Commit b92d2e52 authored by Valerie Aurora

Move authentication to one section

parent b294696f
+41 −38
@@ -91,6 +91,47 @@ Areas for Technical requirements to be written:

### Authentication

Joseph Rotolo is doing:

Threat: Allowing untrusted traffic
  - allowing external traffic to route into VPN client or server
  - failure to exclude by application or port or endpoint
  - TR: policy engine allowing configure of packet filter or firewall (may be external product)
  - TR: validating data you are sending
  - TR: authentication of clients (already covered)

- authentication failure

Threat: Machine-in-the-middle, connecting to masquerading server
  - TR: secrets or certificates or fingerprints pre-shared or transmitted by alternate secure channel
	  Test: Set up an unauthorized server, send it the traffic from the clients, capture the traffic from the clients and see if they sent anything they shouldn't have, check if the clients refused to connect
	- TR: client authentication cannot send any confidential information to the server before the client has authenticated the server
      Test: Same as above, with all authentication methods

- Credential harvesting
  - phishing
    - not our problem
  - transmitting credentials in plain text
    - TR: don't transmit sensitive stuff in plain text

	Requirement: for each method of authenticating and each transport method, authenticate, capture the traffic, search for a string matching the plain-text credentials. and document it all

Threat: attacker gains physical control of device

  - TR: auth timeout (periodic re-auth)
  - TR: require re-auth after sleep of device
  - TR: encrypt stored credentials and use some derived thing with a timeout (password vault kind of stuff)
  - TR: provide feature to revoke device

Threat: attacker gains physical control of device and duplicates the storage containing credentials

Note: this is also just an annoying usability problem that happens by accident with images and cloning

  - TR: detect identical clients
  - TR: store credentials in secure TPM
  - TR: don't use reusable credentials
  - TR: document what the user has to do to avoid this
  - TR: document that this product isn't appropriate for use case or doesn't provide this thin

### Logging

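Review bot: the bullet "- authentication failure" between the first and second Threat blocks is left empty, with no TRs or sub-items under it, and "TR: authentication of clients (already covered)" now sits inside the Authentication section itself, so "already covered" no longer points anywhere; either give the empty bullet content or drop it, and replace the parenthetical with a reference to the specific TR it means. Minor: the "Test:" lines, the second TR under the masquerading-server threat and the "Requirement:" line are indented with tabs while the rest of the list uses spaces, so they will not nest consistently when rendered.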
@@ -117,18 +158,8 @@ Threat: attacker deletes local logs to hide activity

### Betrayal by VPN provider

- TR

### Transmitting data in the clear

- Credential harvesting
  - phishing
    - not our problem
  - transmitting credentials in plain text
    - TR: don't transmit sensitive stuff in plain text

	Requirement: for each method of authenticating and each transport method, authenticate, capture the traffic, search for a string matching the plain-text credentials. and document it all

  - compromised devices
    - TR: threat detection (traffic analysis)
      - require AV, XDR, SIEM, SOAR, etc. or provide it yourself
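Review bot: removing the "- Credential harvesting" parent leaves "  - compromised devices" and its TRs as an indented sub-item with no parent bullet in the "Transmitting data in the clear" section; outdent it to a top-level item or give it a parent. The "### Betrayal by VPN provider" section above it still contains only the bare "- TR" placeholder.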
@@ -146,17 +177,6 @@ Threat: attacker deletes local logs to hide activity
    - TR: key rotation
    - TR: allow for forced key expiry
    - TR: provided feature to revoke keys in service
  - physical possession of authorized device
    - TR: auth timeout (periodic re-auth)
    - TR: require re-auth after sleep of device
    - TR: encrypt stored credentials and use some derived thing with a timeout (password vault kind of stuff)
    - TR: provided feature to revoke device
  - duplication of entire hard disk
    - TR: detect identical clients
    - TR: don't store credentials in secure TPM
  - TR: don't use reusable credentials, use passkey etc.
  - TR: document what the user has to do to avoid this
  - TR: document that this product isn't appropriate for use case or doesn't provide this thing

- TR: data validation before encryption (todo)
- TR: look at all the traffic generated and see if there is anything in the clear, going to the wrong place etc.
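Review bot: the copy of this block in the new Authentication section does not match what is removed here: "TR: don't store credentials in secure TPM" becomes "TR: store credentials in secure TPM" (the removed wording reads like a mistaken negation, but since the commit is described as a move the fix should be called out in the message), "TR: don't use reusable credentials, use passkey etc." loses the "use passkey etc." hint, and "doesn't provide this thing" is truncated to "doesn't provide this thin". Also, the device-revocation and re-auth TRs move to Authentication while "TR: key rotation", "TR: allow for forced key expiry" and "TR: provided feature to revoke keys in service" stay here; decide whether key lifecycle belongs with them.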
@@ -191,23 +211,6 @@ David from Crab Nebula is doing:
  - TR: device posture thing or integrates with other tools that check configuration
  - TR: integrate with things that monitor traffic

Joseph Rotolo is doing:

- Allowing untrusted traffic
  - allowing external traffic to route into VPN client or server
  - failure to exclude by application or port or endpoint
  - TR: policy engine allowing configure of packet filter or firewall (may be external product)
  - TR: validating data you are sending
  - TR: authentication of clients (already covered)
- authentication failure
  - FIXME: covered above?
  - connecting to masquerading server
    - TR: secrets or certificates or fingerprints pre-shared or transmitted by alternate secure channel
	  Test: Set up an unauthorized server, send it the traffic from the clients, capture the traffic from the clients and see if they sent anything they shouldn't have, check if the clients refused to connect
	- TR: client authentication cannot send any confidential information to the server before the client has authenticated the server
      Test: Same as above, with all authentication methods


- Traffic validity failure
  - FIXME: see above we think? correct if not duplicate
- observation or disclosure of the user's online activity by an unauthorized and/or malicious party, including delayed disclosure
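Review bot: the "FIXME: see above we think? correct if not duplicate" under "- Traffic validity failure" referred to the "Allowing untrusted traffic" block that this hunk removes; with that block now in the Authentication section, update the FIXME to name that section or resolve it, rather than leaving a dangling "see above". The removal also leaves two consecutive blank lines before "- Traffic validity failure".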