audit perspective: proof that all connections are encrypted
From: Florin Andrei (florin_at_andrei.myip.org)
To: email@example.com
Date: Thu, 15 Sep 2005 16:05:38 -0700
I have what's perhaps a slightly unusual question.
Suppose company X is going through an audit (think: SOX). Suppose one of
the questions that the auditors ask is: "we want proof that all your
remote access devices only allow encrypted connections, not plaintext".
With a VPN concentrator, that's easy: you show them the encryption
algorithms that are enabled, show them that plaintext is a disabled
option and they're happy.
But how about openssh? Which is the config item in sshd_config that says
"if the client does not agree with all these encryption schemes, all of
which are not plaintext, terminate the connection"?
Essentially, we have to prove that plaintext is rejected by the server.
Any connection with the Ciphers and MACs options in sshd_config?
Hopefully I'm making myself understood. This is not a strictly technical
question, it's somewhere on the border between technical issues and
legal issues. I need an answer that will satisfy people who are not
geeks - if I'm being sent in the right direction I can build a coherent
response myself (hopefully) but I need a starting point.
I believe that this kind of issue will become more common in the near
future, as the practice of auditing will extend to more and more
-- Florin Andrei http://florin.myip.org/
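An added example, not code from the original post, of the kind of check an evidence package for the Ciphers/MACs question could be built on. It parses an sshd_config, takes the first global occurrence of each keyword (sshd's own first-value-wins rule, stopping at the first Match block), and fails the audit if Ciphers or MACs is left unset (the compiled-in default applies and the file shows nothing) or lists any algorithm outside an explicit allowlist. The three config files are constructed for the example, the allowlists are an assumption of this example rather than an OpenSSH default, and the parser assumes the whitespace-separated `Keyword value` form.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for an
# explicit, non-plaintext Ciphers/MACs policy. The sample configs below are
# constructed for this example; the allowlists are an assumption, not a standard.

# Three constructed sshd_config files: unset (falls back to compiled-in
# defaults, nothing to show an auditor), legacy (lists deprecated algorithms),
# and pinned (explicit allowlist placed before any Match block).
UNSET_CFG=$(mktemp); LEGACY_CFG=$(mktemp); PINNED_CFG=$(mktemp)
trap 'rm -f "$UNSET_CFG" "$LEGACY_CFG" "$PINNED_CFG"' EXIT

cat >"$UNSET_CFG" <<'EOF'
Port 22
PermitRootLogin no
EOF

cat >"$LEGACY_CFG" <<'EOF'
Port 22
Ciphers aes256-ctr,arcfour
MACs hmac-sha2-256,hmac-md5
EOF

cat >"$PINNED_CFG" <<'EOF'
Port 22
PermitRootLogin no
# First occurrence of a keyword wins in sshd_config; pin both lists here,
# in the global section, so nothing later in the file can widen them.
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Match User backup
    PasswordAuthentication no
EOF

# effective_value FILE KEYWORD
# Prints the value of the first global (pre-Match) occurrence of KEYWORD,
# mirroring sshd's first-value-wins rule; prints nothing if it is unset.
# Assumes the "Keyword value" form ("Keyword=value" is not parsed here).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }          # global section ends here
        $1 ~ /^#/ || NF < 2    { next }          # comments and blank lines
        tolower($1) == key && !found { val = $2; found = 1 }
        END { print val }' "$1"
}

# audit_algorithms FILE KEYWORD ALLOWLIST
# Returns 0 only if KEYWORD is set explicitly and every listed algorithm is
# in the comma-separated ALLOWLIST; prints one finding per problem.
audit_algorithms() {
    file=$1; key=$2; allow=$3
    val=$(effective_value "$file" "$key")
    if [ -z "$val" ]; then
        echo "FAIL: $key not set in $file; compiled-in default applies"
        return 1
    fi
    rc=0
    for alg in $(printf '%s' "$val" | tr ',' ' '); do
        case ",$allow," in
            *",$alg,"*) ;;
            *) echo "FAIL: $key lists non-approved algorithm '$alg'"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "PASS: $key = $val"
    return "$rc"
}

# Allowlists: an assumption for this example (AEAD or CTR ciphers,
# SHA-2 MACs), not an OpenSSH default. Replace with your own policy.
APPROVED_CIPHERS="aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
APPROVED_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"

# audit_config FILE -> 0 if both Ciphers and MACs pass, 1 otherwise.
audit_config() {
    overall=0
    audit_algorithms "$1" Ciphers "$APPROVED_CIPHERS" || overall=1
    audit_algorithms "$1" MACs    "$APPROVED_MACS"    || overall=1
    return "$overall"
}

for f in "$UNSET_CFG" "$LEGACY_CFG" "$PINNED_CFG"; do
    echo "== $f"; audit_config "$f" || true
done
```

On a live host the same two values are better taken from the daemon than from the file: `sshd -T` (run as root, on OpenSSH 5.1 and later) prints the effective configuration, and `ssh -Q cipher` / `ssh -Q mac` (6.3 and later) list what the installed build can negotiate at all; a standard OpenSSH build has no "none" transport cipher in that list, which is the direct answer to the plaintext question. A pinned Ciphers/MACs line then narrows the negotiable set further, and a peer whose KEXINIT offers only algorithms outside it is disconnected before any session data flows, which recent sshd versions log as "no matching cipher found" (or "no matching MAC found") together with the peer's offer.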