Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
The choice of which proxy/VPN/traffic encapsulation strategy to use is primarily a trade-off
between
a) more reliable/dynamic VPN IP protocols and implementations
b) firewall negotiation.
E.g., a TCP tunnel could hang or be lost, and then all traffic from the client is blocked or dropped until
the tunnel is re-established, vs. a firewall only allowing TCP port 80 traffic.
Assumption:
Avoiding show-stopping firewall issues is more important than tunnel reliability for our
sponsor.
1. Application Layer/User Space Tunnel
Pro: an unencrypted TCP port 80 tunnel shouldn't raise too many flags, and avoids many VPN
FW issues between the FT and the proxy server.
Options: TCP is not the sole tunnel transport option among application layer/user space tunnel
applications; it is merely the best option for getting through a firewall without manual testing or
punching a pinhole.
2. Multi-channel / non-TCP-based VPN tunnels
Con: VPN kernel support is likely limited on some FTs and may require a significant amount of
image space.
IPSEC – requires pre-shared key or cert, or RADIUS server auth
PPTP – sends regular PPP session with GRE, requires two network sessions
“The system uses TCP (i.e., port 1723) to send the PPTP control channel packets. On the data
channel, PPTP uses a protocol called Generic Routing Encapsulation (GRE—IP protocol
number 47) to securely encapsulate the Point-to-Point Protocol (PPP) packets in an IP packet.”
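
The PPTP passage quoted above shows why this option fares badly under the firewall constraint: the tunnel needs a TCP 1723 control session and a separate GRE (IP protocol 47) data session between the same hosts. As an added example (not part of the original document), this Python code classifies raw IPv4 packets into those two channels per host pair, the same check a network monitor would use to recognise PPTP. The helper names, addresses and packets are constructed for illustration, and the magic cookie and GRE protocol-type constants come from RFC 2637, not from the page.

```python
import struct
from collections import defaultdict

PPTP_PORT, TCP_PROTO, GRE_PROTO = 1723, 6, 47
PPTP_COOKIE = 0x1A2B3C4D  # magic cookie at offset 4 of each PPTP control message (RFC 2637)
PPP_IN_GRE = 0x880B       # protocol type in PPTP's enhanced GRE header (version 1)

def classify(pkt: bytes):
    """Return (host_pair, channel); channel is 'control', 'data' or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, None
    body = pkt[(pkt[0] & 0x0F) * 4:]          # skip the IPv4 header (IHL words)
    pair = frozenset((pkt[12:16], pkt[16:20]))
    if pkt[9] == GRE_PROTO and len(body) >= 4:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        if flags_ver & 0x7 == 1 and ptype == PPP_IN_GRE:
            return pair, "data"
    elif pkt[9] == TCP_PROTO and len(body) >= 20:
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[(body[12] >> 4) * 4:]  # skip the TCP header (data offset)
        if PPTP_PORT in (sport, dport) and len(payload) >= 8 \
                and struct.unpack("!I", payload[4:8])[0] == PPTP_COOKIE:
            return pair, "control"
    return pair, None

def pptp_sessions(packets):
    """Map each host pair to the set of PPTP channels observed between them."""
    seen = defaultdict(set)
    for pkt in packets:
        pair, channel = classify(pkt)
        if channel:
            seen[pair].add(channel)
    return dict(seen)

def ipv4(src, dst, proto, body):
    """Build a minimal IPv4 packet for the constructed sample (checksum zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + body

def tcp(sport, dport, payload):
    """Build a minimal 20-byte TCP header (PSH+ACK) followed by the payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 1024, 0, 0) + payload

# Constructed sample: documentation addresses and hand-built packets, not captured traffic.
CLIENT, VPN, WEB = (192, 0, 2, 10), (198, 51, 100, 5), (203, 0, 113, 80)
SAMPLE = [
    ipv4(CLIENT, VPN, TCP_PROTO, tcp(40000, 1723, struct.pack("!HHI", 156, 1, PPTP_COOKIE) + bytes(148))),
    ipv4(CLIENT, VPN, GRE_PROTO, struct.pack("!HHHHI", 0x3001, PPP_IN_GRE, 4, 7, 1) + b"\xff\x03\xc0\x21"),
    ipv4(CLIENT, WEB, TCP_PROTO, tcp(40001, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")),
]
```

Calling `pptp_sessions(SAMPLE)` reports both channels for the client/VPN pair and nothing for the port 80 flow; a host pair showing only `control` is what a firewall that drops IP protocol 47 would produce.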