Security Basics mailing list archives

Re: RE: Securing eRIC express


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 4 Jan 2007 22:19:06 +0100

On 2007-01-03 barcajax () gmail com wrote:
> Connecting that server directly to the Internet is a big NO NO.

Why? If the server doesn't provide any services that don't need to be
publicly available I don't see what's wrong with directly connecting it.

> Btw is this the card you are referring to?
> http://www.techland.co.uk/index/eric
> According to this link, you can set up an encrypted channel using
> "HTTPS protocol or socket security layer SSL2.3".

More likely it's this one:

http://www.raritan.info/products/embedded_products/eric_express/prd_cms_index.aspx?currpg=prd_cms_index&name=eRIC%20express&content_category=1&overview_flag=Y&features_flag=Y&spec_flag=Y&support_flag=Y&status=4

> I suggest setting up a VPN tunnel to this site followed by HTTPS on top
> of that. Limit the number of login attempts to this box as well.

If I understand the OP correctly then setting up a VPN is something he
cannot do, because the server is hosted in a datacenter which he has no
control over. Besides, HTTPS (maybe with client certificates) should
suffice, unless his security requirements are unusually high for a
scenario that simple.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
