Educause Security Discussion mailing list archives

Re: iPad and access to university ERP


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 21 Jul 2010 16:51:33 -0700

 Right. Now, hopefully wireless access into an internal network is protected by WPA2, which would help. That said, once 
it hits a regular wire (true for wireless encryption or a VPN tunnel), 40-bit encryption isn't ideal for traffic.

 The best solution I can think of is a policy restriction that requires encryption to be above a certain level for any 
applications used (e.g. 128-bit or higher). 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security Office
Pima Community College
Office: 520-206-4873
~~~~~~~~~~~~~~~~~~~~~~~~~~~~


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
Sent: Wednesday, July 21, 2010 4:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

Dave Koontz wrote:
But, if they "force" VPN connections to access the RDP desktop session
to begin with, you have the VPN security in front of the weaker MS RDP
encryption.  Seems safe enough to me.

The original post only says that VPN use is forced from off-campus. If this
person is using RDP over the local wireless on-campus, then the 40-bit crypto
could be all that's protecting the session if the wireless network doesn't
require 802.1x.

--Matt



On 7/21/2010 7:22 PM, Ullman, Catherine wrote:
The 40-bit reference appears to be to the software itself, which is
an add-on app that can be downloaded and installed from a third
party.  Note the line that says "40-bit encryption" is a
limitation:

http://www.mochasoft.dk/iphone_rdp_help/help.htm

So yes, I'd say there is a distinct concern.

-Cathy

Catherine J. Ullman
Information Security Analyst
Information Security Office
University at Buffalo
cende () buffalo edu



________________________________________
From: The EDUCAUSE Security Constituent Group Listserv
[SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian [bbasgen () PIMA EDU]
Sent: Wednesday, July 21, 2010 7:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

Apple has an overview of security on the iPad here:

http://images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf


This is an interesting read: I didn't know, for example, that the
iPad appears to have quasi FDE functionality: "256-bit AES encoding
hardware-based encryption to protect all data on the device.
Encryption is always enabled and cannot be disabled by users."

The lowest algorithm I can see in the document is 3DES, which is
typically implemented at either 112 or 168 bit strength. I don't see
anything about 40-bit, but to the previous poster, that would be a
concern since 40-bit is well within the realm of brute force.
By the looks of the Apple publication, however, the iPad appears to
have some pretty good security controls.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security Office
Pima Community College
Office: 520-206-4873
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Wednesday, July 21, 2010 3:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

But...given that the session *is* encrypted - and not persistent -
wouldn't *any* kind of encryption be serviceable for something like
this?  (I'm thinking that if someone *really* wanted the data, they
aren't going to try and tunnel through a relatively random wireless
connection....?)

Just a thought...

M

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Schaffer
Sent: Wednesday, July 21, 2010 10:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

I believe the encryption is only 40 bit.

Greg

Greg Schaffer, CISSP
Assistant Vice President Network and Information Technology Security
Middle Tennessee State University
615 898-5753

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa Rowe
Sent: Wednesday, July 21, 2010 11:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] iPad and access to university ERP

I just received this email from a department manager:

"First thing I did was install an app called Remote Desktop Lite
(free). I used that to remote into my Windows machine on my desk and
it worked beautifully. I pulled up Banner and found it to be really
easy to work with on the iPad. What I liked the most was I didn't
have to tab into the entry fields. I could touch them and the cursor
would move. If I only had that on my desktop!"

Wonderful....  So I'm thinking what is open on the desktop and what
is the security of the transmission.  We force VPN use from
off-campus.  I thought we had the remote desktop thing handled in
terms of accessing our ERP.

Am I unreasonably concerned?

--
Theresa Rowe
Chief Information Officer
Oakland University
**Think Green - Think before you print.**

-- This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.



--
Matt Gracie                       (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS              Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

