Penetration Testing mailing list archives
Re: [PEN-TEST] Your opinions are solicited ...
From: "St. Clair, James" <JStClair () VREDENBURG COM>
Date: Tue, 31 Oct 2000 07:00:24 -0800
Jim Miller asked..

> What do you think of the security schema planned?

First of all, it sounds like they want to deploy MS IIS to support the SSL sessions. There are enough flaws to choose from in IIS that it is probably your first "support nightmare". Going with the MS solution gives you interoperability but a lengthy list of bug fixes from a less than admitting company.

The sessions will be protected from Net snooping by SSL's 132 bit encryption, "as strong as IP tunnelling". Actually, it's not. Bruce Schneier just had an excellent post in his crypt mail list about the problems of 128, 132, or 264 (choose a number) bit encryption and "bit entropy" - whether the app could draw on a full random combination of 132 bits that gives you that 2^132 chances to try. Additionally, a 132 bit encryption that relies on a 7 or 9 character password can only generate entropy at the 40 bit level roughly.

> What schema would you use?

I don't know. I don't know your OS, your network configuration, the number of entry points, the ISP, the number of modems, etc. that all may provide me access to your network, steal a password for the application, and have access to the client side of the transactions.

From a risk management perspective, your solution is "probably effective mostly". I would suggest something in the cash mgt app tied to my infrastructure management to allow real-time monitoring of transactions. Over time, an unauthorized user could be identified through IP addresses that don't correspond to authorized clients, in the event the SSL is compromised.

> What do you think of the reason given for not using VPN?

Because security requires too much heavy lifting. If it is a "nightmare" to try to deploy Kerberos, IPsec, and PPTP as part of the Win2K suite, I'd look to an ISV solution. As pointed out in another post, a Citrix MetaFrame combo may be a better idea. Win2K includes the kernel from Windows Terminal Server that has the Citrix WinFrame properties included, afaik.

Hope this helps some, if but to further the discussion.

James St. Clair
(703) 412-4611
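The entropy point above (a nominal 132-bit key that is only as strong as the 7 or 9 character password it is derived from) can be checked with a small estimator. This is an added example, not code from the post or the thread; it assumes the worst-case model in which the attacker knows which character classes the password draws on, and the sample passwords are constructed for illustration.

```python
import math
import string

# Character classes a user-chosen password may draw from. Assumption (standard
# worst-case model): the attacker knows which classes were used.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def charset_size(password: str) -> int:
    """Size of the alphabet implied by the character classes present."""
    size = sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses no recognised character class")
    return size


def password_entropy_bits(password: str) -> float:
    """Upper bound on the entropy of a password of this length and alphabet."""
    return len(password) * math.log2(charset_size(password))


def effective_key_bits(password: str, nominal_key_bits: int) -> float:
    """A key derived from a password is no stronger than the password itself,
    whatever the cipher's nominal key length says."""
    return min(nominal_key_bits, password_entropy_bits(password))


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to search half of a 2**bits keyspace at a given rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: 7 lowercase chars, and 9 mixed chars.
    for pw in ["letmein", "Passw0rd!"]:
        bits = effective_key_bits(pw, 132)
        print(f"{pw!r}: nominal 132 bits, effective {bits:.1f} bits, "
              f"~{brute_force_years(bits, 1e9):.3g} years at 1e9 guesses/s")
```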
Current thread:
- [PEN-TEST] Your opinions are solicited ... Jim Miller (Oct 31)
- Re: [PEN-TEST] Your opinions are solicited ... Thomas Reinke (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... van der Kooij, Hugo (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... krisk (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... L.W. (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Paul Robinson (Nov 01)
- <Possible follow-ups>
- Re: [PEN-TEST] Your opinions are solicited ... St. Clair, James (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Frank Knobbe (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Paul Robinson (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Deus, Attonbitus (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... L.W. (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Paul Robinson (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Shawn Davenport (Nov 01)
- [PEN-TEST] "Get out of Jail Free" Gary Warner (Nov 01)