From frankw@in.net Tue Sep 3 07:23:31 1996
Received: from su1.in.net (su1.in.net [199.0.62.2]) by suburbia.net (8.7.4/Proff-950810) with SMTP id HAA04011 for ; Tue, 3 Sep 1996 07:23:27 +1000
Received: from pm1-19.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA25924; Mon, 2 Sep 96 16:23:51 -0400
Date: Mon, 2 Sep 96 16:23:51 -0400
Message-Id: <9609022023.AA25924@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: best-of-security@suburbia.net
From: Frank Willoughby
Subject: Re: BoS: Re: S/key & secureid

At 10:52 PM 8/31/96 -0400, "Gary G. Hull" allegedly wrote:

>On Thu, 29 Aug 1996 potlicker@morebbs.com wrote:
>
>> Anyone else had trouble or success getting Secure ID to run on a
>> TIS Gauntlet?
>> PoT_LiCkEr

8< [snip]

>We had great success getting securid running on our TIS. All we had to do
> was register the TIS box with the master server, move a copy
> of the sdconf.rec file to the /var/ace directory on the TIS and
> remove the existing securid file. A new securid file is created
> by the system at the time the first authentication login is
> accomplished.
> Hope this helps. Good luck....
>
> |/
> ---o0o-@@-o0o---------
>
> Gary G. Hull - Technical Consultant
> email: gary_hull@glaxowellcome.com

Hopefully, the SecurID connection is being used to authenticate internal users before they go to the Internet and not for incoming connections.

Using SecurID (or Digital Pathways, S/Key, etc) is *lethal* if you are planning on using it to authenticate users from the Internet who wish to access a system on your internal network which is protected by the firewall. The reason is that the user may have his/her session hijacked by an attacker.

Please note that this is *NOT* a security problem with Gauntlet or any other firewall. The problem is relying on authentication-only mechanisms for protection. Implementing User->Firewall encryption will help to solve this problem.
Again, I strongly advise against using SecurID (or any other authentication-only solution) for incoming Internet connections to an internal system.

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist
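The point Frank makes above, as an added illustration that is not part of this thread: a one-time password such as S/Key proves who is at the keyboard at login time only, so a session that merely records "authenticated" accepts whatever arrives on the channel afterwards, while a session whose every command is bound to a per-session key (standing in for the user-to-firewall encryption he recommends) rejects anything not produced by the holder of that key. The hash-chain verifier follows the S/Key construction with SHA-256 in place of MD4/MD5; the session key is assumed to come from the tunnel's own key exchange and is simply passed in here.

```python
import hashlib
import hmac


def hash_chain(seed: bytes, n: int) -> bytes:
    """Apply the hash n times: the S/Key (Lamport) one-time-password chain."""
    value = seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class OtpVerifier:
    """Server side of S/Key: holds hash^n(seed), accepts hash^(n-1)(seed), then steps down."""
    def __init__(self, seed: bytes, n: int):
        self.current = hash_chain(seed, n)
        self.remaining = n

    def check(self, otp: bytes) -> bool:
        if self.remaining == 0 or hashlib.sha256(otp).digest() != self.current:
            return False
        self.current = otp          # the OTP just used can no longer be replayed
        self.remaining -= 1
        return True


class AuthOnlySession:
    """Authentication-only model: once logged in, any later command is accepted,
    because nothing ties a command to the party that presented the OTP."""
    def __init__(self, verifier: OtpVerifier):
        self.verifier = verifier
        self.authenticated = False

    def login(self, otp: bytes) -> bool:
        self.authenticated = self.verifier.check(otp)
        return self.authenticated

    def handle(self, command: bytes, tag: bytes = b"") -> bool:
        return self.authenticated


def sign(session_key: bytes, command: bytes) -> bytes:
    """Tag a command under the session key (what the encrypted tunnel does for every byte)."""
    return hmac.new(session_key, command, hashlib.sha256).digest()


class BoundSession(AuthOnlySession):
    """Encrypted-tunnel model: every command must carry a valid tag under the session key."""
    def __init__(self, verifier: OtpVerifier, session_key: bytes):
        super().__init__(verifier)
        self.key = session_key      # assumed to come from the tunnel's key exchange

    def handle(self, command: bytes, tag: bytes = b"") -> bool:
        return self.authenticated and hmac.compare_digest(tag, sign(self.key, command))
```

The same OTP is rejected on a second presentation in both models; only the bound session also rejects a command that arrives without the session key.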