Penetration Testing mailing list archives
[PEN-TEST] Your opinions are solicited ...
From: Jim Miller <MillerJ () FABSSB COM>
Date: Mon, 30 Oct 2000 17:53:21 -0600
.. on the configuration of security for an Internet application to be deployed. The bank that I work for is planning to deploy a cash mgt application on the internet. They propose to secure the application and its face on the Net with SSL and MS Certificate Server. The sessions will be protected from Net snooping by SSL's 132 bit encryption, " as strong as IP tunnelling". Access will be controlled by installing a certificate on each remote client. The installation is done via download from the Certificate Server, but is a manual process: the remote will request the certificate and the server will download only after a process is started by support. The IT staff is unsure where the certificate resides on the client. They suppose it to be both file based and in the Registry. They have tried the "certificate export" process in IE and found that it will not export, so they are satisfied that it provides the level of security required to secure a cash mgt application. They note that the HTML page presented to IE without the certificate is an error page. There is no way to get at the certiciate on the Net site. The cash mgt application has its own security, but I note that it is application level security, and that using only logonid / password authentication across the Net is generally held to be a mistake. I have recommended using VPN, now readily available in Win2000, but have been rejected. "A support nightmare." was the reason given. What do you think of the security schema planned? What schema would you use? What do you think of the reason given for not using VPN? I hope your conclusions will be the same as mine. To make my point, I will most likely have a URL for testing later in the week. If you are interested in hitting against it, please let me know directly. Any questions I can answer to clarify, please let me know. Thanks. Jim Miller, CISA, CDP VP & IS Audit Mgr First American Bank Texas Bryan, Texas 77805-8100 979/361-6515 801/835-5546 millerj () fabssb com
Current thread:
- [PEN-TEST] Your opinions are solicited ... Jim Miller (Oct 31)
- Re: [PEN-TEST] Your opinions are solicited ... Thomas Reinke (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... van der Kooij, Hugo (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... krisk (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... L.W. (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Paul Robinson (Nov 01)
- <Possible follow-ups>
- Re: [PEN-TEST] Your opinions are solicited ... St. Clair, James (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Frank Knobbe (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Paul Robinson (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Deus, Attonbitus (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... L.W. (Nov 01)
- Re: [PEN-TEST] Your opinions are solicited ... Paul Robinson (Nov 01)
(Thread continues...)