Sunday, January 21, 2007

New MS VPN Protocol - or new backdoor covert channel?

I've just read in Network World that MS is developing a new VPN protocol that works over HTTP, to avoid the known problems of making tunnels work through networks with NAT, firewalls and proxies in place.

I don't question the need for this when talking about the tunnel functionality. The SSL VPNs grew so much exactly to address these questions. In fact, the article in NW mentions that it will be an SSL VPN. However, I can already see problems with malware using it as a covert channel to communicate with its master. Being an encrypted protocol, chances of detection by network monitoring will be very low.

But why be worried about it if we already have this feature in other products? Because putting it in the OS will make it easier to use by malware authors. I'm a very bad programmer, but the very little that I know is enough to use the very simple API from Windows features in easy programming languages like VB.

Not that I'm saying it's a bad thing to do. It's common to create features that can be used for good and evil. As security professionals, however, we need to think about how we will deal with the bad part. Disabling the ability to use the protocol by GPO settings could be an option.

