rgm at ICSA.NET
Tue Jan 2 15:43:32 EST 2001
At 12:22 AM 12/30/2000 -0500, Ryan McBride wrote:
>Although implementing a certificate based authentication system will
>force the administrator to think and operate in a more structured
>fashion, there are drawbacks to using such a system that you're
>- Certificate based authentication results in a single point of
> failure, the Certification Authority.
Proper hardware makes this really hard (other than physical and social
engineering together). Products like Luna go a long way to protect the CA.
>- An attacker who subverts the CA certificate on either the initiator
> or responder sides may be able to mount a man-in-the-middle attack.
And the attacker can get the pre-shared secret. Probably easier.
>Certificate based authentication shifts around the problems of key
>management and distribution, but it does not remove them.
Depends on the scale of the system. With hundreds of users, pre-shared becomes
a management disaster.
Anyway, how do you do remote access with pre-shared? Aggressive mode? Xauth?
They both have their place.
Senior Technical Director
ICSA Labs, a division of the TruSecure Corporation
Fax: (248) 968-2824
rgm at icsa.net
There's no limit to what can be accomplished
if it doesn't matter who gets the credit
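As an added example that is not part of the original post or of the thread: a strongSwan ipsec.conf / ipsec.secrets fragment showing the two remote-access setups the reply asks about side by side, a group pre-shared key with IKEv1 aggressive mode plus XAuth, and the certificate-based alternative in which the gateway only needs the CA certificate. It also makes the scaling point concrete: with PSK + XAuth every user is a line in the gateway's secrets file, with certificates adding a user touches only the CA. All names, addresses, file names, DNs and secrets are assumptions made for the example.

```ini
# /etc/ipsec.conf (strongSwan) -- added example, names/addresses are assumptions

config setup

conn %default
    keyexchange=ikev1
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%defaultroute
    leftsubnet=10.0.0.0/8
    right=%any
    auto=add

# Remote access with a pre-shared key.
# In main mode the responder must pick the PSK by the initiator's IP
# address before identities are exchanged, which does not work for road
# warriors on dynamic addresses; aggressive mode sends the ID in the first
# message, so one group PSK selects the connection and XAuth supplies the
# per-user credential.
conn rw-psk-xauth
    leftid=@vpn.example.com
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.99.0.0/24
    aggressive=yes

# Remote access with certificates.
# Main mode, gateway presents its own cert, and accepts any peer whose
# cert chains to the assumed CA. No per-user state on the gateway.
conn rw-cert
    leftcert=gatewayCert.pem
    leftid="C=US, O=Example, CN=vpn.example.com"
    leftauth=pubkey
    rightauth=pubkey
    rightca="C=US, O=Example, CN=Example CA"
    rightsourceip=10.99.1.0/24

# /etc/ipsec.secrets -- added example, secrets are placeholders

# Group PSK for rw-psk-xauth: shared by every road warrior.
vpn.example.com %any : PSK "replace-with-a-long-random-group-secret"

# One XAUTH line per user: this is the part that grows with the user base
# and has to be edited on every gateway whenever a user joins or leaves.
alice : XAUTH "alice-password"
bob   : XAUTH "bob-password"

# Gateway private key for rw-cert; user keys live on the users' machines,
# their certs are issued by the CA, nothing per-user is stored here.
: RSA gatewayKey.pem
```

Two caveats a practitioner would want: current strongSwan refuses IKEv1 aggressive mode with PSK unless `charon.i_dont_care_about_security_and_use_aggressive_mode_psk = yes` is set in strongswan.conf, because the aggressive-mode exchange exposes a hash of the group PSK to offline guessing; and the certificate setup only removes per-user state from the gateway if revocation is handled at the CA (CRL or OCSP reachable from the gateway), otherwise removing a user again means touching every gateway.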
VPN is sponsored by SecurityFocus.COM