mailing list archives
Re: [PEN-TEST] Your opinions are solicited ...
From: "St. Clair, James" <JStClair () VREDENBURG COM>
Date: Tue, 31 Oct 2000 07:00:24 -0800
Jim Miller asked..
What do you think of the security schema planned?
First of all, it sounds like they want to deploy MS IIS to support the SSL
sessions. There are enough flaws to choose from in IIS that is probably your
first "support nightmare". Going with the MS solution gives you
interoperability but a lengthy list of bug fixes from a less than admitting
The sessions will be protected from Net snooping by SSL's 132 bit
encryption, " as strong as IP tunnelling".
Actually, it's not. Bruce Schneier just had an excellent post in his crypt
mail list about the problems of 128, 132, or 264 (choose a number) bit
encryption and "bit entropy" - whether the app could draw on a full random
combination of 132 bits that gives you that 2(132) chances to try.
Additionally, a 132 bit encryption that relies on a 7 or 9 character
password can only generate entropy at the 40 bit level roughly.
What schema would you use?
I don't know. I don't know your OS, your network configuration, the number
of entry points, the ISP, the number of modems, etc. that all may provide my
access to your network, steal a password for the application, and have
access to the client side of the transactions.
From a risk management perspective, your solution is
I would suggest something in the cash mgt app tie to my infrastructure
management to allow realtime monitoring of transactions. Over time, an
unauthorized user could be identified through IP addresses that don't
correspond to authorized clients, in the event the SSL is compromised.
What do you think of the reason given for not using VPN?
Because security requires too much heavy lifting. If it is a "nightmare" top
try to deploy Kerberos, IPsec, and PPTP as part of the Win2K suite, I'd look
to a ISV solution.
As pointed out in another post, a Cytrix metaframe combo may be a better
idea. Win2K includes the kernel from Windows Terminal Server that has the
Citrix WinFrame properties included, afaik.
Hope this helps some, if but to further the discussion.
James St. Clair