audit perspective: proof that all connections are encrypted

From: Florin Andrei (florin_at_andrei.myip.org)
Date: 09/16/05

  • Next message: David Wolever: "ssh -R only listening on lo"
    To: secureshell@securityfocus.com
    Date: Thu, 15 Sep 2005 16:05:38 -0700
    
    

    I have what's perhaps a slightly unusual question.

    Suppose company X is going through an audit (think: SOX). Suppose one of
    the questions that the auditors ask is: "we want proof that all your
    remote access devices only allow encrypted connections, not plaintext".

    With a VPN concentrator, that's easy: you show them the encryption
    algorithms that are enabled, show them that plaintext is a disabled
    option and they're happy.

    But how about openssh? Which is the config item in sshd_config that says
    "if the client does not agree with all these encryption schemes, all of
    which are not plaintext, terminate the connection"?

    Essentially, we have to prove that plaintext is rejected by the server.

    Any connection with the Ciphers and MACs options in sshd_config?

    Hopefully I'm making myself understood. This is not a strictly technical
    question, it's somewhere on the border between technical issues and
    legal issues. I need an answer that will satisfy people who are not
    geeks - if I'm being sent in the right direction I can build a coherent
    response myself (hopefully) but I need a starting point.

    I believe that this kind of issue will become more common in the near
    future, as the practice of auditing will extend to more and more
    companies.

    Thanks,

    -- 
    Florin Andrei
    http://florin.myip.org/
    

  • Next message: David Wolever: "ssh -R only listening on lo"