Firewall Wizards mailing list archives

Re: SaveUserPassword in Cisco VPN Client with PIX


From: Christian Eich <eich () wor net>
Date: Mon, 07 Mar 2005 18:01:05 +0100


Hi Paul,

Paul Melson wrote:
> First of all, (and you'll probably hear this from plenty of list members),
> not requiring users to authenticate by hand is very risky.  Essentially,
> anyone that steals the .PCF file off of any client machine will be able to
> tunnel through your firewall.  This is a BAD THING(tm).
>
> That said, if you're bound and determined to do this, then why use XAUTH at
> all?  If you know that certain machines are going to need to connect via VPN
> client, create a vpngroup that only has vpngroup password set (so don't
> specify authentication-server, secure-unit-authentication, or
> user-authentication in vpngroup, or crypto map client authentication in the
> corresponding crypto map), create a new profile with just the group name and
> PSK, and install on your client machines.  Users double-click on a VPN
> profile and connect without a password prompt.
>
> IMHO, this is slightly less risky than requiring authentication with a
> password that is stored in the PCF file.  Those passwords are stored as
> hashes and susceptible to offline brute-force attacks.  If an attacker could
> potentially access your internal network, why on earth would you want to
> also provide them with user credentials to authenticate to directories and
> services that they are now able to communicate via?

Good Point :-)

First of all, these passwords are not the ones used in the internal network.
The VPN doesn't even end in the internal network.

The VPN is used for 500 sales people who get email and downloads that are
individually prepared for them (mostly updates on contracts which are already
stored on the notebook). So if someone steals that notebook he already has
the data. The stored password only provides him with subsequent updates
plus email.

On the other hand these people come and go. So we need to lock them out
individually when they leave the company. Therefore we want to use XAUTH.

I hope this explains why I want to do it. I just don't know how.

I'm currently testing a suggestion to write-protect the pcf file. You'll
get a summary of the solution once I get it working.

Regards,
Christian Eich

--
WorNet Aktiengesellschaft
Dipl.Chem. Christian Eich
Bürgermeister-Graf-Ring 28
82538 Geretsried-Gelting

Tel: 08171/41809-0
Fax: 08171/41809-9

http://www.wor.net/
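An added PIX 6.x configuration sketch, not from either poster, contrasting the two designs discussed in this thread: Paul's group-PSK-only vpngroup, and a vpngroup backed by XAUTH against a RADIUS server, which is what gives the per-user lock-out Christian is after. Group names, pool ranges, the RADIUS host and all keys are placeholders, and the IKE/IPsec scaffolding (isakmp policy, dynamic crypto map, sysopt connection permit-ipsec) is assumed to already exist.

```cisco
! Added example, not from the thread. Names, addresses and keys are placeholders.
! Assumes the usual IKE/IPsec scaffolding (isakmp policy, dynamic crypto map,
! sysopt connection permit-ipsec) is already configured.

ip local pool vpnpool 192.168.100.1-192.168.100.254

! --- Variant A: group pre-shared key only, no XAUTH (Paul's suggestion) ---
! Whoever holds the .pcf (group name + group PSK) connects without a prompt.
! Revoking one leaver means rotating the group PSK on all 500 notebooks.
vpngroup sales-nox address-pool vpnpool
vpngroup sales-nox idle-time 1800
vpngroup sales-nox password GROUP-PSK-PLACEHOLDER
! No "crypto map ... client authentication" line for this variant.

! --- Variant B: group PSK plus XAUTH against RADIUS (per-user revocation) ---
! The .pcf still carries the group PSK, but every connection is also checked
! against the RADIUS server, so a leaver is disabled there, individually,
! without touching the other clients.
aaa-server SALESRADIUS protocol radius
aaa-server SALESRADIUS (inside) host 10.0.0.5 RADIUS-SECRET-PLACEHOLDER timeout 5
vpngroup sales-xauth address-pool vpnpool
vpngroup sales-xauth idle-time 1800
vpngroup sales-xauth password GROUP-PSK-PLACEHOLDER
crypto map outside_map client authentication SALESRADIUS

! The two variants are alternatives for the same crypto map, shown together
! only for comparison: client authentication is set per crypto map, not per
! vpngroup.
```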