Firewall Wizards mailing list archives

ADP payroll


From: Roger Marquis <marquis () roble com>
Date: Thu, 9 May 2002 17:44:21 -0700 (PDT)

I'm looking for people with experience using a particular ADP
payroll software package.  This software runs under MS Windows and
connects to ADP's servers over the Internet.  ADP support has been
unable to provide the information necessary to do a risk analysis.
These are the only details I've been able to gather after almost
two weeks and over a dozen calls:

1) ADP asks clients to open their firewall ports 80, 443, 6847,
   6848, 6849, and 5282, bi-directionally.

   The client computer, normally a Windows PC, becomes a server when
   ADP's payroll software is installed and will accept connections from
   any IP addresses.

2) ADP does not normally provide a remote server IP address.
   Clients who insist are given a remote address for their firewall
   ACL but apparently most people don't ask and open their networks
   to connections from anywhere, internal or on the Internet.

   The Internet source address ADP finally provided is within their
   class B subnet (ARIN:ADP-ESNET).

3) ADP does not normally disclose the transport layer protocol.
   Clients who insist are told that TCP is the only protocol that
   needs to be enabled for bidirectional communication across their
   firewall.

4) ADP does not disclose what authentication, if any, is performed by
   the client PC or remote host connecting to it.

5) ADP claims that 128 bit encryption is used but does not disclose the
   cryptographic algorithm or whether encryption is used on all 6 TCP
   ports.

6) ADP does not disclose what these 6 TCP ports are used for other than
   downloading data from and uploading software to the client PC.
   Upload and download operations can be initiated at either the client
   or server.

   ADP does not disclose what software is downloaded to the client PC
   or whether clients must interactively authorize software or data
   transfers.

   ADP requests that these ports are left open 24 hours a day 7 days a
   week.

   ADP would provide no white paper, acceptable use policy, or any
   other technical or security information on this software other
   than:

      A) the TCP ports which must be opened at the firewall,
      B) a remote server IP address,
      C) that it uses 128 bit encryption,
      D) that it both uploads and downloads software and data, and
      E) that connections can be initiated by either client or server.

7) ADP's PC support group, which answers technical questions, does not
   accept phone calls directly and is not able to initiate calls or
   send or receive email from clients.  They can only be contacted by
   phone calls initiated by the ADP client representative.

   These client representatives also do not accept phone calls.
   Clients must leave voicemail and be at their phone when the
   representative calls back.

   After the caller has been authorized, left voicemail(s), and
   been at their phone when the representative calls back, ADP's
   PC support group can be conferenced-in to answer technical
   questions.

Each of these requirements is unusual for an Internet-based
client-server software package.  When considered together they
raise a very large red warning flag.  Security by obscurity is not
normally taken to such extremes, especially by an Internet Financial
Service Provider.  No Corporate Security Officer or Network Security
Consultant would normally allow an outside company to set up a server
inside their client's network without complete disclosure and
guarantees regarding what that internal server will be used for.
Clients have no way of assuring that ADP's software will not be a
source of viruses, trojans, or abused as a base for economic
espionage or other local network probes.

Any additional information regarding this Windows software would
be greatly appreciated.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
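A small model of the two firewall postures the post contrasts in points 1 and 2: the listed ports opened bi-directionally with no source restriction, versus the same ports restricted to the single ADP address block. This is an added example, not code from the original message or from ADP. The ADP block is named in the post only by its ARIN handle (ADP-ESNET), so the RFC 5737 documentation range 198.51.100.0/24 stands in for it; the payroll PC address, the probing hosts and the rule evaluator are likewise constructed. The filter modelled is whatever sits in front of the payroll PC (its own host firewall or the perimeter device), since the post notes the PC accepts connections from any address once the software is installed.

```python
"""Model of the open vs. restricted firewall policy for the ADP payroll PC.

Added example, not part of the original post. Addresses are constructed:
198.51.100.0/24 is a placeholder for the ADP-ESNET block, 10.0.5.20 is
the payroll PC, and the probe sources are RFC 5737 / private addresses.
"""
import ipaddress
from dataclasses import dataclass

ADP_PORTS = (80, 443, 6847, 6848, 6849, 5282)       # ports ADP asks to be opened
ADP_NET = ipaddress.ip_network("198.51.100.0/24")   # placeholder for ADP-ESNET
PAYROLL_PC = ipaddress.ip_address("10.0.5.20")      # constructed internal host
ANY = ipaddress.ip_network("0.0.0.0/0")
PC_NET = ipaddress.ip_network(f"{PAYROLL_PC}/32")


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" (toward the payroll PC) or "out"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple


# Policy 1: what the post says ADP asks for by default -- the six ports
# open in both directions with no source or destination restriction.
OPEN_POLICY = [
    Rule("in", ANY, PC_NET, ADP_PORTS),
    Rule("out", PC_NET, ANY, ADP_PORTS),
]

# Policy 2: the same ports, but inbound only from ADP's block and
# outbound only to ADP's block (the ACL clients get if they insist).
RESTRICTED_POLICY = [
    Rule("in", ADP_NET, PC_NET, ADP_PORTS),
    Rule("out", PC_NET, ADP_NET, ADP_PORTS),
]


def permitted(policy, direction, src, dst, port):
    """First-match allow list with an implicit deny, like a typical ACL."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for r in policy:
        if (r.direction == direction and src in r.src
                and dst in r.dst and port in r.ports):
            return True
    return False


# Constructed inbound connection attempts toward the payroll PC.
PROBES = {
    "adp_server": ("198.51.100.7", 6847),      # inside the placeholder ADP block
    "internet_host": ("203.0.113.9", 6847),    # arbitrary Internet address
    "lan_workstation": ("10.0.5.99", 5282),    # another host on the LAN
}


def inbound_exposure(policy):
    """Names of the probes the policy lets reach the PC on an ADP port."""
    return sorted(
        name for name, (src, port) in PROBES.items()
        if permitted(policy, "in", src, str(PAYROLL_PC), port)
    )


if __name__ == "__main__":
    for name, pol in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: inbound reaches the PC from {inbound_exposure(pol)}")
```

Under the open policy every probe reaches the PC, which is the "connections from anywhere, internal or on the Internet" situation the post describes; the restricted policy admits only the ADP-sourced attempt. Note what the restriction does not buy: any host in the whole ADP block, not just the one payroll server, can still reach all six ports, and nothing at the network layer answers the authentication and encryption questions in points 4 and 5.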