|
Firewall Wizards
mailing list archives
Re: VPNmadness gets more support;
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 4 Feb 2005 11:22:49 -0500 (EST)
Howdy Kevin,
I think one fact of the study stands out, and resemeble FUD in no way;
Security practices
The majority of VPN vendors still allow their implementations to leak
information about valid usernames and do not lock
out accounts after a number of failed attempts. This does not happen on
operating system login and should not occur on
VPN implementations.
Sure, the rest of the problems can be said to be admin/implimentation
issues, of course then, my earlier research and findings were also mainly
aimed at admin/implimentation usses as well, commonplace practices.
Commonplace enough to make them the 'norm', there lies the problem.
Thanks,
Ron DuFresne
On Fri, 4 Feb 2005, Kevin Sheldrake wrote:
That article reads like a lot of FUD IMHO.
According to the NTA Monitor article, the attacks centred around username
enumeration, password hash capturing through use of Aggressive Mode and
off-line password cracking.
I don't doubt that a badly configured VPN is insecure (use of the Null
encryption algorithm springs to mind) and that statistics can claim how
many are probably insecure, but I do think that the focus is incorrectly
directed at the VPN technology and not at the
users/admins/consultants/whoever.
Use certificates. Don't use Aggressive Mode. Patch the software. Don't
spread FUD unless you have too. ;)
Kev
We asked about a year and a half ago <maybe two years ago even...> a
number of folks on and off this list if our prediction that the use of
VPN's resulted in our suspected hypothoses that 75% or more of all the
VPN
solutions in place actually did little or nothing to protect assests for
those employing them, well, the precentage we claimed at the time should
perhaps be boosted to 90%+ now eh:
February 01, vnunet.com - Virtual private networks (VPNs) are often the
weakest security link, study says. A three-year research project by
securityfirm NTA Monitor has concluded that nine out of 10 virtual
private
networks(VPNs) have exploitable vulnerabilities. Most of the companies
that
had their VPNs tested as part of the project thought that they were
invulnerableto hackers, but researchers found the same types of flaw
repeated across the whole product range. The report stated that, in some
cases, VPNs were actually the weakest security link in an organization.
The most widespread flaw involved the hacking of user names. Other
vulnerabilities center around password cracking.
Report: http://www.nta-monitor.com/news/vpn-flaws/index.htm
Source: http://www.vnunet.com/news/1160912
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
 By Date 
By Thread
Current thread:
|
Intro
