Educause Security Discussion mailing list archives
Re: iPad and access to university ERP
From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Wed, 21 Jul 2010 19:37:56 -0400
Dave Koontz wrote:
But, if they "force" VPN connections to access the RDP desktop session to begin with, you have the VPN security in front of the weaker MS RDP encryption. Seems safe enough to me.
The original post only says that VPN use is forced from off-campus. If this person is using RDP over the local wireless on-campus, then the 40-bit crypto could be all that's protecting the session if the wireless network doesn't require 802.1x. --Matt
On 7/21/2010 7:22 PM, Ullman, Catherine wrote:The 40-bit reference appears to be to the software itself, which is an add-on app that can be downloaded and installed from a third party. Note the line that says "40-bit encryption" is a limitation: http://www.mochasoft.dk/iphone_rdp_help/help.htm So yes, I'd say there is a distinct concern. -Cathy Catherine J. Ullman Information Security Analyst Information Security Office University at Buffalo cende () buffalo edu ________________________________________ From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian [bbasgen () PIMA EDU] Sent: Wednesday, July 21, 2010 7:13 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] iPad and access to university ERP Apple has an overview of security on the iPad here: http://images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf This is an interesting read: I didn't know, for example, that the iPad appears to have quasi FDE functionality: "256-bit AES encoding hardware-based encryption to protect all data on the device. Encryption is always enabled and cannot be disabled by users." The lowest algorithm I can see in the document is 3DES, which is typically implemented at either 112 or 168 bit strength. I don't see anything about 40-bit, but to the previous poster, that would be a concern since 40-bit is well within the realm of brute force. By the looks of the Apple publication, however, the iPad appears to have some pretty good security controls. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Brian Basgen Information Security Office Pima Community College Office: 520-206-4873 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL Sent: Wednesday, July 21, 2010 3:45 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] iPad and access to university ERP But...given that the session *is* encrypted - and not persistent - wouldn't *any* kind of encryption be serviceable for something like this? (I'm thinking that is someone *really* wanted the data, they aren't going to try and tunnel through a relatively random wireless connection....?) Just a thought... M From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Schaffer Sent: Wednesday, July 21, 2010 10:36 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] iPad and access to university ERP I believe the encryption is only 40 bit. Greg Greg Schaffer, CISSP Assistant Vice President Network and Information Technology Security Middle Tennessee State University 615 898-5753 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa Rowe Sent: Wednesday, July 21, 2010 11:19 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] iPad and access to university ERP I just received this email from a department manager: "First thing I did was installed an app called Remote Desktop Lite (free). I used that to remote into my Windows machine on my desk and it worked beautifully. I pulled up Banner and found it to be really easy to work with on the iPad. What I liked the most was I didn't have to tab into the entry fields. I could touch them and the cursor would move. If I only had that on my desktop!" Wonderful.... So I'm thinking what is open on the desktop and what is the security of the transmission. We force VPN use from off-campus. I thought we had the remote desktop thing handled in terms of accessing our ERP. Am I unreasonably concerned? -- Theresa Rowe Chief Information Officer Oakland University **Think Green - Think before you print.** -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
-- Matt Gracie (716) 888-8378 Information Security Administrator graciem () canisius edu Canisius College ITS Buffalo, NY http://www2.canisius.edu/~graciem/graciem_public_key.gpg
Current thread:
- iPad and access to university ERP Theresa Rowe (Jul 21)
- Re: iPad and access to university ERP Greg Schaffer (Jul 21)
- Re: iPad and access to university ERP SCHALIP, MICHAEL (Jul 21)
- Re: iPad and access to university ERP Basgen, Brian (Jul 21)
- Re: iPad and access to university ERP Ullman, Catherine (Jul 21)
- Re: iPad and access to university ERP Dave Koontz (Jul 21)
- Re: iPad and access to university ERP Matthew Gracie (Jul 21)
- Re: iPad and access to university ERP Basgen, Brian (Jul 21)
- Re: iPad and access to university ERP Russell Fulton (Jul 23)
- Re: iPad and access to university ERP James Peluso (Jul 24)
- Re: iPad and access to university ERP SCHALIP, MICHAEL (Jul 21)
- Re: iPad and access to university ERP Greg Schaffer (Jul 21)
- Re: iPad and access to university ERP Brad Judy (Jul 22)
- Re: iPad and access to university ERP Brad Judy (Jul 22)
- Re: iPad and access to university ERP John Hoffoss (Jul 22)
- Re: iPad and access to university ERP Bret Ingerman (Jul 23)
- Re: iPad and access to university ERP Richard Hopkins (Jul 22)
- Re: iPad and access to university ERP Roger Safian (Jul 22)
- Re: iPad and access to university ERP Richard Hopkins (Jul 22)