RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
From: R. Benjamin Kessler (rbk_at_midwestnsg.com)
Date: 03/11/05
- Previous message: R. DuFresne: "Re: [fw-wiz] MJR on Linux/OSS"
- Maybe in reply to: Christian Eich: "[fw-wiz] SaveUserPassword in Cisco VPN Client with PIX"
To: <firewall-wizards@honor.icsalabs.com>
Date: Fri, 11 Mar 2005 13:35:35 -0500
What about using certificates instead? Recent versions of the Cisco VPN
client offer this as a method of authentication instead of passwords;
this would help fix the end-user "problem" without creating a potential
stolen-laptop security risk.
~~~~~~~~~~
R. Benjamin Kessler
Sr. Network Consultant
CCIE #8762, CISSP, CCSE
Midwest Network Services Group
Email: rbk@midwestnsg.com
http://www.midwestnsg.com
Phone: 260-625-3273
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Paul Melson
> Sent: Monday, March 07, 2005 4:32 PM
> To: 'Christian Eich'
> Cc: firewall-wizards@honor.icsalabs.com
> Subject: RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
>
> Christian,
>
> If it's worth keeping individual users' access separate, then IMHO it is
> still worth making them sign on manually, even if the password is only
> useful for a handful of things.
>
> Write-protecting the .pcf file will maintain SaveUserPassword=1. This is
> probably easier than asking the PIX to do it. I think you would have to
> use some variation of 'isakmp peer ... no-config-mode' since IKE Config
> Mode is what sets this policy on the client (along with DNS/WINS/domain,
> etc.). This is really meant to allow site-to-site tunnels to share isakmp
> and crypto map configs with VPN clients on the same PIX by creating
> exceptions for specific peer addresses. Using this with a large number of
> VPN clients would be messy. Neither means is especially elegant.
>
> PaulM
>
>
> -----Original Message-----
> Subject: Re: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
>
> Good Point :-)
>
> First of all, these passwords are not the ones used in the internal
> network. The VPN doesn't even end in the internal network.
>
> The VPN is used for 500 sales people who get email and downloads that are
> individually prepared for them (mostly updates on contracts which are
> already stored on the notebook). So if someone steals that notebook he
> already has the data. The stored password only provides him with
> subsequent updates plus email.
>
> On the other hand these people come and go. So we need to lock them out
> individually when they leave the company. Therefore we want to use XAUTH.
>
> I hope this explains why I want to do it. I just don't know how.
>
> I'm currently testing a suggestion to write protect the pcf file. You'll
> get a summary on the solution, once I got it working.
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
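The thread turns on two properties of each Cisco VPN Client .pcf profile: whether SaveUserPassword=1 caches the XAUTH password on disk (the stolen-notebook exposure), and whether the file is write-protected so that neither the user nor the policy pushed from the PIX through IKE Config Mode can rewrite that setting. The audit script below is an added example, not code from the list posters or from Cisco. It assumes only that a .pcf profile is INI-style with a [main] section carrying SaveUserPassword (as the thread states); the AuthType value mapping used to recognise certificate profiles is an assumption from memory, and the sample profile is constructed.

```python
"""Audit Cisco VPN Client .pcf profiles for cached XAUTH passwords.

Added example for the fw-wiz thread above (not code from the list or from
Cisco).  A .pcf profile is an INI-style file whose [main] section carries
the connection settings; SaveUserPassword=1 means the client keeps the
user's XAUTH password on disk.  A write-protected profile cannot be
rewritten by the client, so the setting stays whatever the administrator
left in the file.
"""
import configparser
import os
from dataclasses import dataclass

# Constructed sample profile: only the [main] layout and the SaveUserPassword
# key follow the real format; every value here is made up for the example.
SAMPLE_PCF = """[main]
Description=Sales notebook profile (constructed sample)
Host=vpn.example.invalid
AuthType=1
GroupName=sales
Username=jdoe
SaveUserPassword=1
"""

# Assumed AuthType mapping (assumption, from memory of the client):
# 1 = group pre-shared key + XAUTH, 3 = digital certificate.
CERTIFICATE_AUTHTYPE = "3"


@dataclass
class PcfFinding:
    saves_password: bool    # SaveUserPassword=1: XAUTH password cached on disk
    uses_certificate: bool  # AuthType says certificate auth (no password to cache)
    writable: bool          # current user can modify the profile file
    risk: str               # one-line interpretation for the report


def audit_pcf(text: str, writable: bool) -> PcfFinding:
    """Classify one profile from its text and whether the file is writable."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("main"):
        raise ValueError("not a .pcf profile: no [main] section")
    main = parser["main"]  # key lookup is case-insensitive in configparser
    saves = main.get("SaveUserPassword", "0").strip() == "1"
    cert = main.get("AuthType", "").strip() == CERTIFICATE_AUTHTYPE
    if saves and writable:
        risk = "high: XAUTH password cached on disk and profile is user-writable"
    elif saves:
        risk = "medium: XAUTH password cached on disk (profile is write-protected)"
    elif cert:
        risk = "ok: certificate authentication, no XAUTH password to cache"
    elif writable:
        risk = "low: no cached password, but a writable profile lets the user set SaveUserPassword=1"
    else:
        risk = "ok: no cached password and profile is write-protected"
    return PcfFinding(saves, cert, writable, risk)


def audit_pcf_file(path: str) -> PcfFinding:
    """Audit a profile on disk; os.access honours the Windows read-only attribute."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_pcf(text, writable=os.access(path, os.W_OK))


def audit_profile_dir(directory: str) -> dict:
    """Audit every *.pcf in a directory (e.g. the client's Profiles folder)."""
    return {
        name: audit_pcf_file(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if name.lower().endswith(".pcf")
    }


if __name__ == "__main__":
    # Run the constructed sample through both file states.
    for writable in (True, False):
        print(f"writable={writable}: {audit_pcf(SAMPLE_PCF, writable).risk}")
```

Point audit_profile_dir at the client's profile directory on a managed notebook to get one finding per profile; a "high" result is the case Kessler's certificate suggestion removes entirely, while a "medium" result is the write-protected .pcf Melson and Eich discuss, which still leaves the cached password on the disk of a stolen machine.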