Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions ... more info


From: Jim Miller <MillerJ () FABSSB COM>
Date: Tue, 31 Oct 2000 14:08:24 -0600

> One of us is confused here.  IMO, a VPN is not related to
> authentication.

Please refer to the document I provided the link to:
http://www.microsoft.com/NTServer/commserv/deployment/planguides/VPNSecurity.asp
page 6 where it states, "MS-CHAPS is an authentication mechanism" and "recent developments with MS VPN technology 
include MS-CHAPS".  No confusion here.  Maybe at Microsoft.

> Having the application and the process used to protect access to it
> (the CA) on the same machine is possibly the most foolish thing I
> can think of in this situation.  I would have them on separate
> machines with a firewall between them, but I'm paranoid.

Good point.  I wanted to tell my client that it was a mistake, but was worn out by speculation about the previous 
exposures that had been enumerated to me, and didn't want to have to argue another.

> Am I the only one who thinks certificate use without the presence
> of a trusted third party in such an application as this is a bad
> solution?

Why should I pay a 3rd party to issue certificates when I can do it myself?  I need to trust my client; the client does 
not need to trust me.  I just need to know that it is really the customer who wants to move money.

> Personally, I don't like PPTP as a VPN solution.  It's yucky.  But in
> any event, the protection of the data in transit is quite different
> than the means to authenticate access.  So the real question here is
> "Do I use CHAP/MS/Certificate authentication or do I use just
> certificate based authentication."  The only addition that PPTP provides
> is that tunnel, and for tunneling I say you can't beat IPSec.

Refer to the same MS document above, on page 11, in a chapter called "Tunneling with L2TP", where it states that 
"IPSec enables server to server tunneling ... rather than being used for client-server tunneling."  Doesn't look like 
the white paper was written by marketing people, so I'll take their word for it.

> I also agree, open is open.

Thank you.  If there is anything I hate worse than being smoked, it's someone who should know better trying to smoke 
me, and thinking they got away with it.

And in my best Racehorse Haines imitation, "I don't get billable hours!".

Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas   77805-8100
979/361-6515
801/835-5546
millerj () fabssb com
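The position taken in the message above, that the bank can run its own CA because only the bank needs to trust the customer's certificate, can be walked through end to end with openssl. The script below is an added example, not code from the original message or from the Microsoft paper it cites. It assumes an `openssl` binary (1.1 or 3.x) on PATH, and every name in it (the CA subject, `customer-0001`, the request text) is hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post: a bank-operated private CA
# issues a customer certificate, then the bank verifies a request the
# customer signed. Assumes `openssl` on PATH; all names are hypothetical.

private_ca_demo() {
  work=$(mktemp -d) || return 1
  result=1
  if (
    cd "$work" &&
    # 1. The bank's own self-signed CA. This is the only trust anchor the
    #    bank consults; no third-party root is involved anywhere.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=Example Bank Private CA" -keyout ca.key -out ca.crt \
      >/dev/null 2>&1 &&
    # 2. The customer generates a key pair and a CSR; the bank signs it.
    #    The customer's private key never leaves the customer.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=customer-0001" \
      -keyout client.key -out client.csr >/dev/null 2>&1 &&
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -days 90 -out client.crt >/dev/null 2>&1 &&
    # 3. A (constructed) money-movement request, signed by the customer.
    printf 'transfer 1000 from 123 to 456\n' > request.txt &&
    openssl dgst -sha256 -sign client.key -out request.sig request.txt &&
    # 4. The bank checks (a) the certificate chains to ITS CA and
    #    (b) the signature over the request verifies under that cert.
    openssl verify -CAfile ca.crt client.crt >/dev/null 2>&1 &&
    openssl x509 -in client.crt -pubkey -noout > client.pub &&
    openssl dgst -sha256 -verify client.pub -signature request.sig \
      request.txt >/dev/null 2>&1 &&
    # 5. Negative check: a self-signed certificate carrying the same CN
    #    is not issued by the bank's CA and must be rejected.
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
      -subj "/CN=customer-0001" -keyout rogue.key -out rogue.crt \
      >/dev/null 2>&1 &&
    ! openssl verify -CAfile ca.crt rogue.crt >/dev/null 2>&1 &&
    # 6. Negative check: altering the amount invalidates the signature.
    printf 'transfer 9999 from 123 to 456\n' > tampered.txt &&
    ! openssl dgst -sha256 -verify client.pub -signature request.sig \
      tampered.txt >/dev/null 2>&1
  ); then result=0; fi
  rm -rf "$work"
  return "$result"
}

# Stand-alone run: prints one line and exits 0 when all six steps hold.
private_ca_demo && echo "private CA demo: issue, verify, reject rogue, reject tampered: all passed"
```

Steps 4 and 5 are the point of the message's argument: trust flows one way, from the bank to a certificate the bank itself issued, so a commercial CA adds nothing to this check. What the design does depend on is the customer keeping `client.key` private and the bank having a way to stop honouring a certificate once that key is suspected lost, which the script does not cover.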

