Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

The choice of proxy/VPN/traffic encapsulation strategy is primarily a trade-off between
a) more reliable/dynamic VPN IP protocols and implementations
b) firewall negotiation.
E.g., a TCP tunnel could hang or be lost, after which all traffic from the client is blocked or dropped until
the tunnel is re-established, versus a firewall that only allows TCP port 80 traffic.
Assumption:
Avoiding firewall show-stopping issues is more important than tunnel reliability for our
sponsor.
1. Application Layer/User Space Tunnel
Pro: an unencrypted TCP port 80 tunnel shouldn't raise too many flags, and avoids many VPN
FW issues between the FT and the proxy server.
Options: TCP is not the sole tunnel transport option among application layer/user space tunnel
applications; it is merely the best option for getting through a firewall without manual testing or
punching a pinhole.
2. Multi channel / Non TCP based VPN tunnels
Con: VPN kernel support is likely limited on some FTs and may require a significant amount of
image space.
IPSEC requires a pre-shared key, a cert, or RADIUS server auth.
PPTP sends a regular PPP session with GRE and requires two network sessions:
“The system uses TCP (i.e., port 1723) to send the PPTP control channel packets. On the data
channel, PPTP uses a protocol called Generic Routing Encapsulation (GRE—IP protocol
number 47) to securely encapsulate the Point-to-Point Protocol (PPP) packets in an IP packet.”
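
From the monitoring side, the two transport families above leave different traces in flow data. The following is an added example, not part of the original document: it pairs PPTP's TCP/1723 control channel with its GRE data channel and flags TCP/80 flows whose first bytes are not an HTTP request. The record fields, function names and sample addresses are assumptions, and the port-80 check assumes the tunnel does not use HTTP framing, which the document does not state.

```python
from collections import defaultdict

TCP, GRE = 6, 47            # IP protocol numbers
PPTP_CONTROL_PORT = 1723    # PPTP control channel, per the quoted text
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")

def looks_like_http(first_bytes: bytes) -> bool:
    """True if the first payload bytes start with an HTTP request method."""
    return first_bytes.startswith(HTTP_METHODS)

def classify(flows):
    """Return {(src, dst): set of findings} for a list of flow records."""
    findings = defaultdict(set)
    pptp_channels = defaultdict(set)
    for f in flows:
        pair = (f["src"], f["dst"])
        if f["proto"] == TCP and f.get("dport") == PPTP_CONTROL_PORT:
            pptp_channels[pair].add("control")
        elif f["proto"] == GRE:
            pptp_channels[pair].add("data")
        elif f["proto"] == TCP and f.get("dport") == 80:
            if not looks_like_http(f.get("payload", b"")):
                findings[pair].add("non-HTTP payload on TCP/80")
    # PPTP needs both sessions between the same pair of hosts.
    for pair, seen in pptp_channels.items():
        if seen == {"control", "data"}:
            findings[pair].add("PPTP session (TCP/1723 + GRE)")
        elif seen == {"control"}:
            findings[pair].add("PPTP control channel only (no GRE seen)")
    return dict(findings)

# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": TCP, "dport": 80,
     "payload": b"\x01\x00\x2a\x00raw-stream"},
    {"src": "192.0.2.11", "dst": "198.51.100.5", "proto": TCP, "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n"},
    {"src": "192.0.2.12", "dst": "198.51.100.6", "proto": TCP, "dport": 1723},
    {"src": "192.0.2.12", "dst": "198.51.100.6", "proto": GRE},
    {"src": "192.0.2.13", "dst": "198.51.100.6", "proto": TCP, "dport": 1723},
]

if __name__ == "__main__":
    for pair, notes in classify(SAMPLE_FLOWS).items():
        print(pair, sorted(notes))
```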
