Split Tunneling
Cross-Site Request Forgery
And You
Mary Henthorn
OIT Senior Technology Analyst
February 8, 2007
The Vulnerability
An Attack
Split Tunneling
Cross-Site Request Forgery
The Defense
You!
What?
When?
Why?
Split Tunnel
Internet
Network application
Local devices
Local network
Performance
Bandwidth conservation
Multi-tasking habits
Access to local network
Access to printers
Internet Connection Sharing (ICS)
VPN as a Band-Aid
An Attack
VPN as a Band-Aid
Doesn't completely isolate sessions
Fast - Resilient
CSRF
XSRF
Injection, code injection
Session riding
Hostile linking
CSRF pronounced sea surf
One click attack
Confused deputy attack
CSRF
CSRF Attack
<img src="https://www.books.com/clickbuy?book=BookID&quantity=100">
Educate users
Apply security patches and updates
Use anti-virus protection
Use firewalls
Keep browser security high
Develop safe applications
Alternate access to services
Cisco
Nortel
Citrix
UC Davis
Thomas Shinder ISA Server
Thomas Berger Univ. of Salzburg
Defense-in-Breadth
Defense-in-Depth as implemented
On or off
Expect 100%
Even 90% can be costly
Synergistic Security
Educate users
Client security
Firewalls
Risk vs. Cost
Multiple solutions
Vulnerabilities = Attacks