Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Penetration Testing: Re: [PEN-TEST] Your opinions ... more info

Re: [PEN-TEST] Your opinions ... more info

From: Jim Miller <MillerJ_at_FABSSB.COM>
Date: Tue, 31 Oct 2000 14:08:24 -0600

>>One of us is confused here. IMO, a VPN is not related to
>>authentication.

Please refer to the document I provided the link to:
http://www.microsoft.com/NTServer/commserv/deployment/planguides/VPNSecurity.asp
page 6 where it states,"MS-CHAPS is an authentication machanism" and "recent developments with MS VPN technology include MS-CHAPS". No confusion here. Maybe at Microsoft.

>>Having the application and the process used to protect access to it
>>(the CA) on the same machine is possibly the most foolish thing I
>>can think of in this situation. I would have them on seperate
>>machines with a firewall between them, but I'm paranoid.

Good point. I wanted to tell my client that it was a mistake, but was worn out by speculation about the previous exposures that had been enumerated to me, and didn't want to have to argue another.

>>Am I the only one who thinks certificate use without the presence
>>of a trusted third party in such an application as this is a bad
>>solution?

Why should I pay a 3rd party to issue certificates when I can do it myself? I need to trust my client; the client does not need to trust me. I just need to know that it is really the customer who wants to move money.

>>Personally, I don't like PPTP as a VPN solution. Its yucky. But in
>>any event, the protection of the data in transit is quite different
>>than the means to authenticate access. So the real question here is
>>"Do I use CHAP/MS/Certificate authentication or do I use just
>>certificate based authentication. The only addition that PPTP provides
>>is that tunnel, and for tunneling I say you can't beat IPSec.

Refer to the same MS document above, on page 11, in a chapter called "Tunneling with L2TP", where it states that "IPSec enables server to server tunneling ... rather than being used for client-server tunneling." . Doesn't look like the white paper was written by marketing people, so I'll take their word for it.

>>I also agree, open is open.

Thank you. If there is anything I hate worse than being smoked, it's someone who should know better trying to smoke me, and thinking they got away with it.

And in my best Racehorse Haines imitation, "I don't get billable hours!".

Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas 77805-8100
979/361-6515
801/835-5546
millerj_at_fabssb.com
Received on Nov 01 2000

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]