Penetration Testing mailing list archives
Re: [PEN-TEST] Your opinions ... more info
From: Jim Miller <MillerJ () FABSSB COM>
Date: Tue, 31 Oct 2000 14:08:24 -0600
> One of us is confused here. IMO, a VPN is not related to authentication.
Please refer to the document I provided the link to: http://www.microsoft.com/NTServer/commserv/deployment/planguides/VPNSecurity.asp page 6 where it states, "MS-CHAPS is an authentication mechanism" and "recent developments with MS VPN technology include MS-CHAPS". No confusion here. Maybe at Microsoft.
> Having the application and the process used to protect access to it (the CA) on the same machine is possibly the most foolish thing I can think of in this situation. I would have them on separate machines with a firewall between them, but I'm paranoid.
Good point. I wanted to tell my client that it was a mistake, but was worn out by speculation about the previous exposures that had been enumerated to me, and didn't want to have to argue another.
> Am I the only one who thinks certificate use without the presence of a trusted third party in such an application as this is a bad solution?
Why should I pay a 3rd party to issue certificates when I can do it myself? I need to trust my client; the client does not need to trust me. I just need to know that it is really the customer who wants to move money.
> Personally, I don't like PPTP as a VPN solution. It's yucky. But in any event, the protection of the data in transit is quite different than the means to authenticate access. So the real question here is "Do I use CHAP/MS/Certificate authentication or do I use just certificate based authentication?" The only addition that PPTP provides is that tunnel, and for tunneling I say you can't beat IPSec.
Refer to the same MS document above, on page 11, in a chapter called "Tunneling with L2TP", where it states that "IPSec enables server to server tunneling ... rather than being used for client-server tunneling." Doesn't look like the white paper was written by marketing people, so I'll take their word for it.
> I also agree, open is open.
Thank you. If there is anything I hate worse than being smoked, it's someone who should know better trying to smoke me, and thinking they got away with it. And in my best Racehorse Haines imitation, "I don't get billable hours!".

Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas 77805-8100
979/361-6515
801/835-5546
millerj () fabssb com
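The trust model Jim describes above (the bank issues its own client certificates and only needs to trust itself, and authentication is a separate question from the tunnel that carries the traffic) can be shown in a few lines of Go's standard crypto/x509 library. This is an added example, not code from the thread or from any product it mentions; the CA name, customer names and key algorithm are constructed for illustration. The bank's root is the only certificate in the trust store, so a customer certificate it issued verifies and yields an identity to authorise against, while a certificate from any other issuer is rejected regardless of who that issuer is.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed root for an in-house certificate authority.
// Names and lifetimes here are constructed for the example.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert signs a client-authentication certificate for one customer.
// Only the public key is certified; in practice the customer generates and keeps
// the private key (it is generated here only because the example runs on one machine).
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, customer string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: customer},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyClient is the bank-side check at connection time. The trust store holds
// exactly one root, the bank's own, so a certificate from any other issuer fails
// with an UnknownAuthorityError however reputable that issuer is. The identity
// used for authorisation is read from the verified chain, not from the raw cert.
func verifyClient(presented, trustedRoot *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	chains, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return chains[0][0].Subject.CommonName, nil
}

func main() {
	bankCA, bankKey, err := newCA("Example Bank Root CA")
	if err != nil {
		panic(err)
	}
	customer, _, err := issueClientCert(bankCA, bankKey, "customer-0001", 2)
	if err != nil {
		panic(err)
	}
	cn, err := verifyClient(customer, bankCA)
	fmt.Println("own-CA certificate:", cn, err)

	// A certificate with the same subject from an unrelated CA must be rejected.
	otherCA, otherKey, _ := newCA("Some Other CA")
	stranger, _, _ := issueClientCert(otherCA, otherKey, "customer-0001", 3)
	_, err = verifyClient(stranger, bankCA)
	fmt.Println("foreign-CA certificate:", err)
}
```

Note that the CA's private key sits in the same process here only so the example runs stand-alone; the point made earlier in the thread about keeping the CA on a separate, firewalled machine translates to caKey living on that other host, with the application server holding nothing but the root certificate it verifies against.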
Current thread:
- [PEN-TEST] Your opinions ... more info Jim Miller (Nov 01)
- Re: [PEN-TEST] Your opinions ... more info Drew Simonis (Nov 01)
- Re: [PEN-TEST] Your opinions ... more info van der Kooij, Hugo (Nov 01)
- Re: [PEN-TEST] Your opinions ... more info L.W. (Nov 01)
- <Possible follow-ups>
- Re: [PEN-TEST] Your opinions ... more info St. Clair, James (Nov 01)
- Re: [PEN-TEST] Your opinions ... more info Drew Simonis (Nov 01)
- Re: [PEN-TEST] Your opinions ... more info Jim Miller (Nov 01)
- Re: [PEN-TEST] Your opinions ... more info krisk (Nov 02)
- Re: [PEN-TEST] Your opinions ... more info Jim Miller (Nov 01)
- Re: [PEN-TEST] Your opinions ... more info Matthew Micene (Nov 01)
- Re: [PEN-TEST] Your opinions ... more info David Vandervort (Nov 01)