From: Jolyon Ansuz (jolyonaETRADE.COM.AU)
Date: Mon Sep 03 2001 - 20:22:37 CDT

    Ladies & Gents,

    IRE (http://www.safenet-inc.com/index.asp) make a software VPN solution
    called Safenet/Soft-PK. This solution is also rebadged by Cisco. Some of you
    may use it, some may never have heard of it.

    For those familiar with it, I have a bug.

    When you save a policy with it and choose to make it lockable, there are two
    flaws.
    1. It is saved in plaintext.
    2. It is editable and reloadable in Notepad.

    E.g.    "IPADDR" =dword:0a810a01
            "PORTNAME"="SQL"
            "PORT"=dword:00000599

            This maps an SQL Port (1433) to box 10.129.10.1

            "IPADDR" =dword:0a810a01
            "PORTNAME"="DEMO"
            "PORT"=dword:00000017

            This is now mapped to port 23 on the same box.

    If you reload an edited policy it loads completely, still showing the "This
    Policy Is Locked" message.

    I know that you will still need a certificate or pre-shared key.
    I know that this software should only be used by trusted sources.

    Please note that good security on the/your firewall should be implemented in
    case of such a breach.

    I hope that IRE can implement some safer encryption on their policy files.

    Sincerely,

    Jolyon Ansuz

    Network Administrator
    E*Trade Australia
    telephone: +61 2 92535439
    facsimile: +61 2 92474599
    email: jolyonaetrade.com.au
    -------------------------------------------------------------- - - -
    The contents of this message do not reflect the views or in any way the
    opinion of E*Trade Australia and/or its subsidiaries. They also accept no
    responsibility or liability for it whatsoever.
    -------------------------------------------------------------- - - -
    Homo homini lupus.
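
Added example, not part of the original post and not code from the Soft-PK product: a defender-side check that decodes the entries quoted above and reports how a policy file found on a client differs from the copy the administrator issued, since the "locked" flag gives no such assurance. It assumes one connection per file in exactly the three-key layout the post shows; the function names and sample strings are constructed for illustration.

```python
import hashlib
import ipaddress
import re

# Constructed samples, copied from the two excerpts quoted in the post.
BASELINE = '"IPADDR" =dword:0a810a01\n"PORTNAME"="SQL"\n"PORT"=dword:00000599\n'
EDITED = '"IPADDR" =dword:0a810a01\n"PORTNAME"="DEMO"\n"PORT"=dword:00000017\n'

# "NAME"=dword:XXXXXXXX  or  "NAME"="string" (optional spaces around '=').
ENTRY = re.compile(
    r'^\s*"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{8})|"([^"]*)")\s*$'
)


def parse_policy(text):
    """Decode each entry: IPADDR to dotted quad, other dwords to integers."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if not match:
            continue  # ignore anything that is not a key/value entry
        name, dword, string = match.groups()
        if dword is None:
            entries[name] = string
        elif name == "IPADDR":
            # The post reads 0a810a01 as 10.129.10.1, i.e. big-endian.
            entries[name] = str(ipaddress.IPv4Address(int(dword, 16)))
        else:
            entries[name] = int(dword, 16)
    return entries


def diff_policy(issued, found):
    """Return {key: (issued value, found value)} for every changed entry."""
    a, b = parse_policy(issued), parse_policy(found)
    return {k: (a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}


def fingerprint(text):
    """SHA-256 of the whole file, to be recorded when the policy is issued."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    if fingerprint(BASELINE) != fingerprint(EDITED):
        for key, (old, new) in diff_policy(BASELINE, EDITED).items():
            print(f"{key}: issued {old!r}, found {new!r}")
```

The fingerprint catches any change to the file, including lines the parser skips; the diff then shows which decoded values moved.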