Let's assume that an ATM bank card is secure. I can still
steal money from your account by lurking behind the ATM,
and as soon as you enter your PIN, rushing forward, shoving you aside,
and helping myself to your account.
VPNs are secure in the same way. I might be a hacker who has broken into
your machine through the normal (non-VPN) Internet connection. I put a
Trojan on your machine that lurks until you establish your
secure VPN connection. Remember that even though the VPN makes
it appear that you are only on the corporate network,
the reality is that you are also on the Internet at the same time.
This allows me to bounce attacks through your machine into the
corporate network and steal whatever I want.
In other words, a secure connection is only as secure as the end-point.
VPNs do nothing to secure the end-point, only the connection.
Some ISPs are providing secure VPN services that prevent Internet access
to the client's machine. In this scheme, the client gets a
special dial-up connection that is only routable to the company.
In other words, the ISP itself is securing the end-node by not really
placing it on the Internet (though the Internet is eventually used
for transit). However, this scheme can still fail in many ways.
Many home users want to surf the web, but don't want the employer monitoring
their traffic, so they want their own Internet connection. If they
have two DSL lines (one personal, one corporate) on the same machine, a
Trojan can infect the machine while on the personal connection.
The hacker can then exploit the system even though it is protected
by the corporate firewall: the firewall stops the Trojan from receiving
inbound connections, but the Trojan can still initiate outbound
connections to the hacker and take its commands over those.
Even though the ISP-provided scheme is more secure than a plain VPN
client, it is fundamentally no better than the scenario of roving
notebook computers, which are likewise exposed to the wild Internet,
then brought within the corporate firewall where they can wreak havoc.
How a hacker can compromise a VPN client
As discussed above, when the VPN is not active, all normal
techniques can be used to break into the client machines.
The most common of these is "File and Print Sharing", which
many home users install in order to share files among their
local machines. When such a share is reachable from the Internet and
has a weak or empty password, it also allows a hacker anywhere on the
Internet to write a Remote Access Trojan into the Startup
directory, where it runs at the next login. However, there are numerous
other techniques.
How VPN clients block Internet access
When most VPN clients initialize, they appear to block
all Internet access. In other words, it appears to the
user that they can no longer surf the Internet as normal.
This is an illusion. The way that most VPN clients
work is simply to reconfigure the routing table, so that
the "default route" points through the tunnel to the corporation.
The routing table only governs outbound packets. Inbound packets
from the Internet still arrive on the physical interface, so commands
used to control the Trojan will still reach the machine; only the
responses will get routed back through the corporation.
In particular, the hacker can use several techniques to
reconfigure the routing table back again, allowing normal
access to the machine. The simplest is to add a more specific route
(for example, a host route to the hacker's own machine via the ISP
gateway), which the kernel prefers over the tunnel's default route.
Such additions are visible in the routing table ("route print" on
Windows, "netstat -rn" on Unix), which is the first thing to check;
the real fix is a host firewall on the client that drops anything
not destined for the tunnel, rather than relying on the routing table.
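To make the routing-table behaviour concrete, here is an added example (not code from the original article): a small model of a host routing table with longest-prefix matching, the route changes a typical VPN client makes when it "blocks" Internet access, the host route a Trojan adds to get its replies out through the ISP connection again, and an audit that lists routes leaving the physical interface. The interface names (eth0, tun0), the addresses, and the assumption that the VPN client keeps a host route to the concentrator are constructed for the illustration.

```python
import ipaddress

# Constructed addresses from documentation ranges; not from the original article.
HOME_LAN = "192.0.2.0/24"    # the home LAN on the ISP side
HOME_GW = "192.0.2.1"        # the ISP-facing router
VPN_GW = "198.51.100.10"     # the corporate VPN concentrator
CORP_NET = "10.0.0.0/8"      # corporate address space reached through the tunnel
C2_HOST = "203.0.113.7"      # the hacker's controller for the Trojan


class RoutingTable:
    """Minimal model of a host routing table: a list of
    (network, gateway-or-None, interface) entries with longest-prefix lookup."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, gateway, iface):
        self.routes.append((ipaddress.ip_network(prefix), gateway, iface))

    def delete(self, prefix, iface):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if not (r[0] == net and r[2] == iface)]

    def lookup(self, dst):
        """Return the most specific matching route, as the kernel does for outbound packets."""
        addr = ipaddress.ip_address(dst)
        best = None
        for route in self.routes:
            if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
                best = route
        return best

    def egress(self, dst):
        """Interface an outbound packet to dst leaves on (None if unroutable)."""
        route = self.lookup(dst)
        return route[2] if route else None


def home_table():
    """Routing table of the home machine before the VPN comes up."""
    rt = RoutingTable()
    rt.add(HOME_LAN, None, "eth0")          # on-link home LAN
    rt.add("0.0.0.0/0", HOME_GW, "eth0")    # default route via the ISP
    return rt


def bring_vpn_up(rt):
    """What a typical VPN client does: a host route to the concentrator so the
    tunnel's own packets still reach it, then the default route moved into the tunnel."""
    rt.add(VPN_GW + "/32", HOME_GW, "eth0")
    rt.delete("0.0.0.0/0", "eth0")
    rt.add("0.0.0.0/0", None, "tun0")
    rt.add(CORP_NET, None, "tun0")


def trojan_reroute(rt):
    """A Trojan with local administrator rights adds a more specific route to its
    controller; longest-prefix matching now prefers it over the tunnel default."""
    rt.add(C2_HOST + "/32", HOME_GW, "eth0")


def audit_leaks(rt, physical_iface="eth0"):
    """Routes leaving the physical interface that are neither the on-link LAN nor the
    concentrator host route. Anything listed here is traffic bypassing the tunnel."""
    allowed = {ipaddress.ip_network(HOME_LAN), ipaddress.ip_network(VPN_GW + "/32")}
    return [str(net) for net, gw, iface in rt.routes
            if iface == physical_iface and net not in allowed]


if __name__ == "__main__":
    rt = home_table()
    print("before VPN, reply to controller leaves via", rt.egress(C2_HOST))
    bring_vpn_up(rt)
    print("VPN up, reply to controller leaves via", rt.egress(C2_HOST))
    print("leaking routes:", audit_leaks(rt))
    trojan_reroute(rt)
    print("after Trojan reroute, reply leaves via", rt.egress(C2_HOST))
    print("leaking routes:", audit_leaks(rt))
```

Note that nothing in this model touches inbound traffic: the controller's packets arrive on eth0 whether or not the VPN is up, which is why the audit looks at egress routes and why only a host firewall, not the routing table, can actually close the path.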