Test Certificates?

Robert Moskowitz rgm at ICSA.NET
Tue Jan 2 15:43:32 EST 2001


At 12:22 AM 12/30/2000 -0500, Ryan McBride wrote:

>Although implementing a certificate based authentication system will
>force the administrator to think and operate in a more structured
>fashion, there are drawbacks to using such a system that you're
>omitting:
>
>- Certificate based authentication results in a single point of
>   failure, the Certification Authority.

Proper hardware makes this really hard (other than physical and social
engineering together).  Products like Luna go a long way to protect the CA.

>- An attacker who subverts the CA certificate on either the initiator
>   or responder sides may be able to mount a man-in-the-middle attack.

And the attacker can get the pre-shared secret. Probably easier.

>Certificate based authentication shifts around the problems of key
>management and distribution, but it does not remove them.

Depends on the scale of the system. With hundreds of users, pre-shared becomes
a management disaster.

Anyway, how do you do remote access with pre-shared? Aggressive mode? Xauth?

They both have their place.



Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of the TruSecure Corporation
	(248) 968-9809
Fax:	(248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished
if it doesn't matter who gets the credit
