At 08:46 PM 11/08/2001 -0500, Mark Medici wrote:
>From what I've found so far, it seems that the AOL client program, when
>installed, also installs something called the AOL Network Adapter.  I've
>seen this on some client machines, and always wondered what it was
>doing.  Now I realize that it is used to establish a sort of VPN between
>the client and AOL's host networks.


Actually, version 6.0 and 7.0 install *3* network adapters:  a dial-up 
adapter, a VPN adapter for the dial-up, and an AOL WAN adapter.  The 
software re-installs all of these each time you run it, and uses whichever 
adapters are needed to create an L2TP tunnel when it tries to connect.

>   a.) Is there anyway to use AOL without opening a tunnel for unknown
>       and unmonitored external traffic?  I.e., are all the features of
>       AOL (e-mail, AOL-only content, etc...) available using only a
>       web browser?

Not sure what you mean by 'unknown and unmonitored' external traffic, but 
here's what happens:

When you connect to AOL, it first opens either the dial-up adapter, or the 
AOL WAN adapter, and connects to a remote machine (by phone number or 
IP).  Either way, the adapter that's in use is assigned an AOL IP 
address.  If you connected via the Internet, this means you now have two 
local IPs.  Next, AOL creates a VPN tunnel between your local AOL IP 
address and a remote AOL IP address, using the VPN adapter it installs.  It 
lastly installs routing table entries to direct all traffic on the AOL 
network (which includes multiple disparate subnets) out through the AOL 
adapter.  Initially this includes only those machines needed to log in and 
get AOL content, but I have also observed it adding routes to *other AOL 
clients* to force them to pass through the AOL network.  (Though it defies 
all logic, I've actually seen this make connections SLOWER than if they 
went out via my ISP, then into the AOL network to the client.  Go figure.)

That's the long answer.  The short answer is, no.  You must use an AOL 
client, and all recent AOL clients (5.0 onward) use this VPN structure to 
access their content.  SOME of their content (e-mail, some 
intentionally web-based content, and IMs) is available other ways, but 
much of the AOL-specific content is not.

>   b.) Am I correct in believing that only the AOL client poses a risk,
>       or does the AIM instant messenger client also pose a risk?  I

This would be correct.  AIM doesn't do anything like what the AOL client 
does.  It simply makes TCP connections to an AIM server, which I presume 
has its own internal connection into the AOL network.

>   c.) The CERT/CC report says it has documented incidents of CodeRed
>       and Nimda propagating through AOL's VPN tunnel.  I assume that
>       this happened via http, but what other ports are open between
>       users (or are they ALL open!)?

AOL doesn't explicitly open any ports just by running and creating the 
VPN.  The CERT issue is more likely the fact that any AOL client on the 
network can be considered "local" by personal firewalls like ZoneAlarm, 
etc.  The AOL VPN gives people on completely disparate ISPs 'local' access 
to each other's systems.


>I'm not entirely assured by the fact that Tyler couldn't access shares
>across the AOL-VPN.  I expect that AOL unbinds file and printer sharing
>from the AOL Network Adapter, and hopefully blocks them with a firewall

I have a few dozen copies of AOL 6/7 lying around on my machine at home, 
and I don't remember having to explicitly do this, so I believe you are 
correct.  However, I'm curious as to whether Tyler was trying AOL <-> AOL 
file sharing, since the only traffic that would go out the AOL adapters 
would be for AOL network addresses.

--K
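The mechanism K describes above (the client adds a second local IP and a VPN adapter, pushes routes for the provider's subnets and for other clients through the tunnel, and a subnet-based personal firewall then treats those remote peers as "local") can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from any AOL software. All adapter names, addresses and routes are constructed from documentation and private ranges and are not real AOL addressing; the "trusted adapters" parameter is a hypothetical illustration of the mitigation (a firewall that only trusts subnets on explicitly named interfaces rather than every attached subnet).

```python
"""Model of how a host routing table and a subnet-based 'local zone' interact
when a dial-up/VPN client adds adapters and routes. All addresses below are
constructed documentation/private ranges, not real AOL addressing."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Adapter:
    name: str
    address: str  # interface address with prefix length, e.g. "198.51.100.23/24"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR prefix, e.g. "10.42.0.0/16" or "0.0.0.0/0"
    adapter: str      # name of the adapter the traffic leaves through


def select_route(dest: str, routes: list) -> Optional[Route]:
    """Longest-prefix match over the routing table, as a host would do."""
    ip = ipaddress.ip_address(dest)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def zone_for_peer(peer: str, adapters: list, trusted: Optional[set] = None) -> str:
    """Classify a peer the way a subnet-based personal firewall would:
    'local' if it lies on a directly attached subnet, otherwise 'internet'.
    If `trusted` (hypothetical mitigation) is given, only subnets on those
    adapters count as local, so the VPN adapter is treated as untrusted."""
    ip = ipaddress.ip_address(peer)
    for a in adapters:
        if trusted is not None and a.name not in trusted:
            continue
        if ip in a.network:
            return f"local via {a.name}"
    return "internet"


# Constructed starting state: one ISP-facing Ethernet adapter and a default route.
ETH = Adapter("Ethernet", "198.51.100.23/24")
BASE_ADAPTERS = [ETH]
BASE_ROUTES = [Route("0.0.0.0/0", "Ethernet")]

# Constructed state after the client connects: a WAN adapter (second local IP),
# a VPN adapter on the provider's internal range, and routes pushing the
# provider's subnets and another client's host route through the tunnel.
AOL_WAN = Adapter("AOL WAN", "192.0.2.45/24")
AOL_VPN = Adapter("AOL VPN", "10.42.7.19/16")
VPN_ADAPTERS = [ETH, AOL_WAN, AOL_VPN]
VPN_ROUTES = BASE_ROUTES + [
    Route("10.42.0.0/16", "AOL VPN"),      # provider network, via the tunnel
    Route("203.0.113.88/32", "AOL VPN"),   # another client, forced via the tunnel
]


def exposure(peer: str, adapters: list, routes: list,
             trusted: Optional[set] = None) -> dict:
    """Report where traffic to `peer` leaves and how the firewall zone classifies it."""
    r = select_route(peer, routes)
    return {
        "egress": r.adapter if r else None,
        "zone": zone_for_peer(peer, adapters, trusted),
    }


if __name__ == "__main__":
    other_client = "10.42.9.3"  # constructed: another subscriber's tunnel address
    print("before connect:", exposure(other_client, BASE_ADAPTERS, BASE_ROUTES))
    print("after connect: ", exposure(other_client, VPN_ADAPTERS, VPN_ROUTES))
    print("hardened:      ", exposure(other_client, VPN_ADAPTERS, VPN_ROUTES,
                                      trusted={"Ethernet"}))
```

Running it shows the three states in order: before the client connects the other subscriber is an ordinary Internet host reached via the default route; after it connects the same peer is routed out the VPN adapter and, because it now sits on a directly attached subnet, a subnet-only zone check calls it "local"; with the trusted-adapter restriction the route is unchanged but the zone goes back to "internet", which is the property a personal firewall needs to keep share and RPC rules from opening up to every other subscriber.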
