[vpn-help] Outlook interrupted
Matthew Grooms
mgrooms at shrew.net
Tue Feb 14 19:02:08 CST 2012
On 1/26/2012 10:02 PM, Kevin VPN wrote:
>
> Hi Jernej,
>
> I'm disappointed that deleting the route actually works. I just tried
> it. I would have thought (hoped!) that Shrew might watch for things
> messing with the routes and reset them if they change.
>
> I'd think that would be a potential way for trojan to get into an
> organization - wait for a tunnel to come up, enumerate the remote
> network, add a non-tunneled route to its C&C server and call home for
> instructions. Sort of defeats one of the purposes of a full-tunnel VPN. :(
>
There is no mechanism that I'm aware of that can "lock" a route in the
OS. You could have two processes fight over which routes it believes
should be the correct routes for a given point in time. Having a route
added or removed from your route table can happen at any point by a
process with the correct privilege level. The only thing the client can
really do is monitor the route table and potentially disconnect if it
sees a change.
> Does anyone know if this route hack can be done with other VPN clients
> like Cisco or Juniper?
>
What do you want in a VPN client? IPsec security policies define source
and destination IP networks and request or require that a transform be
applied to the traffic pattern to encrypt or authenticate the content.
It doesn't prescribe any particular methods to ensure that packets are
allowed to originate from an authorized process. Furthermore, there is
no distinction made between server or client insofar as IPsec protocols
or vanilla IKE are concerned. For additional protection, a firewall and
anti-malware software should be used to protect your machine. Otherwise
it could be used as an attack vector to any remote network you may be
connected to. Some VPN clients bundle these with their software (Cisco
can push firewall rules to their VPN client) and some don't. The Shrew
Soft client falls into the latter category.
-Matthew
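As an added illustration of the one defensive option Matthew names (watch the route table and react to changes), here is a small monitor that is not Shrew Soft code and not part of this thread. It assumes Linux `ip route` text output; the two snapshots are constructed, and the interface name `tun0`, the gateway `203.0.113.10` and the destination `198.51.100.7` are placeholders. It diffs the current table against the snapshot taken when the tunnel came up, and flags exactly the two manipulations discussed above: a tunnel route that disappeared, and a new route that steers a protected destination onto a non-tunnel interface.

```python
"""Route-table change monitor (added example; not Shrew Soft or vpn-help code).

Assumes Linux `ip route` output. Snapshots, interface and address values below
are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network   # destination prefix
    dev: str                     # outgoing interface
    via: Optional[str]           # next hop, None for on-link routes


def parse_ip_route(text: str) -> Set[Route]:
    """Parse `ip route` lines such as '10.0.0.0/8 via 192.168.1.1 dev eth0'."""
    routes: Set[Route] = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = via = None
        for i, tok in enumerate(parts):
            if tok == "dev" and i + 1 < len(parts):
                dev = parts[i + 1]
            elif tok == "via" and i + 1 < len(parts):
                via = parts[i + 1]
        if dev is None:
            continue  # entries without an interface (e.g. blackhole) are skipped
        # strict=False turns a bare host such as 198.51.100.7 into a /32
        routes.add(Route(ipaddress.ip_network(dst, strict=False), dev, via))
    return routes


def check_route_table(baseline: str, current: str, tunnel_dev: str,
                      protected: List[str]) -> List[Tuple[str, Route]]:
    """Diff the live table against the snapshot taken when the tunnel came up.

    Flags (a) tunnel routes that disappeared and (b) new routes that send
    protected destinations out of a non-tunnel interface. Routes already in
    the baseline (the LAN route, the host route to the VPN gateway) are trusted.
    """
    nets = [ipaddress.ip_network(p) for p in protected]
    before, after = parse_ip_route(baseline), parse_ip_route(current)
    findings: List[Tuple[str, Route]] = []
    for r in before - after:
        if r.dev == tunnel_dev:
            findings.append(("tunnel_route_removed", r))
    for r in after - before:
        if r.dev != tunnel_dev and any(r.dst.overlaps(n) for n in nets):
            findings.append(("bypass_route_added", r))
    return sorted(findings, key=lambda f: (f[0], str(f[1].dst)))


# Constructed snapshot taken right after a full-tunnel connection came up:
# the tunnel owns 0.0.0.0/1 and 128.0.0.0/1, and a host route pins the
# (placeholder) VPN gateway 203.0.113.10 to the physical interface.
BASELINE = """\
default via 192.168.1.1 dev eth0 metric 100
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Constructed later snapshot: one tunnel half-route was deleted and a host
# route that skips the tunnel was added for a placeholder destination.
TAMPERED = BASELINE.replace("128.0.0.0/1 dev tun0 scope link\n", "") + \
    "198.51.100.7 via 192.168.1.1 dev eth0\n"

if __name__ == "__main__":
    for kind, route in check_route_table(BASELINE, TAMPERED, "tun0", ["0.0.0.0/0"]):
        print(f"{kind}: {route.dst} dev {route.dev} via {route.via}")
    # A client taking Matthew's approach would tear the tunnel down on any finding.
```

In a real client this diff would run on every poll (or on a netlink/route-change notification) against the snapshot saved at tunnel-up time; the "disconnect on change" policy Matthew describes is simply `if findings: disconnect()`. For a split-tunnel configuration, `protected` would list the remote networks instead of `0.0.0.0/0`.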