Firewall Wizards mailing list archives
Re: SaveUserPassword in Cisco VPN Client with PIX
From: Christian Eich <eich () wor net>
Date: Mon, 07 Mar 2005 18:01:05 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Paul, Paul Melson wrote:
First of all, (and you'll probably hear this from plenty of list members), not requiring users to authenticate by hand is very risky. Essentially, anyone that steals the .PCF file off of any client machine will be able to tunnel through your firewall. This is a BAD THING(tm). That said, if you're bound and determined to do this, then why use XAUTH at all? If you know that certain machines are going to need to connect via VPN client, create a vpngroup that only has vpngroup password set (so don't specify authentication-server, secure-unit-authentication, or user-authentication in vpngroup, or crypto map client authentication in the corresponding crypto map), create a new profile with just the group name and PSK, and install on your client machines. Users double-click on a VPN profile and connect without a password prompt. IMHO, this is slightly less risky than requiring authentication with a password that is stored in the PCF file. Those passwords are stored as hashes and susceptible to offline brute-force attacks. If an attacker could potentially access your internal network, why on earth would you want to also provide them with user credentials to authenticate to directories and services that they are now able to communicate via?
Good Point :-) First of all, these passwords are not the ones used in the internal network. The VPN doesn't even end in the internal network. The VPN is used for 500 sales people who get email and downloads that are individually prepared for them (mostly updates on contracts which are already stored on the notebook). So if someone steals that notebook he already has the data. The stored password only provides him with subsequent updates plus email. On the other hand these people come and go. So we need to lock them out individually when they leave the company. Therefore we want to use XAUTH. I hope this explains why I want to do it. I just dont know how. I'm currently testing a suggestion to write protect the pcf file. You'll get a summary on the solution, one i got it working. Regards, Christian Eich - -- WorNet Aktiengesellschaft Dipl.Chem. Christian Eich Bürgermeister-Graf-Ring 28 82538 Geretsried-Gelting Tel: 08171/41809-0 Fax: 08171/41809-9 http://www.wor.net/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCLIjNyjL3TCu824YRAqRqAJ9yxXE3fqpv7gwLroGuHtHB3yHllwCePq+B fFdAx6juzPVm/W23YX9wEUc= =qx85 -----END PGP SIGNATURE-----
Attachment:
eich.vcf
Description:
Current thread:
- SaveUserPassword in Cisco VPN Client with PIX Christian Eich (Mar 04)
- RE: SaveUserPassword in Cisco VPN Client with PIX Paul Melson (Mar 09)
- <Possible follow-ups>
- Re: SaveUserPassword in Cisco VPN Client with PIX Christian Eich (Mar 09)
- RE: SaveUserPassword in Cisco VPN Client with PIX Paul Melson (Mar 09)
- RE: SaveUserPassword in Cisco VPN Client with PIX R. Benjamin Kessler (Mar 12)