Penetration Testing mailing list archives
Re: [PEN-TEST] Your opinions ... more info
From: Matthew Micene <matt () EXPRESSSEARCH COM>
Date: Tue, 31 Oct 2000 17:33:26 -0500
On Tuesday 31 October 2000 15:08, you wrote:
> > One of us is confused here. IMO, a VPN is not related to authentication.
>
> Please refer to the document I provided the link to: http://www.microsoft.com/NTServer/commserv/deployment/planguides/VPNSecurity.asp page 6 where it states, "MS-CHAPS is an authentication mechanism" and "recent developments with MS VPN technology include MS-CHAPS". No confusion here. Maybe at Microsoft.
Having attempted to read the above document and failed (I get nothing other than the Overview), I am going to weigh in on a few points that I think are salient, and which amount more to questions than answers perhaps. I fear this may land off target from the thread, however.

First of all, both of the above statements are true. Neither of them relates to the other, however. The inclusion of CHAPS into the MS VPN product has to do with the VPN authentication, as an alternative to PKI or other authentication means. What Drew meant, I think, was client authentication. VPNs are designed to create a secure, encrypted pipe between two servers. It has nothing (that I know of) to ensure that an underlying application or particular user is authenticated. There is the implicit assumption that only authorized users have access to the VPN, but I wouldn't bet the farm on that one.

Based on what has passed so far, I have to ask what the aim of the project is. If you are talking about a server-to-server application for the transference between banking institutions, then a VPN with its extra hardware and software is not all that difficult to establish, and has the advantage (danger?) of known entities on either side of a secure pipe for the start of a transaction. If, however, you are talking about a consumer-level product, creating a system based around a W2k VPN system is, well, suicide. Client-side support for a home user attempting to set up a VPN and keep it running would not be within the scope of most help desks at a bank, and the assumption that most home users will be using W2k is forward-looking at best.

In my opinion, and many opinions on precisely how to manage the certificate system have been levied, it is possible to create a reasonably secure cash management application which utilizes certificates. Reliance on certificates alone is problematic, even properly managed. However, the use of a VPN vs. a certificate system seems to beg the question of scope and business model as much as security implications. Hmm, rambled a bit more than I meant; just my 2 cents.