Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions ... more info


From: Matthew Micene <matt () EXPRESSSEARCH COM>
Date: Tue, 31 Oct 2000 17:33:26 -0500

On Tuesday 31 October 2000 15:08, you wrote:
One of us is confused here.  IMO, a VPN is not related to
authentication.

Please refer to the document I provided the link to:
http://www.microsoft.com/NTServer/commserv/deployment/planguides/VPNSecurity.asp
page 6 where it states, "MS-CHAPS is an authentication mechanism"
and "recent developments with MS VPN technology include MS-CHAPS".  No
confusion here.  Maybe at Microsoft.

Having attempted to read the above document and failed (I get nothing
other than the Overview) I am going to weigh in on a few points that I
think are salient, and amount more to questions than answers perhaps.  I
fear this may land off target from the thread however.

First of all, both of the above statements are true.  Neither of them
relates to the other however.  The inclusion of CHAPS into the MS VPN
product has to do with the VPN authentication, as an alternative to PKI or
other authentication means.  What Drew meant, I think, was client
authentication.  VPNs are designed to create a secure, encrypted pipe
between two servers.  It has nothing (that I know of) to ensure that an
underlying application or particular user is authenticated.  There is the
implicit assumption that only authorized users have access to the VPN, but
I wouldn't bet the farm on that one.

Based on what has passed so far I have to ask what the aim of the project
is.  If you are talking about a server to server application for the
transference between banking institutions, then a VPN with its extra
hardware and software is not all that difficult to establish, and has the
advantage (danger?) of known entities on either side of a secure pipe for
the start of a transaction.

If, however, you are talking about a consumer level product, creating a
system based around a W2k VPN system is, well, suicide.  Client side
support for a home user attempting to set up a VPN and keep it running
would not be within the scope of most help desks at a bank, and the
assumption that most home users will be using W2k is forward-looking at
best.

In my opinion, and many opinions on precisely how to manage the
certificate system have been levied, it is possible to create a reasonably
secure cash management application which utilizes certificates.  Reliance
on certificates alone is problematic, even properly managed.  However, the
use of a VPN vs. certificate system seems to beg the question of scope and
business model as much as security implications.

Hmm, rambled a bit more than I meant, just my 2 cents
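The distinction the post draws, that a VPN authenticates the host on the other end of the pipe while the application still has to authenticate the user, can be made concrete in code. The following is an added illustration, not code from the list post or from any Microsoft product: a tunnel layer that proves a peer host's identity with a constructed challenge/response, and a separate application layer that refuses a cash-management transfer unless the user behind that host has also authenticated. Every host name, secret, account and user in it is constructed, and the challenge/response scheme is a generic keyed-hash stand-in, not MS-CHAP.

```python
"""Added illustration (not from the list post): a VPN tunnel authenticates the
peer *host*; a cash-management application still has to authenticate the
*user*.  All names, secrets and accounts here are constructed."""
from dataclasses import dataclass
from typing import List, Optional
import hashlib
import hmac
import secrets

# Constructed: hosts permitted to bring up a tunnel, keyed by host identity.
TUNNEL_PEERS = {"branch-gw-01": b"constructed-host-secret"}

# Constructed: application users with salted PBKDF2 password verifiers.
_SALT = b"constructed-salt"


def _verifier(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _verifier("alice-password")}


@dataclass(frozen=True)
class Tunnel:
    peer: str      # host identity proven at the tunnel layer
    session: str   # random tunnel session id


def tunnel_response(peer: str, challenge: bytes) -> bytes:
    """What the client host sends back: a keyed hash of the gateway's challenge."""
    return hmac.new(TUNNEL_PEERS[peer], challenge, "sha256").digest()


def open_tunnel(peer: str, challenge: bytes, response: bytes) -> Optional[Tunnel]:
    """Tunnel-layer host authentication (constructed challenge/response)."""
    secret = TUNNEL_PEERS.get(peer)
    if secret is None:
        return None
    expected = hmac.new(secret, challenge, "sha256").digest()
    if not hmac.compare_digest(expected, response):
        return None
    return Tunnel(peer=peer, session=secrets.token_hex(8))


def verify_user(user: str, password: str) -> bool:
    """Application-layer user authentication, independent of the tunnel."""
    stored = USERS.get(user)
    if stored is None:
        # Do the same work for unknown users so lookup failures are not timeable.
        _verifier(password)
        return False
    return hmac.compare_digest(stored, _verifier(password))


@dataclass(frozen=True)
class Transfer:
    from_acct: str
    to_acct: str
    amount: int


def process_transfer(tunnel: Optional[Tunnel], user: Optional[str],
                     password: Optional[str], transfer: Transfer) -> str:
    """Accept a transfer only when both layers have authenticated."""
    if tunnel is None:
        return "rejected: no authenticated tunnel"
    # The tunnel proves which host sent this, not which person or program.
    if user is None or password is None or not verify_user(user, password):
        return f"rejected: host {tunnel.peer} authenticated, user is not"
    return (f"accepted: {user}@{tunnel.peer} "
            f"{transfer.from_acct}->{transfer.to_acct} {transfer.amount}")


def demo() -> List[str]:
    """Run the four cases: bad tunnel, no user, wrong password, both layers good."""
    challenge = secrets.token_bytes(16)
    good = open_tunnel("branch-gw-01", challenge,
                       tunnel_response("branch-gw-01", challenge))
    bad = open_tunnel("branch-gw-01", challenge, b"\x00" * 32)
    t = Transfer("ACC-100", "ACC-200", 500)
    return [
        process_transfer(bad, "alice", "alice-password", t),
        process_transfer(good, None, None, t),
        process_transfer(good, "alice", "wrong-password", t),
        process_transfer(good, "alice", "alice-password", t),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second and third cases are the ones the post is warning about: the host has proven itself at the tunnel layer, yet the transfer is still refused because nothing at that layer says who is sitting at the keyboard. In a real deployment the application-layer check would be a proper credential store or certificate validation rather than an in-memory dictionary.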

