Why you should block AOL Client on a corporate network

Created: 2002-11-23 Lawrence Baldwin
Modified: 2002-11-23

This article examines the architecture of AOL's client (NOT Instant Messenger) when used in TCP/IP mode from within a firewall (or NAT router) protected network.

In the above diagram, a small network is protected by a firewall or NAT (Network Address Translation) router. All Internal PCs are assigned private IP addresses (e.g. 192.168.1.100) and access the Internet via a single shared public IP address (e.g. 205.152.1.1).

This setup provides significant protection against many Internet threats as all unsolicited traffic which is targeted at the shared public IP is blocked by the firewall/NAT. For example, an attacker attempts to connect to a Windows file share or the Sub-Seven trojan by sending connection attempts to 205.152.1.1...all such attempts will be blocked and discarded.

All is good...until....

Sally Secretary finds it essential to check her AOL e-mail from work so she installs the AOL access client on her PC (192.168.1.100) and configures it in TCP/IP mode so she can have the added bonus of using the companies ultra-fast connection to access AOL.

Sally has no appreciation for the significance of her actions as she enters her username and password on the AOL login screen and clicks "OK".

Behind the scenes, the AOL client creates a VPN-like (Virtual Private Network) tunnel to one of AOLs gateways. This tunnel consists of a client-initiated TCP connection to port 5190 on the AOL gateway. The AOL "adapter" (a special virtual network interface) is now assigned a second IP address from AOLs network ranges...and here is the critical issue...it's a public IP address (e.g. 172.155.112.173) which is directly accessible by ALL Internet users.

Now let's see how our corporate firewall protects Sally's PC when her new AOL IP address is attacked:

• Attacker sends probe to 172.155.112.173 from their PC
• Probe is routed through Internet until it reaches AOLs "VPN" Gateway (berp-ch06.dial.aol.com in this case)
• AOL *encapsulates* the probe inside it's VPN tunnel and sends probe to user on TCP/5190 connection
• Firewall receives encapsulated probe, forwards packet to Sally's PC because it only cares that this packet is associated with a valid, client-initiated connection (on TCP/5190).
• The AOL VPN client receives the packet, strips off VPN headers and delivers the probe to the operating system
• If Sally's PC is vulnerable to the attack, it will then send response packets to the attacker, thus establishing two-way communication with the attacker, despite being protected by a firewall!
• An interesting side-note, is that the response traffic is routed as non-AOL traffic would be (e.g. it does NOT return through the AOL VPN)...the reason is the attacker is most likely NOT an AOL IP address so traffic will routed as normal non-AOL traffic..e.g. go directly back through the corporate firewall

Lessons Learned:

• Unless there is a strong-business need for AOL access from a corporate network, it should be blocked by disallowing any outbound connections to tcp port 5190.
• If AOL support is essential (e.g. file exchange with customers, etc..), all PCs using the AOL client should be protected with an end-point personal firewall (e.g. like Zone Alarm, etc..).