Firewall Wizards mailing list archives
ADP payroll
From: Roger Marquis <marquis () roble com>
Date: Thu, 9 May 2002 17:44:21 -0700 (PDT)
I'm looking for people with experience using a particular ADP payroll software package. This software runs under MS Windows and connects to ADP's servers over the Internet. ADP support has been unable to provide the information necessary to do a risk analysis. These are the only details I've been able to gather after almost two weeks and over a dozen calls:

1) ADP asks clients to open their firewall ports 80, 443, 6847, 6848, 6849, and 5282, bi-directionally. The client computer, normally a Windows PC, becomes a server when ADP's payroll software is installed and will accept connections from any IP addresses.

2) ADP does not normally provide a remote server IP address. Clients who insist are given a remote address for their firewall ACL but apparently most people don't ask and open their networks to connections from anywhere, internal or on the Internet. The Internet source address ADP finally provided is within their class B subnet (ARIN:ADP-ESNET).

3) ADP does not normally disclose the transport layer protocol. Clients who insist are told that TCP is the only protocol that needs to be enabled for bidirectional communication across their firewall.

4) ADP does not disclose what authentication, if any, is performed by the client PC or remote host connecting to it.

5) ADP claims that 128 bit encryption is used but does not disclose the cryptographic algorithm or whether encryption is used on all 6 TCP ports.

6) ADP does not disclose what these 6 TCP ports are used for other than downloading data from and uploading software to the client PC. Upload and download operations can be initiated at either the client or server. ADP does not disclose what software is downloaded to the client PC or whether clients must interactively authorize software or data transfers. ADP requests that these ports are left open 24 hours a day, 7 days a week.

ADP would provide no white paper, acceptable use policy, or any other technical or security information on this software other than: A) the TCP ports which must be opened at the firewall, B) a remote server IP address, C) that it uses 128 bit encryption, D) that it both uploads and downloads software and data, and E) that connections can be initiated by either client or server.

7) ADP's PC support group, which answers technical questions, does not accept phone calls directly and is not able to initiate calls or send or receive email from clients. They can only be contacted by phone calls initiated by the ADP client representative. These client representatives also do not accept phone calls. Clients must leave voicemail and be at their phone when the representative calls back. After the caller has been authorized, left voicemail(s), and been at their phone when the representative calls back, ADP's PC support group can be conferenced-in to answer technical questions.

Each of these requirements is unusual for an Internet-based client-server software package. When considered together they raise a very large red warning flag. Security by obscurity is not normally taken to such extremes, especially by an Internet Financial Service Provider. No Corporate Security Officer or Network Security Consultant would normally allow an outside company to set up a server inside their client's network without complete disclosure and guarantees regarding what that internal server will be used for. Clients have no way of assuring that ADP's software will not be a source of viruses, trojans, or abused as a base for economic espionage or other local network probes.

Any additional information regarding this Windows software would be greatly appreciated.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
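An added example, not part of the original post, of the firewall check the post implies: audit a rule list for inbound TCP allows on the six ports that are open to any source instead of pinned to the address ADP provided. The rule format, the sample rules and the ADP address block (an RFC 5737 documentation range standing in for the real one) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Ports the post says ADP asks clients to open bi-directionally.
ADP_PORTS = {80, 443, 5282, 6847, 6848, 6849}

# Placeholder only: the real block must come from ADP (ARIN:ADP-ESNET), not from here.
ADP_NET = ipaddress.ip_network("203.0.113.0/24")


@dataclass
class Rule:
    direction: str  # "in": connection initiated from outside toward the client PC
    proto: str      # transport protocol, e.g. "tcp"
    src: str        # permitted source, CIDR notation
    dport: int      # destination port on the client PC


def audit(rules):
    """Return (rule, reason) pairs for inbound ADP-port allows with an unsafe source."""
    findings = []
    for r in rules:
        if r.direction != "in" or r.proto.lower() != "tcp" or r.dport not in ADP_PORTS:
            continue  # outbound, non-TCP and unrelated ports are out of scope here
        src = ipaddress.ip_network(r.src, strict=False)
        if src.prefixlen == 0:
            findings.append((r, "inbound from any source: client PC is reachable as a server from anywhere"))
        elif not src.subnet_of(ADP_NET):
            findings.append((r, "inbound source is not within the ADP-provided block"))
    return findings


def tighten(rules):
    """Same rules with every inbound source replaced by the ADP-provided block."""
    return [Rule(r.direction, r.proto, str(ADP_NET), r.dport) if r.direction == "in" else r
            for r in rules]


# Constructed sample: what "open bi-directionally to any address" looks like as rules.
WEAK_RULES = [
    Rule("in", "tcp", "0.0.0.0/0", 6847),
    Rule("in", "tcp", "0.0.0.0/0", 6848),
    Rule("in", "tcp", "0.0.0.0/0", 6849),
    Rule("in", "tcp", "0.0.0.0/0", 5282),
    Rule("in", "tcp", "0.0.0.0/0", 443),
    Rule("out", "tcp", "0.0.0.0/0", 443),  # client-initiated; not flagged by this audit
]

if __name__ == "__main__":
    for rule, reason in audit(WEAK_RULES):
        print(f"{rule.proto}/{rule.dport} from {rule.src}: {reason}")
    print("after tighten():", audit(tighten(WEAK_RULES)))
```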
Current thread:
- ADP payroll Roger Marquis (May 10)
- Re: ADP payroll Rick Smith at Secure Computing (May 11)
- Re: ADP payroll Roger Marquis (May 11)
- Re: ADP payroll Rick Smith at Secure Computing (May 11)