Restricted Remote VPN Access and Usage of Overlay Networks

2019/05/31 by CSO

Due to the continued incidents and growing security risks from the service, access to CERN using VPN (Virtual Private Network) is prohibited.

In particular, software acting as exit nodes of overlay networks (for example Tor exit nodes, Hola 'Unblocker' / Hola 'Better Internet' / Hola 'VPN') is specifically prohibited within CERN as they provide unfiltered direct access into CERN's internal office network (the so-called "GPN").

Similar functionality to the VPN service is provided by application gateways, such as WTS (Windows Terminal Services) and the central Linux service on LXPLUS. The recommended methods for connecting to CERN from the Internet are documented here.

However, access from CERN to e.g. remote institutes is still possible.

Motivation

The risk of worms entering the CERN site from VPN connections is high, as they bypass the firewall protections in place for standard Internet connections. The serious impact of such incidents was already experienced in August 2003, when early versions of the Blaster worm rapidly entered the site via VPN connections. Although protections were added to contain those specific cases, the rise in zero-day exploits and in home computers as a key target for attackers is a dangerous combination, increasing the risk of similar incidents occurring in the future. In addition to the increasing risks, the ability to make a rapid follow-up for VPN incidents is limited and does not scale.

Known Issues

  • In some cases the alternative working methods are less convenient and/or provide reduced performance compared to VPN. Windows DFS File synchronization is not possible from off-site without VPN. File transfer (including mapping a local disk to a WTS session) is possible.
  • Remote installation of software was possible with VPN. This practice is not recommended; therefore no alternative will be provided. Users must instead bring their computers physically to CERN.

If a case were to arise where VPN is vital for the mission of the organization and no alternative solution is available within the timescale, a temporary extension could possibly be maintained for the user concerned. This would require that the case is justified and supported by the user's Department Head (or Deputy). The configuration of the device and the working method of the user connecting to VPN would need to be agreed with a member of the security team in order to minimise the risk.

Access from CERN to the Outside

The CERN firewall supports GRE-based PPTP VPN connections from CERN to remote institutes. This includes connections from fixed IP addresses as well as from dynamically allocated (DHCP) addresses (e.g. wireless and portable sockets).

VPN client software using IPsec-based connections is not fully supported by the firewall and is only permitted from sockets with dynamically allocated (DHCP) addresses (e.g. wireless and portable sockets).
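The two rules above can be expressed as a simple audit over outbound flow records: PPTP (TCP/1723 control channel plus GRE, IP protocol 47) is acceptable from any CERN socket, while IPsec (IKE on UDP/500, NAT traversal on UDP/4500, ESP as IP protocol 50) is acceptable only when the source address belongs to a DHCP pool. The following Python is an added illustration, not CERN's firewall configuration or tooling; the `key=value` flow format, the sample records and the address ranges (documentation prefixes, with 192.0.2.0/24 standing in for the DHCP pool) are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (documentation prefixes, not CERN's real ranges):
# 192.0.2.0/24 stands in for the DHCP pool used by wireless and portable
# sockets; any other source is treated as a fixed-address socket.
DHCP_POOLS = [ipaddress.ip_network("192.0.2.0/24")]

PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
PPTP_CONTROL_PORT = 1723          # PPTP control channel (TCP); the data path is GRE
IKE_PORTS = {500, 4500}           # IKE and IKE/ESP NAT traversal (UDP)


@dataclass
class Flow:
    src: str
    dst: str
    proto: int               # IP protocol number
    dport: Optional[int]     # transport port; None for GRE and ESP


def classify(flow: Flow) -> Optional[str]:
    """Label a flow as 'pptp', 'ipsec' or None (not a VPN tunnel)."""
    if flow.proto == PROTO_GRE or (flow.proto == PROTO_TCP and flow.dport == PPTP_CONTROL_PORT):
        return "pptp"
    if flow.proto == PROTO_ESP or (flow.proto == PROTO_UDP and flow.dport in IKE_PORTS):
        return "ipsec"
    return None


def from_dhcp_socket(src: str) -> bool:
    """True when the source address lies in one of the (constructed) DHCP pools."""
    addr = ipaddress.ip_address(src)
    return any(addr in pool for pool in DHCP_POOLS)


def verdict(flow: Flow) -> str:
    """Apply the policy: PPTP/GRE from any socket, IPsec only from DHCP sockets."""
    kind = classify(flow)
    if kind is None:
        return "not-vpn"
    if kind == "pptp":
        return "allow"
    return "allow" if from_dhcp_socket(flow.src) else "deny"


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record, e.g.
    'src=192.0.2.20 dst=203.0.113.5 proto=17 dport=4500'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    dport = fields.get("dport")
    return Flow(fields["src"], fields["dst"], int(fields["proto"]),
                int(dport) if dport is not None else None)


# Constructed sample export, outbound direction only
SAMPLE_FLOWS = [
    "src=198.51.100.10 dst=203.0.113.5 proto=6 dport=1723",   # PPTP control, fixed socket
    "src=198.51.100.10 dst=203.0.113.5 proto=47",             # GRE data, fixed socket
    "src=198.51.100.10 dst=203.0.113.6 proto=17 dport=500",   # IKE from a fixed socket
    "src=192.0.2.20 dst=203.0.113.6 proto=17 dport=4500",     # IKE NAT-T from a DHCP socket
    "src=192.0.2.20 dst=203.0.113.6 proto=50",                # ESP from a DHCP socket
    "src=192.0.2.20 dst=203.0.113.7 proto=6 dport=443",       # ordinary HTTPS, not a tunnel
]


def audit(lines):
    """Return [(src, dst, verdict)] for every record in order."""
    return [(f.src, f.dst, verdict(f)) for f in map(parse_flow, lines)]


if __name__ == "__main__":
    for src, dst, v in audit(SAMPLE_FLOWS):
        print(f"{src:>15} -> {dst:<14} {v}")
```

Matching on port numbers and IP protocols is only a first-pass check: a PPTP or IKE negotiation that never completes still produces these flows, and IPsec clients that tunnel over other ports (or any VPN over TLS on 443) will not be caught by it, which is part of why the firewall cannot "fully support" IPsec in the sense used above.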

Overlay network clients (e.g. Tor) are only permitted if they are not running exit nodes, as they would otherwise expose CERN internal resources.
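Whether a Tor installation is a plain client, a non-exit relay or an exit node is decided by a handful of `torrc` options: a relay needs an `ORPort`, `ExitRelay 1` makes it an exit, `ExitRelay 0` forbids that, and an `ExitPolicy` with any `accept` rule permits exit traffic. The check below is an added example, not CERN or Tor Project code; it parses a `torrc` and reports which of those cases applies, so an administrator can confirm a host complies with the rule above. The sample configurations are constructed, and the assumption that the last occurrence of a single-valued option wins is marked in the code.

```python
import re

# Constructed torrc samples (not taken from any real host)
CLIENT_ONLY = """
SocksPort 9050
"""
EXIT_RELAY = """
ORPort 9001
Nickname example   # constructed nickname
ExitRelay 1
ExitPolicy accept *:80, accept *:443, reject *:*
"""
NON_EXIT = """
ORPort 9001
ExitRelay 0
"""
AMBIGUOUS = """
ORPort 9001
ExitPolicy accept *:*
"""


def parse_torrc(text):
    """Return {option_name_lowercased: [values in file order]}.

    torrc option names are case-insensitive and '#' starts a comment.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, []).append(value)
    return opts


def exit_node_status(text):
    """Classify a torrc as 'client', 'relay', 'exit' or 'exit-ambiguous'."""
    opts = parse_torrc(text)
    if "orport" not in opts:
        return "client"            # without an ORPort Tor never relays for others
    # Assumption: for a single-valued option the last occurrence wins.
    exit_relay = opts.get("exitrelay", ["auto"])[-1].lower()
    policies = opts.get("exitpolicy", [])
    # 'accept' or 'accept6' anywhere in the policy list permits exit traffic.
    allows_exit = any(re.search(r"\baccept6?\b", p) for p in policies)
    if exit_relay == "1":
        return "exit"
    if exit_relay == "0":
        return "relay"
    # ExitRelay left at 'auto' with an accepting policy: how Tor treats this
    # depends on the Tor version, so flag it for a human to review.
    return "exit-ambiguous" if allows_exit else "relay"


if __name__ == "__main__":
    for name, cfg in [("client", CLIENT_ONLY), ("exit", EXIT_RELAY),
                      ("non-exit", NON_EXIT), ("ambiguous", AMBIGUOUS)]:
        print(f"{name:<10} -> {exit_node_status(cfg)}")
```

Anything other than `client` or `relay` is a policy violation on a CERN host; in practice the file to inspect is the running daemon's configuration (for a packaged Tor typically `/etc/tor/torrc`, though the path is installation-specific), and options given on the command line would need to be checked as well.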

In particular, Hola 'Unblocker' / Hola 'Better Internet' / Hola 'VPN' are explicitly prohibited: Hola operates a peer-to-peer VPN service, allowing other people to access the Internet through your Internet connection. The Hola Unblocker Windows client, Firefox addon, Chrome extension and Android application have been found to contain multiple vulnerabilities which allow a remote or local attacker to gain code execution and potentially escalate privileges on a user's system. Additional design flaws allow a Hola user to be tracked across the internet via a persistent ID. Furthermore, as Hola users - wittingly or otherwise - act as exit nodes for the overlay network, each is capable of acting as a Man-in-the-Middle for other users of the free or premium Hola network, or of its commercial 'bandwidth' service, Luminati, thereby compromising the privacy and anonymity of their browsing and exposing them to further attacks.