Using Corelight To Monitor and Identify Exploited VPNs

By Richard Bejtlich, Principal Security Strategist, Corelight

Network and security infrastructure, such as routers, switches, firewalls, virtual private network concentrators, and other equipment, are designed to provide a stable and secure communications experience for client and server computers and their users. Many of us take these devices for granted, expecting that once properly configured they simply do their jobs with a minimum of fuss or attention required. Network and security teams are then free to concentrate on the systems which they expect will bear the brunt of reliability and compromise scenarios: client and server computers. What happens when intruders shatter those assumptions, however, by attacking the very infrastructure we use to run our networked enterprise?

Within the last few months, vendors and researchers have published numerous advisories on vulnerabilities in network and security infrastructure. In late September, Cisco published fixes for 13 high-severity vulnerabilities in its routers and switches. In July, prior to the Black Hat conference, researchers from Devcore released details on vulnerabilities in corporate VPN software sold by Palo Alto Networks, Pulse Secure and Fortinet. The point is not to assign blame to these vendors, as no software product is, nor can be, perfect. Rather, they demonstrate that network and security devices operate with vulnerabilities that can be exploited by motivated and capable intruders.

The Consequences

What happens when an intruder exploits a network or security device? These systems are not typically storing intellectual property or other information that intruders would access if they had instead gained a foothold on a client or server system. Rather, access to a network or security device provides a vantage point for intruders, from which they can choose to spy upon, change, or deny access to information transiting the network. This is a popular activity for intruders, as their actions can be completely invisible to the endpoints in a conversation.

Intruders can take other actions which directly affect the services offered by the networking and security equipment. When intruders exploit a device like a VPN concentrator, they will sometimes provision themselves a legitimate account. Now, rather than interacting with the compromised organization via an illicit command and control channel, the intruders will use a legitimate-looking VPN account. These are exceptionally difficult for the security team to identify as being malicious, as they appear as any other VPN user would. Furthermore, when interacting with security-oriented devices that provide access control lists, intruders can modify their settings to permit what was previously unauthorized access methods. 

VPN Protect Thyself?

One might expect that a network or security device protecting itself would be the best countermeasure to these attack vectors. It is true that administrators should limit the surface exposure of the devices, and configure them to monitor access to interactive channels. Administrators should configure the most useful logging possible and export those logs to trusted repositories. Should this not be enough?

Unfortunately, when directly attacked using vulnerabilities mentioned previously, network and security devices act as client or server computing devices. They suffer many of the limitations seen when security teams seek to defend laptops or data center platforms. Many exploits leave little or no trace in security logs. Once active on the compromised device, the system may not detect intruder follow-on actions, command-and-control channels or other activities. In general, due to their “trusted” nature, network and security devices are subject to less scrutiny than their client and server counterparts. Unfortunately, they are often not “trustworthy” enough to merit that status, as intruders treat them as yet another target to exploit.

The Corelight Perspective

What defenders need in this situation is a third party platform that passively observes traffic to and from network and security devices, silently tracking activity without notifying an intruder of its presence. This silent sentry would generate network security monitoring data in the form of compact but rich transaction logs. This network evidence would keep track of activity to and from the network and security devices, rather than simply watching traffic to and from client and server infrastructure. This is an important distinction: when an intruder exploits a network or security device, he is typically targeting the management or public network interfaces or the infrastructure itself. 

As you might expect, Corelight’s sensor appliances (in hardware or software form) are perfectly suited for this duty. NSM data generated by Corelight can audit and record activity such as that generated by Secure Shell or protected by Transport Layer Security (TLS), as seen in HTTPS traffic. If intruders use nonstandard services, Corelight will create connection logs, and should traffic require domain name services, Corelight will generate DNS records.

Conclusion

Where should one deploy Corelight to monitor network and security devices? Clearly it would be difficult to instrument every switch, router, and firewall? The answer depends on the criticality of the device in question. VPN concentrators are prime candidates for dedicated attention by a Corelight sensor. Should an intruder exploit a VPN concentrator, a series of exceptionally dire consequences follow. Defenders should begin their infrastructure visibility architecture program with the most critical devices, and expand as resources permit. 

Visibility architects should start by asking themselves these questions: 

  • How would I know if this device were compromised?
  • What data do I need to make this decision?
  • What data do I need to determine what the intruder did, in total?

A passive monitoring appliance like Corelight can help network and security teams regain confidence in their infrastructure by providing the data to answer these questions.

Leave a comment

Your email address will not be published. Required fields are marked *