Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions are solicited ...


From: krisk <krisk () medshoppeintl com>
Date: Tue, 31 Oct 2000 07:14:00 -0600

The sessions will be protected from Net snooping by SSL's 132 bit
encryption, "as strong as IP tunnelling".

As long as ALL traffic is encrypted with at least 128 bit, which it appears
it is... how is another VPN solution going to be better?

I have recommended using VPN, now readily available in Win2000,
but have been rejected.  "A support nightmare." was the reason given.
What do you think of the security schema planned?
What schema would you use?
What do you think of the reason given for not using VPN?

By VPN here, it seems you are talking about a hardware (router) based VPN
solution? Or perhaps Win2K IPSEC? I personally prefer an end-to-end solution
provided with the SSL and certificate. Citrix MetaFrame and NFuse also offer
an end-to-end VPN-type solution similar to this. A router or hardware based
VPN would still permit sniffing of traffic on the inside of the VPN device.
Maybe a stretch, but maybe not so much considering the number of people now
on home networks with multiple computers, including separate ones for their
kids. Hey, let's just hack junior's computer and sniff the traffic from
there! Not to mention, as they say, a hardware-requirement VPN would be a
support nightmare; maybe even Win2K IPSEC is still a little out of reach
for the general masses.

Unless you have a MUCH better encryption algorithm to use than the one
provided with the SSL and certificate, I'd say you are pretty much
accomplishing the same thing: encryption, authentication, and
non-repudiation. So what more is your "other" VPN going to provide, or
provide better?

Are you using your own certificate server, or are you going to be at the
mercy of a "generic" certificate authority and put all your data at risk
with them? Are their hiring practices and "best security practices" as
strict as yours? Can you test and verify them regularly? If using your own
certificate server, have you taken the "root" server offline? Are the
issuing servers protected adequately with network and host based IDS? Those
are the areas where I would be concerned.

While it may be possible for someone to still grab the certificate from the
client computer, which I'm guessing is what you are concerned about, I
haven't been able to do that yet. One of the worst things to protect against
would be a trojaned client, maybe with something like BO or other remote
access capabilities. Are your applications protected against the client
saving their passwords in the IE cache, where they can be easily stolen and
used? I know a MetaFrame client app can be prevented from saving its
passwords locally. Well, just a couple more thoughts for you to ponder...
Enjoy!

Kris Kistler
MCSE, MCP+I, GSEC, CCNA, CNA, CCA, A+
WAN Communications / Security Administrator
St. Louis, MO
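The thread takes the "at least 128 bit" SSL claim on trust. The script below is an added example, not part of this thread or written by either poster: it uses only the Python standard library to enumerate every cipher suite the local TLS stack would negotiate under a given OpenSSL cipher policy string, reports the weakest, and checks a live connection the same way. The 128-bit threshold, the policy strings and the function names are assumptions chosen for illustration.

```python
"""Audit a TLS cipher policy against a minimum key-strength claim.

Added example for the thread above (not the posters' code).  The policy
strings and the 128-bit bar are illustrative assumptions.  Uses only the
standard library, so it runs offline against the local OpenSSL build.
"""
import ssl

MIN_BITS = 128  # the figure asserted in the thread; an assumed threshold


def enabled_suites(cipher_spec):
    """Return (name, protocol, strength_bits) for every suite the policy allows.

    `cipher_spec` is an OpenSSL cipher string such as "HIGH:!aNULL:!eNULL".
    TLS 1.3 suites are always enabled by OpenSSL and appear in the list too.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_spec)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def is_strong(suite, min_bits=MIN_BITS):
    """A suite passes only if its effective symmetric strength meets the bar."""
    _name, _protocol, bits = suite
    return bits >= min_bits


def audit_policy(cipher_spec, min_bits=MIN_BITS):
    """Describe what a cipher policy actually permits.

    Returns the number of enabled suites, the weakest one, every suite that
    falls below `min_bits`, and whether the "at least N bit" claim holds for
    the whole policy (it only holds if no enabled suite is below the bar).
    """
    suites = enabled_suites(cipher_spec)
    weak = [s for s in suites if not is_strong(s, min_bits)]
    weakest = min(suites, key=lambda s: s[2]) if suites else None
    return {
        "count": len(suites),
        "weakest": weakest,
        "weak": weak,
        "meets_claim": bool(suites) and not weak,
    }


def audit_connection(ssock, min_bits=MIN_BITS):
    """Check one live session: `ssock` is an ssl.SSLSocket after the handshake.

    ssock.cipher() returns (name, protocol, secret_bits), the same shape as
    the tuples produced by enabled_suites(), so the same check applies.
    """
    suite = ssock.cipher()
    return {"suite": suite, "meets_claim": is_strong(suite, min_bits)}


if __name__ == "__main__":
    # Illustrative policy (an assumption): strong suites only, no anonymous
    # key exchange, no NULL encryption, no 3DES.
    report = audit_policy("HIGH:!aNULL:!eNULL:!3DES")
    print("suites enabled:", report["count"])
    print("weakest suite: ", report["weakest"])
    print("meets claim:   ", report["meets_claim"])
    for suite in report["weak"]:
        print("BELOW BAR:", suite)
```

To check a real server, wrap a connected socket with `ssl.create_default_context().wrap_socket(sock, server_hostname=host)` and pass the result to `audit_connection`. Note that a key-length number alone is a weak test: the tuple also carries the protocol, and a suite that reports 128 bits on SSLv3 or an obsolete stream cipher should still be rejected, so in practice combine this check with a minimum protocol version.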

