>Since these people are at customer sites, there is a real potential for
>local eavesdropping. While the one-time-password scheme protects the
>firewall from intrusion, it doesn't protect all of the internal
>machines that the user might log into once he is on the gateway, and
>those passwords will still be sent in the clear. The Internet gateway
>isn't the only way in, and there is a possibility that the passwords
>used on internal machines might also be used on modem servers and the
>like.
What you really need to do is make sure that the same
level of access control is (within reason) applied across the
board. If your only internet access route is through the firewall,
and it requires strong authentication (challenge/response or one-time),
then you theoretically don't have to worry about disclosing
internal passwords.
However, if, as you say, those passwords might also be
used on dialup terminal servers, then you might want to consider
either securing your terminal servers the same way, or encouraging
your users to have different terminal server passwords. The latter
isn't particularly strong.
Generally, you want to make sure you've got a consistent
level of security around your perimeter. So if you're paranoid
enough to require strong authentication for incoming internet
accesses (you should be), you should also consider being paranoid
enough to require it for dialin. Sometimes practicality and business
considerations may make it too unattractive and you need to just
identify that threat as a residual risk, keep your eye on it,
and proceed with business as usual.
Figure out where you're most likely to be attacked from
and block it first (direct internet password sniffs are a good bet)
and then worry about the other stuff.
>It seems like the only safe way to do this is to actually give the
>remote user an encrypted telnet capability so that even the clear
>passwords aren't sniffable at the remote site.
This means that the remote site will need to have a copy
of your encrypting telnet, and will have to be capable of
running it. I.e., it can't be a terminal server or something
dumb like that. Also, if you're getting *that* paranoid, consider
that the remote machine itself could be logging your keystrokes
in the tty driver, either by someone scanning clists or by a
hacked kernel... That's paranoid for you. :) But make sure that
the level of attack you're worrying about resisting is consistent.
Someone who might sniff your password and telnet into you isn't
necessarily going to go to the effort to tap your phone, or social
engineer your modem pool numbers out of your secretaries, or
whatever.
mjr.
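The replay scenario the thread is arguing about, worked through as an added example (this is not code from the original post or from any product it mentions): an attacker at the customer site records the whole session, i.e. the one-time-password login to the gateway and the clear-text password the user then types into an internal host. The one-time password is a Lamport/S/Key-style hash chain using SHA-256 (S/Key used other hashes; SHA-256 is an assumption made here for convenience); the seed, the hostnames and the passwords are constructed sample values. The gateway refuses the replayed one-time password, and hashing the sniffed value does not yield the next one, but the internal host and a modem server that shares its password both accept the replayed clear-text password, which is the residual risk the reply describes.

```python
import hashlib


def hash_n(seed: bytes, n: int) -> bytes:
    """Apply SHA-256 n times: h^n(seed). n == 0 returns the seed itself."""
    x = seed
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x


class OtpServer:
    """Gateway side of a hash-chain one-time password login.

    Stores only the last accepted value h^count(seed), never the seed.
    Each login must present h^(count-1)(seed); verifying it needs one hash.
    """

    def __init__(self, seed: bytes, n: int):
        self.count = n
        self.last = hash_n(seed, n)

    def challenge(self) -> int:
        # Which iteration the server expects next (sent in the clear).
        return self.count - 1

    def login(self, otp: bytes) -> bool:
        if self.count <= 0:               # chain exhausted, re-seed needed
            return False
        if hashlib.sha256(otp).digest() != self.last:
            return False                  # wrong, replayed or stale value
        self.last = otp                   # move down the chain
        self.count -= 1
        return True


class OtpClient:
    """User side: holds the seed and answers with h^challenge(seed)."""

    def __init__(self, seed: bytes):
        self.seed = seed

    def respond(self, challenge: int) -> bytes:
        return hash_n(self.seed, challenge)


class StaticServer:
    """An internal host or modem server with an ordinary reusable password."""

    def __init__(self, password: bytes):
        self.password = password

    def login(self, password: bytes) -> bool:
        return password == self.password


def sniffed_session_replay() -> dict:
    """Record one legitimate session from the customer site, then replay it."""
    seed = b"constructed-seed-do-not-use"          # constructed sample value
    gateway = OtpServer(seed, n=100)
    user = OtpClient(seed)
    internal_host = StaticServer(b"payroll-pw")      # constructed sample value
    modem_pool = StaticServer(b"payroll-pw")         # same password reused

    # Legitimate session, exactly as the eavesdropper sees it on the wire.
    otp_on_wire = user.respond(gateway.challenge())
    gateway_first = gateway.login(otp_on_wire)
    internal_pw_on_wire = b"payroll-pw"              # telnet from the gateway
    internal_first = internal_host.login(internal_pw_on_wire)

    # Attacker replays what was captured.
    gateway_replay = gateway.login(otp_on_wire)
    # Hashing the sniffed value only gives an already-used chain element,
    # not the next one the server wants (that would need a preimage).
    gateway_guess = gateway.login(hashlib.sha256(otp_on_wire).digest())
    internal_replay = internal_host.login(internal_pw_on_wire)
    modem_replay = modem_pool.login(internal_pw_on_wire)

    return {
        "gateway_first": gateway_first,
        "internal_first": internal_first,
        "gateway_replay": gateway_replay,
        "gateway_guess": gateway_guess,
        "internal_replay": internal_replay,
        "modem_pool_replay": modem_replay,
    }


if __name__ == "__main__":
    for name, ok in sniffed_session_replay().items():
        print(f"{name:18s} {'accepted' if ok else 'rejected'}")
```

The server never needs the seed, so a compromised gateway password file gives an attacker nothing they can log in with; the weak link is whatever the user types after the one-time login, which is why the thread's suggestion of an encrypting telnet, or of holding dial-in to the same standard, follows.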