Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: [PEN-TEST] Your opinions ... more info
From: Jim Miller (MillerJFABSSB.COM)
Date: Tue Oct 31 2000 - 11:44:44 CST

Thank you for all of your responses. It was late and I neglected to include some significant details. I will try to make all clarifications here. Keep in mind my job function: I am an IT auditor. My job is to reduce technical business risk. I am consulting to my client, who is not all that cooperative and forthcoming, and appears from my experience not to understand completely the technology being deployed. But that may just be smoke and mirrors to keep me from interfering.

Is the certificate authentication process adequate for the cash mgt application, or is a VPN recommended? All other issues are off target.

On the outside of the firewall is Cisco 1720 with public addressing. There is an intrusion detection server connected to it, and of course it has connections to the firewall and to the Net. On the inside of the firewall is the internal network using proprietary addressing. The DMZ/firewall island uses proprietary addressing, and this is where the cash mgt application and the certificate server are to be located, probably both on the same box. The firewall is configured to protect the island from both inside and outside access.

The bank will issue its own certificates using MS Certificate Server. They will not use the recommended method, certificate hierarchy. They will instead manually set up and issue certificates to clients when a request is approved. The certificates will be installed in MS IE by our support at client sites after receipt via email of the notification of certificate approval. Any detection of certificate compromise will be addressed by revocation and re-issuance to the client using the manual / approval process.

The cash mgt application controls password issuance and policy enforcement. The password data is located with the CMI application on the firewall island. Passwords are set up by a client security admin, who sets up client users. We don't need to get into this, as it is obvious that application based authentication is a weak control at best. [And to add insult to injury, the password length will be 6 bytes.] The issue is the reliance on the certificate schema versus the VPN. We could argue forever about the effectiveness of authentication by logonid/password, and I'd rather focus on the issue.

VPN Solution:
Windows 2000 Server and Windows 2000 clients was the solution I was recommending as a stronger solution. Given what I have read, I could not see where this solution would add any support burden over the certificate solution. This solution uses client/server IP tunneling with PPTP/L2TP, MS-CHAP v.2, and certificate authentication. See: http://www.microsoft.com/NTServer/commserv/deployment/planguides/VPNSecurity.asp From what I read, it is simple to implement. http://www.techrepublic.com/article.jhtml?src=search&id=r00220001018jim02.htm and is a much more secure solution for an application with high risk. It also would allow the use of NT password policy enforcement, a significant improvement over the application password schema.

Reasons for not using the VPN solution:
 From the responses I received from IT staff, I was under the impression that they were recommending a vendor's solution without due consideration of the security problem. I could not see, based on what I read, that the VPN solution would add any more support burden than the certificate schema, as they insisted. But I have never administered a VPN. Am I missing something here? What is the burden of administering a VPN to 50 clients who retain their configuration and use it daily?

SSL is to be used to secure the packets from view by the public over the Net. A debatable point is whether this solution is equal to the security provided by IP tunneling using the MS products above, and if I made a mistake saying 132 bit rather than 128 bit, it's a moot point.

A penetration test was run on the firewall and it was reported that 3 ports were left open. I was privy only to the summary report, and was told that the open ports were really not a problem, as "they only appeared to an outsider to be open. They were truly secured.". After learning more, I found a respected source who agreed that open is open. The point being that this certificate schema is only as strong as the firewall. It's a Cisco PIX Firewall Router, and I'm told not to worry, "It's an industry standard.". What is your opinion?

The client base will not exceed 200, so scaling is not really an issue.
Whatever solution is implemented, it will be from Microsoft. I can't fight city hall.
I'm told the client browser screen will show we are using HTTPS, not HTTP.
There is no requirements document and no design specs. This is typical for small IT shops. They just wing it.
There will be legal contracts with the customer/client, again a moot point, since the issue is the use of VPN as compared to certificates alone.
Physical security of the client is a recognised issue. The client can be compromised any number of ways if accessible. Again, not the issue under consideration here.

I hope this will allow us to focus in on the target: certificates alone versus VPN.


Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas 77805-8100