Penetration Testing mailing list archives
Re: [PEN-TEST] Your opinions are solicited ...
From: krisk <krisk () medshoppeintl com>
Date: Tue, 31 Oct 2000 07:14:00 -0600
> The sessions will be protected from Net snooping by SSL's 132 bit encryption, "as strong as IP tunnelling".

As long as ALL traffic is encrypted with at least 128 bit, which it appears it is... how is another VPN solution going to be better?

> I have recommended using VPN, now readily available in Win2000, but have been rejected. "A support nightmare." was the reason given. What do you think of the security schema planned? What schema would you use? What do you think of the reason given for not using VPN?
By VPN here, it seems you are talking about a hardware (router) based VPN solution, or perhaps Win2K IPSEC? I personally prefer an end-to-end solution provided with the SSL and certificate. Citrix MetaFrame and NFuse also offer an end-to-end VPN type solution similar to this. A router or hardware based VPN would still permit sniffing of traffic on the inside of the VPN device. Maybe a stretch, but maybe not so much considering the number of people now on home networks with multiple computers, including separate ones for their kids. Hey, let's just hack junior's computer and sniff the traffic from there! Not to mention, as they say, a VPN with a hardware requirement would be a support nightmare; maybe even Win2K IPSEC is still a little out of reach for the general masses.

Unless you have a MUCH better encryption algorithm to use than the one provided with the SSL and certificate, I'd say you are pretty much accomplishing the same thing: encryption, authentication, and non-repudiation. So what more is your "other" VPN going to provide, or provide better?

Are you using your own certificate server, or are you going to be at the mercy of a "generic" certificate authority and put all your data at risk with them? Are their hiring practices and "best security practices" as strict as yours? Can you test and verify them regularly? If using your own certificate server, have you taken the "root" server offline? Are the issuing servers protected adequately with network and host based IDS? Those are the areas where I would be concerned.

While it may be possible for someone to still grab the certificate from the client computer, which I'm guessing is what you are concerned about, I haven't been able to do that yet. One of the worst things to protect against would be a trojaned client, maybe with something like BO or other remote access capabilities. Are your applications protected against the client saving their passwords in the IE cache, where they can be easily stolen and used? I know a MetaFrame client app can be prevented from saving their passwords locally.

Well, just a couple more thoughts for you to ponder... Enjoy!

Kris Kistler
MCSE, MCP+I, GSEC, CCNA, CNA, CCA, A+
WAN Communications / Security Administrator
St. Louis, MO
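The reply above asks whether the site runs its own certificate server, whether the root has been taken offline, and what happens if clients are left trusting some "generic" authority. The script below is an added example, not code from the original post or from any product mentioned in it: it builds the two-tier hierarchy that those questions imply with the openssl CLI (a root that signs only the issuing CA and can then be kept offline, an issuing CA that signs server certificates), then checks that a server cert from a CA the clients never trusted is rejected and that a server cert cannot be misused to mint further certificates. All names (Example Corp, app.example.com, "Rogue CA") and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): two-tier PKI with openssl.
# root (offline) -> issuing CA (online, pathlen:0) -> server certificate.
# Names and subjects are constructed for illustration.
set -eu

# Extension profiles. pathlen:0 on the issuing CA means nothing it signs
# may itself act as a CA; CA:FALSE on the leaf says the same for the server.
write_profiles() {
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
                  'keyUsage = critical, keyCertSign, cRLSign' > root_ext.cnf
    printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
                  'keyUsage = critical, keyCertSign, cRLSign' > issuing_ext.cnf
    printf '%s\n' 'basicConstraints = CA:FALSE' \
                  'keyUsage = digitalSignature, keyEncipherment' \
                  'extendedKeyUsage = serverAuth' > leaf_ext.cnf
}

# self_signed NAME SUBJECT EXTFILE : key + self-signed cert (a root)
self_signed() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -sha256 \
        -extfile "$3" -out "$1.crt" 2>/dev/null
}

# issue NAME SUBJECT EXTFILE CA : key + cert for NAME signed by CA.key
issue() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$3" -out "$1.crt" 2>/dev/null
}

# The legitimate hierarchy. After this, root.key is the only thing that needs
# to be on the offline box; issuing.key stays on the (IDS-watched) issuing server.
build_pki() {
    write_profiles
    self_signed root "/CN=Example Corp Root CA" root_ext.cnf
    issue issuing "/CN=Example Corp Issuing CA" issuing_ext.cnf root
    issue app "/CN=app.example.com" leaf_ext.cnf issuing
}

# What an untrusted authority (or an attacker with his own CA) can produce:
# a perfectly valid-looking certificate for the same hostname.
build_rogue() {
    write_profiles
    self_signed rogue "/CN=Rogue CA" root_ext.cnf
    issue rogue_app "/CN=app.example.com" leaf_ext.cnf rogue
}

# verify_chain ROOT UNTRUSTED LEAF : 0 iff LEAF chains to ROOT via UNTRUSTED
# (UNTRUSTED may be a file holding several intermediate certs).
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Stand-alone demo in a scratch directory.
main() {
    cd "$(mktemp -d)"
    build_pki
    build_rogue
    verify_chain root.crt issuing.crt app.crt \
        && echo "app.crt chains to our root: OK"
    if verify_chain root.crt rogue.crt rogue_app.crt; then
        echo "BUG: rogue_app.crt accepted"
    else
        echo "rogue_app.crt rejected against our root: OK"
    fi
    # Even with a real chain, a server cert (CA:FALSE, under pathlen:0)
    # cannot be used to mint certificates that clients will accept.
    cat issuing.crt app.crt > chain.pem
    if issue sub "/CN=sub.example.com" leaf_ext.cnf app \
       && verify_chain root.crt chain.pem sub.crt; then
        echo "BUG: cert signed by a server cert accepted"
    else
        echo "cert signed by a server cert rejected: OK"
    fi
}

main
```

Clients that should only ever talk to this application get root.crt (and nothing else) as their trust anchor; a certificate from any other authority, however reputable, then fails exactly like rogue_app.crt above. The same `openssl verify` call is a cheap way to audit what a deployed client would accept before trusting it with credentials.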
Current thread:
- [PEN-TEST] Your opinions are solicited ... Jim Miller (Oct 31)
- Re: [PEN-TEST] Your opinions are solicited ... Thomas Reinke (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... van der Kooij, Hugo (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... krisk (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... L.W. (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Paul Robinson (Nov 01)
- <Possible follow-ups>
- Re: [PEN-TEST] Your opinions are solicited ... St. Clair, James (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Frank Knobbe (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Paul Robinson (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Deus, Attonbitus (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... L.W. (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Paul Robinson (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Shawn Davenport (Nov 01)
- [PEN-TEST] "Get out of Jail Free" Gary Warner (Nov 01)