Secure Tunneling. Only with more Control!!!

Ryan Malayter malayter at
Tue Jul 16 16:40:50 UTC 2013

On Sat, Jul 13, 2013 at 8:36 AM, Nick Khamis <symack at> wrote:
> This just got very interesting. Given that we do not own any Microsoft
> products here, and still able to function like any other corporation,
> I am more interested in a "solution that you have more control over"
> secured connections. We currently are using OpenVPN and PKI, coupled
> with a company policy of key updates every 3 months this will only get
> incrementally more complex as the number of clients increase. Not to
> mention one only needs a 3 minutes....
> Question: What other options do we have to maintain a secure
> connection between client and server that gives us more control over
> traditional OpenVPN+PKI. It would be nice to be able to deploy private
> keys automatically to the different clients however, seems like a
> disaster waiting to happen.
> I would really appreciate some of your takes on this matter, what
> types of technology, policies are being employed out there for secure
> connections.

Your current solution sounds entirely reasonable... except your clients still
surf the web, don't they? That is the biggest attack vector: browser
and other client program exploits are rampant on *all platforms*.
Witness the multitudes of image library bugs on Linux, which basically
have allowed remote execution via a webpage with a crafted image since
the early 1990s. Every browser and OS combo, yes even Firefox on
Linux, gets popped in each year's Pwn2Own contest.

If you can execute code on the client, you can usually find one of the
hundreds of local privilege escalation bugs still there. Then you can
compromise any private keys and certs on it, as well as any user
credentials stored or entered on the machine. This makes it easy to
pivot into the core of the target's network without being noticed, and
is in fact how many penetration tests and "APT" or "watering hole"
hacks succeed. They attack clients and pivot into the target network.

So the solution would be: don't let your clients ever touch anything
outside your private walled garden. Which is exactly what
high-security installations in the defense and government sectors do:
they are air-gapped from the Internet. Tough to get a lot of work done
that way, and function as a business.


More information about the NANOG mailing list