Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions are solicited ...
From: Shawn Davenport <shawn.davenport () CURRENEX COM>
Date: Tue, 31 Oct 2000 09:48:24 -0800

Hey Jim, folks,
I would tend to agree: the use of VPN would be "a support nightmare."
Although we are considering this, or perhaps more of a point-to-point
connection, as a solution for customers who require a higher level of
security.  We currently employ an auth scheme similar to what you have
described below. Here is the process, which may help you understand the use
of certs a bit better, or maybe I'll just confuse the issue.

A client must work with our Customer Assurance people to first have an account
created. Their uname/PIN (and some other things) are then sent to them via
other channels. From there the client can connect to our Certificate Server
and request a cert. Our CS verifies against the account database that said
client is allowed to be issued a cert. Assuming the uname/PIN etc. are
entered correctly and the account hasn't been disabled, the client is then
asked to generate a key pair on their system. Next the CSR, or Certificate
Request, is sent to us, which contains the client's public key among other
things. This request is then passed up to our CA, or Certificate Authority,
Verisign, where the actual cert is generated and then finally passed back to
the client and installed into their browser. (Note: I didn't think there was
a way to prevent a client-side cert from being exported... but...)

The client can then proceed to our web service and log in, again using the
uname/PIN (the PIN must then be changed), and their cert must be present.
They are asked to accept our cert, which is verified by Verisign. This entire
process is carried out over a 128-bit SSL session. All of this seems to
provide a very reliable way to verify both parties to each other. The other
points brought up so far are very valid, i.e. the support overhead needed to
manage certificates along with the issue of the client's system being
compromised. As for the latter, if that's the case, then the game is over and
we've lost! For the overhead of the certs, things have gone very smoothly
for us, but we also have a very small customer base, >1000.

A lot of this is going to depend upon your specific service and your customers'
needs in regard to security, or what they want/think they need. There are
a lot of other things you can do to make things more secure, perhaps
smartcards/SecurID, one-time passwords, etc. You just have to determine at
what point things begin to cost too much to employ.

Thoughts, comments, anyone?! Hopefully I didn't get anything wrong in the
process above...
Shawn Davenport
Security Engineer

-----Original Message-----
From: Jim Miller [mailto:MillerJ () FABSSB COM]
Sent: Monday, October 30, 2000 3:53 PM
Subject: [PEN-TEST] Your opinions are solicited ...

.. on the configuration of security for an Internet application to be
deployed.  The bank that I work for is planning to deploy a cash mgt
application on the internet.  They propose to secure the application and its
face on the Net with SSL and MS Certificate Server.

The sessions will be protected from Net snooping by SSL's 132-bit
encryption, "as strong as IP tunnelling."

Access will be controlled by installing a certificate on each remote client.
The installation is done via download from the Certificate Server,  but is a
manual process:  the remote will request the certificate and the server will
download only after a process is started by support.

The IT staff is unsure where the certificate resides on the client.  They
suppose it to be both file based and in the Registry.  They have tried the
"certificate export" process in IE and found that it will not export, so
they are satisfied that it provides the level of security required to secure
a cash mgt application.  They note that the HTML page presented to IE
without the certificate is an error page.  There is no way to get at the
certificate on the Net site.

The cash mgt application has its own security, but I note that it is
application level security, and that using only logonid / password
authentication across the Net is generally held to be a mistake.

I have recommended using VPN, now readily available in Win2000, but have
been rejected.  "A support nightmare." was the reason given.

What do you think of the security schema planned?
What schema would you use?
What do you think of the reason given for not using VPN?

I hope your conclusions will be the same as mine.  To make my point, I will
most likely have a URL for testing later in the week.  If you are interested
in hitting against it, please let me know directly.  Any questions I can
answer to clarify, please let me know.


Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas   77805-8100
millerj () fabssb com
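Editor's note, added to this archive page and not part of either post above: the enrolment and login flow Shawn describes (account created out of band, client-generated key pair, CSR checked against the account database, CA-signed cert installed in the browser, cert required at login) and the setup Jim's bank is proposing (client certs from a Certificate Server, relying on IE refusing to export them) come down to the same handful of checks. The script below replays that flow with the openssl command line so the checks can be seen one at a time. It assumes an openssl binary (1.1 or 3.x) on PATH; the account database is a constructed flat file, a local self-signed root stands in for the external CA (Verisign in the post), and the names alice, bob, Example Issuing CA and the PINs are made up for the example.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts): a minimal
# replay of the enrolment and login flow using the openssl CLI.
# Assumptions: openssl 1.1/3.x on PATH; constructed account database; a local
# self-signed root stands in for the external CA named in the post.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: Customer Assurance creates the account and sends uname/PIN out of
# band. Constructed sample data, one "uname:PIN:status" record per line.
make_accounts() {
  printf '%s\n' 'alice:4711:active' 'bob:1234:disabled' > "$WORK/accounts.txt"
}

# The Certificate Server's check: may this uname/PIN be issued a cert?
# Exit status 0 = allowed; 1 = unknown account, wrong PIN or disabled.
cs_authorize() {
  grep -qxF "$1:$2:active" "$WORK/accounts.txt"
}

# The issuing CA: its own key pair and self-signed root certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2, client side: generate the key pair locally and produce a CSR that
# carries the public key and the username. The private key never leaves here.
client_make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 3, server side: check the CSR's self-signature (proof the requester
# holds the matching private key), authorise against the account database,
# then have the CA sign it. Any failure means no certificate is issued.
ca_issue() {
  uname="$1"; pin="$2"
  openssl req -in "$WORK/$uname.csr" -verify -noout 2>/dev/null || return 1
  cs_authorize "$uname" "$pin" || return 1
  openssl x509 -req -in "$WORK/$uname.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 90 \
    -out "$WORK/$uname.crt" 2>/dev/null
}

# Step 4, at login: the web service must check two things about the presented
# certificate: that it chains to *our* CA, and that its subject is the account
# logging in. A valid cert for a different user must not unlock this account.
server_verify_login() {
  uname="$1"; certfile="$2"
  openssl verify -CAfile "$WORK/ca.crt" "$certfile" >/dev/null 2>&1 || return 1
  subj=$(openssl x509 -in "$certfile" -noout -subject -nameopt RFC2253 \
         | sed 's/^subject= *//')
  [ "$subj" = "CN=$uname" ]
}

# What someone who never enrolled can do: self-sign a cert claiming to be
# alice. It is a well-formed certificate, just not from our CA.
attacker_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$1" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# Step 5, browser install: key and cert travel as a PKCS#12 bundle. Whatever
# the browser's export dialog says, whoever holds this file (or the key file
# it was built from) can read the private key back out of it.
client_bundle_p12() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -passout pass:install -out "$WORK/$1.p12" 2>/dev/null
  openssl pkcs12 -in "$WORK/$1.p12" -passin pass:install -nodes -nocerts \
    2>/dev/null | grep -q 'PRIVATE KEY'
}

run_demo() {
  make_accounts; make_ca
  client_make_csr alice; ca_issue alice 4711
  server_verify_login alice "$WORK/alice.crt" && echo "alice: login ok"
  client_make_csr bob
  ca_issue bob 1234 || echo "bob: disabled account, no cert issued"
  ca_issue alice 0000 || echo "alice with wrong PIN: no cert issued"
  attacker_self_signed alice
  server_verify_login alice "$WORK/rogue.crt" || echo "rogue cert: rejected"
  server_verify_login bob "$WORK/alice.crt" || echo "alice's cert for bob: rejected"
  client_bundle_p12 alice && echo "alice.p12: private key extractable"
}
run_demo
```

Two things in this flow deserve attention when reviewing a plan like the bank's. First, the certificate on its own is only half of the login check: the service has to verify both the chain to its own CA and that the subject matches the account being logged into, otherwise any enrolled customer's cert would do. Second, the last step illustrates Shawn's parenthetical about export: the key pair is generated and stored on the client, so a browser that hides the export button is a usability setting, not a security boundary; if the client machine is compromised, the key and cert leave with it, which is exactly the "game over" case he describes.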
