Commit cb5235f8 authored by Valerie Aurora

One technical requirement, write down assignments

parent 6d912c13
+43 −8
@@ -65,6 +65,28 @@ Implement in a memory-safe language

*****

**[TR-RES-1]** VPN client must restore security-relevant configuration after VPN connection ends

Threat: VPN client does not restore network or other security configuration

Mitigation(s):

FIXME something about the VPN client not making the system less secure?
FIXME don't want this to be *any* configuration, want this to be network configuration? not sure
FIXME what if the VPN client is totally killed? Must allow for cleanup to run somehow

**[MI-RES-1]** VPN client restores any configuration it changes to its previous state after the VPN connection ends

Test 1: For each kind of configuration change the VPN does, record the state of it prior to the VPN connection starting and compare it to the state after the VPN connection ends

Result: The configuration is functionally the same

Documentation: All system configuration that the VPN changes when it starts the connection, source, documentation, description of tests

Test 2: Same as test 1, but for when the VPN tunnel drops due to an error

Areas for Technical requirements to be written:

**TODO: specific known attack vectors to apply to appropriate requirements**

- Credential harvesting
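Review bot: The new [MI-RES-1] tests only cover an orderly "connection ends" (Test 1) and a tunnel dropping "due to an error" (Test 2); neither exercises the case the third FIXME raises, where the VPN client process is killed outright and no cleanup code runs. That is the case most likely to leave routes, DNS resolver settings or firewall rules in the VPN state, so it should be a Test 3 (kill the client mid-connection, then compare configuration) rather than an open FIXME inside the mitigation text. "Result: The configuration is functionally the same" also needs a concrete pass criterion: the Documentation item already asks for the list of "All system configuration that the VPN changes", so Test 1 should snapshot and diff exactly that enumerated list before and after. Finally, the three FIXME lines sit between "Mitigation(s):" and the mitigation itself and will be read as part of the requirement; resolve them or move them to a notes line before this lands.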
@@ -85,12 +107,6 @@ Implement in a memory-safe language
	  - ??? how to make this connect to use case/security profiled/overall risk? Overall risk score?
	  - If you see a bunch of data being exfiltrated through a laptop, it's suspicious - this can be provided by a SIEM, firewall, etc.

  - connecting to masquerading server
    - TR: secrets or certificates or fingerprints pre-shared or transmitted by alternate secure channel
	  Test: Set up an unauthorized server, send it the traffic from the clients, capture the traffic from the clients and see if they sent anything they shouldn't have, check if the clients refused to connect
	- TR: client authentication cannot send any confidential information to the server before the client has authenticated the server
      Test: Same as above, with all authentication methods


  - weak encryption
    - TR: use strong encryption (ref existing standards)
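Review bot: The six removed lines (the "connecting to masquerading server" item with its two TRs and tests) should be confirmed as a move, not a deletion, since the commit message says "write down assignments" rather than dropping requirements; the same block reappears verbatim under "authentication failure" later in this patch, so a one-line pointer there ("see authentication failure") would make the move self-evident when reading this hunk alone. Removing the item also leaves two consecutive blank lines before "- weak encryption"; drop one so the list stays contiguous.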
@@ -131,6 +147,9 @@ Implement in a memory-safe language
  - TR: split into smaller pieces with lower privileges on some
  - TR: fuzz testing of input data?
  - note: secure design/devel outside scope of this part unless testable on product

David from Crab Nebula is doing:

- DNS Leaks to local network
  - misconfiguration
  - bugs in software
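Review bot: "David from Crab Nebula is doing:" is inserted as a bare paragraph between "- note: secure design/devel outside scope..." and "- DNS Leaks to local network", which splits what reads as one list into two and leaves the assignment header with no markup distinguishing it from requirement text. Use a consistent label for assignments (the document already uses bold **[TR-…]** / **[MI-…]** tags and "**TODO: …**" markers) and give the assignee's full name, as the later "Joseph Rotolo is doing:" entry does, so the assignment survives when the Crab Nebula affiliation is no longer a useful identifier.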
@@ -141,16 +160,26 @@ Implement in a memory-safe language
  - TR: client check DNS configuration and warn or disable?
  - TR: device posture thing or integrates with other tools that check configuration
  - TR: integrate with things that monitor traffic

Joseph Rotolo is doing:

- Allowing untrusted traffic
  - allowing external traffic to route into VPN client or server
  - failure to exclude by application or port or endpoint
  - TR: policy engine allowing configure of packet filter or firewall (may be external product)
  - TR: validating data you are sending
  - TR: authentication of clients (already covered)
- Traffic validity failure
  - FIXME: see above we think? correct if not duplicate
- authentication failure
  - FIXME: covered above?
  - connecting to masquerading server
    - TR: secrets or certificates or fingerprints pre-shared or transmitted by alternate secure channel
	  Test: Set up an unauthorized server, send it the traffic from the clients, capture the traffic from the clients and see if they sent anything they shouldn't have, check if the clients refused to connect
	- TR: client authentication cannot send any confidential information to the server before the client has authenticated the server
      Test: Same as above, with all authentication methods


- Traffic validity failure
  - FIXME: see above we think? correct if not duplicate
- observation or disclosure of the user's online activity by an unauthorized and/or malicious party, including delayed disclosure
  - traffic analysis
  - leaks in general (DNS, logs on end-user device or servers, initial connection, error-related packets, partial information disclosure in packets)
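Review bot: After this hunk "- Traffic validity failure / - FIXME: see above we think? correct if not duplicate" appears twice, once directly under Joseph Rotolo's "Allowing untrusted traffic" item and once again after the moved "authentication failure" block; the FIXME is literally asking whether it is a duplicate, and this patch makes it one, so delete the second copy. The moved masquerading-server block keeps the mixed tab/space indentation it had at its old location ("\t  Test: ..." and "      Test: ..."), so the "Test:" lines will not render as continuations of their TR bullets; re-indent with spaces to match the surrounding list. Minor: "policy engine allowing configure of packet filter" should read "allowing configuration of a packet filter".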
@@ -170,6 +199,12 @@ Implement in a memory-safe language
- installer vulnerabilities e.g. put wrong library in path
  - TR: validate things needed by the installer with a hash or similar

Jan from BSI is doing:

- Firewalls, routing, DNS configuration not correctly
  - TR: restore

## 5.3 [KEV] Known exploitable vulnerabilities

#### Threat: Unencrypted traffic exposes private information
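Review bot: Jan's item "- Firewalls, routing, DNS configuration not correctly" is cut off (presumably "not correctly restored") and its only requirement is the one-word "TR: restore", which duplicates the **[TR-RES-1]** / **[MI-RES-1]** requirement added at the top of this same patch. Cross-reference the label instead ("TR: see [TR-RES-1]") and finish the sentence, so the assignment points at the written requirement rather than at a placeholder that will drift from it. Also check the "## 5.3" heading that follows: the inserted block ends with a single blank line before a level-2 heading while the "Threat:" lines elsewhere use "####", so the new text may be parsed as part of the preceding section by tooling that splits on headings.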