Re: [PEN-TEST] Your opinions ... more info

[Jim Miller <MillerJ () FABSSB COM>]

The client responded that he did not want to support the additional cost of VPN.  I dispute that there is additional 
cost over cert/SSL.  What VPN adds is described on page 6 of the document, in a section titled "Requiring Use of 
Windows NT Passwords".  This allows use of MS Win NT administered password policies.  We should all read the document 
before we continue.

http://www.microsoft.com/NTServer/commserv/deployment/planguides/VPNSecurity.asp   



dsimonis () FIDERUS COM 10/31/00 01:17PM >>>
"St. Clair, James" wrote:
> I'd say stick the VPN. I agree, afaik Win2k makes VPNs fairly simple. Your
> client seems neither willing or able to truly take on the significance of
> handling certificates that precludes the emperor from being without clothes.
>
> Jim

Am I the only one who is of the mind that VPN is not congruent to an
authentication scheme?  From the OP's specifications, his VPN model
still used a certificate based auth method:

> VPN Solution:
> Windows 2000 Server and Windows 2000 clients was the solution I was
> recommending as a stronger solution.  Given what I have read, I could not
> see where this solution would add any support burden over the certificate
> solution.  This solution uses  client/server IP tunneling with PPTP/L2TP,
> MS-CHAP v.2, and certificate authentication.
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^

Either way, he is authenticating via cert.  Either way, he plans
to use SSL.  What advantage does PPTP offer to this solution?
What about PPTP makes the administration of this solution easier?

Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas   77805-8100
979/361-6515
801/835-5546
millerj () fabssb com