below.

Frame 159 (286 bytes on wire, 286 bytes captured)
Internet Protocol, Src Addr: my.host (my.host), Dst Addr: my.proxy (my.proxy)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 272
    Identification: 0x6cef (27887)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xd214 (correct)
    Source: my.host (my.host)
    Destination: my.proxy (my.proxy)
Transmission Control Protocol, Src Port: 2609 (2609), Dst Port: my.proxy_port (my.proxy_port), Seq: 791164632, Ack: 3813690550, Len: 232
    Source port: 2609 (2609)
    Destination port: my.proxy_port (my.proxy_port)
    Sequence number: 791164632
    Next sequence number: 791164864
    Acknowledgement number: 3813690550
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16482
    Checksum: 0xc9ad (correct)
Hypertext Transfer Protocol
    Data (232 bytes)

.......0......E.
..l.@...........
...1.L/(6..PL.P.
@b.....r e....).
8.........._ZO..
.g.........0..0.
..U....0.0...`.H
...B........0,..
`.H...B......Ope
nSSL Generated C
ertificate.r e..

Is there a way to build a Cisco signature that will first look for the HTTP CONNECT to the proxy server and then, at an infinite position in the stream, detect this specific content string?
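The two-stage match the thread is asking for (a CONNECT request to the proxy, then the certificate string anywhere later in the same client-to-proxy stream) as stateful detection logic; this is an added Python example, not code from the original post or from any Cisco sensor, and the flow ids and payloads are constructed to mirror the capture above.

```python
import re
from collections import defaultdict

# Stage 1: an HTTP CONNECT request line, as seen in frame 68 of the capture.
CONNECT_RE = re.compile(rb"^CONNECT\s+\S+:\d+\s+HTTP/1\.[01]\r?\n")
# Stage 2: the nsComment string OpenSSL's default config writes into certificates.
CERT_MARKER = b"OpenSSL Generated Certificate"


class TunnelDetector:
    """Per-flow state machine: alert only if CONNECT was seen on this flow and
    the certificate marker appears later in the same byte stream."""

    def __init__(self):
        self.state = defaultdict(lambda: {"connect": False, "tail": b"", "hit": False})
        # Keep the last len(marker)-1 bytes so a marker split across two
        # TCP segments (as "...Ope" / "nSSL Generated C" above) still matches.
        self.keep = len(CERT_MARKER) - 1

    def feed(self, flow, payload):
        st = self.state[flow]
        if st["hit"]:
            return True
        if not st["connect"]:
            # Marker without a prior CONNECT on this flow is not our pattern.
            st["connect"] = bool(CONNECT_RE.match(payload))
            return False
        buf = st["tail"] + payload
        if CERT_MARKER in buf:
            st["hit"] = True
            return True
        st["tail"] = buf[-self.keep:]
        return False


def detect_flows(segments):
    """Return the set of flow ids that trigger, given (flow, payload) in stream order."""
    det = TunnelDetector()
    return {flow for flow, payload in segments if det.feed(flow, payload)}


# Constructed client->proxy segments (addresses are documentation ranges).
SAMPLE_SEGMENTS = [
    ("hostA->proxy", b"CONNECT 203.0.113.5:1194 HTTP/1.0\r\n\r\n"),
    ("hostB->proxy", b"CONNECT 198.51.100.7:443 HTTP/1.0\r\n\r\n"),
    ("hostA->proxy", b"\x16\x03\x01\x00\x55\x01\x00\x00\x51"),        # TLS ClientHello-like
    ("hostC->proxy", b"\x16\x03\x01\x00\x80OpenSSL Generated Certificate"),  # no CONNECT first
    ("hostA->proxy", b"\x16\x03\x01\x00\x80\x0b\x00\x00\x7cOpenSSL Generated C"),
    ("hostA->proxy", b"ertificate\x00\x00\x12"),                         # marker split here
    ("hostB->proxy", b"GET / HTTP/1.1\r\n"),
]
```

The marker only identifies certificates built with OpenSSL's default openssl.cnf, and only where the certificate is sent in the clear during the handshake (TLS 1.2 and earlier; TLS 1.3 encrypts it).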