Re: [fw-wiz] VPNmadness gets more support;
From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 02/04/05
- In reply to: R. DuFresne: "[fw-wiz] VPNmadness gets more support;"
To: "R. DuFresne" <dufresne@sysinfo.com>, "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Fri, 04 Feb 2005 13:05:10 -0000

That article reads like a lot of FUD IMHO.

According to the NTA Monitor article, the attacks centred around username
enumeration, password hash capturing through use of Aggressive Mode and
off-line password cracking.

I don't doubt that a badly configured VPN is insecure (use of the Null
encryption algorithm springs to mind) and that statistics can claim how
many are probably insecure, but I do think that the focus is incorrectly
directed at the VPN technology and not at the
users/admins/consultants/whoever.

Use certificates. Don't use Aggressive Mode. Patch the software. Don't
spread FUD unless you have to. ;)

Kev

>
> We asked about a year and a half ago <maybe two years ago even...> a
> number of folks on and off this list if our prediction that the use of
> VPNs resulted in our suspected hypothesis that 75% or more of all the VPN
> solutions in place actually did little or nothing to protect assets for
> those employing them, well, the percentage we claimed at the time should
> perhaps be boosted to 90%+ now eh:
>
>
> February 01, vnunet.com - Virtual private networks (VPNs) are often the
> weakest security link, study says. A three-year research project by
> security firm NTA Monitor has concluded that nine out of 10 virtual private
> networks (VPNs) have exploitable vulnerabilities. Most of the companies that
> had their VPNs tested as part of the project thought that they were
> invulnerable to hackers, but researchers found the same types of flaw
> repeated across the whole product range. The report stated that, in some
> cases, VPNs were actually the weakest security link in an organization.
> The most widespread flaw involved the hacking of user names. Other
> vulnerabilities center around password cracking.
> Report: http://www.nta-monitor.com/news/vpn-flaws/index.htm
> Source: http://www.vnunet.com/news/1160912
>
> Thanks,
>
>
> Ron DuFresne

--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
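
Added example, not part of the original message or thread: IKEv1 Aggressive Mode, which the reply above advises against, puts the peer identity and an authentication hash on the wire before encryption starts, so a defender can confirm whether a gateway still negotiates it by classifying captured UDP/500 datagrams. The header layout and type codes follow RFC 2408/2409; the helper names (`parse_isakmp`, `finding`, `build`) and the sample messages are constructed for illustration.

```python
import struct

# ISAKMP (IKEv1) header values from RFC 2408 / RFC 2409.
MAIN_MODE, AGGRESSIVE_MODE = 2, 4
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
FLAG_ENCRYPTED = 0x01

def parse_isakmp(datagram):
    """Return exchange type, encryption flag and cleartext payload chain."""
    if len(datagram) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    next_pl, version, exch, flags, _msgid, length = struct.unpack(
        "!16x4BII", datagram[:28])
    if version != 0x10 or length > len(datagram):
        raise ValueError("not a complete IKEv1 message")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    payloads, offset = [], 28
    while next_pl and not encrypted:          # encrypted bodies are opaque
        if offset + 4 > length:
            raise ValueError("payload header runs past the message")
        following, _, pl_len = struct.unpack("!BBH", datagram[offset:offset + 4])
        if pl_len < 4 or offset + pl_len > length:
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD.get(next_pl, str(next_pl)))
        next_pl, offset = following, offset + pl_len
    return {"exchange": exch, "encrypted": encrypted, "payloads": payloads}

def finding(datagram):
    """Audit note for one captured message, or None if nothing to report."""
    msg = parse_isakmp(datagram)
    if msg["exchange"] != AGGRESSIVE_MODE:
        return None
    exposed = [p for p in ("ID", "HASH") if p in msg["payloads"]]
    return "Aggressive Mode in use; sent in clear: " + (", ".join(exposed) or "none")

def build(exch, chain, flags=0):
    """Assemble a constructed test message from (payload_type, data) pairs."""
    body = b""
    for i, (_, data) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = chain[0][0] if chain else 0
    return bytes(16) + struct.pack("!4BII", first, 0x10, exch, flags, 0,
                                   28 + len(body)) + body

# Constructed samples (zero-filled payload bodies, not real captures).
AGGR_REPLY = build(AGGRESSIVE_MODE, [(1, bytes(8)), (4, bytes(16)),
                                     (10, bytes(8)), (5, bytes(8)), (8, bytes(20))])
MAIN_FIRST = build(MAIN_MODE, [(1, bytes(8))])
```

Any non-`None` result from `finding` on traffic to your own gateway means Aggressive Mode is still accepted there and the configuration should be changed.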