RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX

From: R. Benjamin Kessler (rbk_at_midwestnsg.com)
Date: 03/11/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 11 Mar 2005 13:35:35 -0500

    What about using certificates instead? Recent versions of the Cisco VPN
    client offer this as a method of authentication instead of passwords;
    this would help fix the end-user "problem" without creating a potential
    stolen-laptop security risk.

    ~~~~~~~~~~
    R. Benjamin Kessler
    Sr. Network Consultant
    CCIE #8762, CISSP, CCSE
    Midwest Network Services Group
    Email: rbk@midwestnsg.com
    http://www.midwestnsg.com
    Phone: 260-625-3273

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Paul Melson
    > Sent: Monday, March 07, 2005 4:32 PM
    > To: 'Christian Eich'
    > Cc: firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
    >
    > Christian,
    >
    > If it's worth keeping individual users' access separate, then IMHO it is
    > still worth making them sign on manually, even if the password is only
    > useful for a handful of things.
    >
    > Write-protecting the .pcf file will maintain SaveUserPassword=1. This is
    > probably easier than asking the PIX to do it. I think you would have to use
    > some variation of 'isakmp peer ... no-config-mode' since IKE Config Mode is
    > what sets this policy on the client (along with DNS/WINS/domain, etc.).
    > This is really meant to allow site-to-site tunnels to share isakmp and
    > crypto map configs with VPN clients on the same PIX by creating exceptions
    > for specific peer addresses. Using this with a large number of VPN clients
    > would be messy. Neither means is especially elegant.
    >
    > PaulM
    >
    >
    > -----Original Message-----
    > Subject: Re: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
    >
    > Good Point :-)
    >
    > First of all, these passwords are not the ones used in the internal
    > network.
    > The VPN doesn't even end in the internal network.
    >
    > The VPN is used for 500 sales people who get email and downloads that are
    > individually prepared for them (mostly updates on contracts which are
    > already stored on the notebook). So if someone steals that notebook he
    > already has the data. The stored password only provides him with subsequent
    > updates plus email.
    >
    > On the other hand these people come and go. So we need to lock them out
    > individually when they leave the company. Therefore we want to use XAUTH.
    >
    > I hope this explains why I want to do it. I just don't know how.
    >
    > I'm currently testing a suggestion to write-protect the pcf file. You'll
    > get a summary on the solution, once I got it working.
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
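As an added example, not code from this thread or from Cisco: a small Python audit that parses Cisco VPN Client .pcf profiles (assumed INI-style, with a [main] section and the SaveUserPassword, enc_UserPassword and AuthType keys), flags profiles that keep a user password on disk (the stolen-laptop exposure raised above), notes whether a profile already uses certificate authentication, and checks whether the file has been write-protected as suggested in the thread. The sample profiles are constructed, and AuthType=3 meaning certificate mode is an assumption.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample .pcf profiles (not real deployments).
SAMPLE_PROFILES = {
    "sales-xauth.pcf": ("[main]\nHost=vpn.example.invalid\nAuthType=1\n"
                        "Username=jdoe\nSaveUserPassword=1\nenc_UserPassword=0123\n"),
    "sales-cert.pcf": ("[main]\nHost=vpn.example.invalid\nAuthType=3\n"
                       "CertStore=2\nCertName=jdoe\nSaveUserPassword=0\n"),
}

def audit_profile(text):
    """Parse one .pcf body and report whether it caches a user password."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    main = cp["main"] if cp.has_section("main") else {}
    save_flag = main.get("SaveUserPassword", "0").strip() == "1"
    # Exposure only when the flag is on AND a value is actually on disk.
    cached = bool(main.get("enc_UserPassword", "").strip())
    return {
        "host": main.get("Host", ""),
        "stores_user_password": save_flag and cached,
        # Assumption: AuthType=3 is the certificate (RSA signature) mode.
        "certificate_auth": main.get("AuthType", "1").strip() == "3",
    }

def is_write_protected(path):
    """True if no write bit is set: the thread's way of pinning the flag."""
    return not os.stat(path).st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)

def demo():
    """Write the samples to a temp dir, write-protect one, and audit both."""
    report = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_PROFILES.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            if name == "sales-xauth.pcf":
                os.chmod(path, 0o444)  # pin the profile as the thread suggests
            report[name] = dict(audit_profile(body),
                                write_protected=is_write_protected(path))
    return report

if __name__ == "__main__":
    print(demo())
```

Run it across the profile directory of a fleet image to find laptops that cache XAUTH passwords and have not yet moved to certificates.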