I hope someone more qualified than me can chip in regarding the ins and outs
of NT crypto, but I can make a few points..
First of all, I consider it suboptimal policy to have the same box
authenticating passwords for local access and remote access. I prefer to
have NT Auth for the LAN (if it's an NT LAN ;) and Some Other Way (TACACS+,
S/Key, even a separate user/password list in the RAS box is better than
nothing) for users dialling in. This (in theory - ha!) keeps users reminded
of the fact that the RAS box is a link into the soft, tender underbelly of
the network and that they should be careful with CHOOSING and PROTECTING
their password.
NT boxes can often be tricked or forced into authenticating with weak
encryption or even in the clear. This makes you subject to sniffing,
Man-in-the-Middle etc. Grab L0pht Crack if you want to see how easy it is to
get passwords as they're flying past on your LAN. For a RAS box this
probably isn't a realistic worry. However, if your LAN is not well
firewalled against NetBIOS, it's trivial for external people to pull out
lists of valid users to try and get into your RAS box with, so they'd better
have a better password than their own name or the model of their car.
In summary: The ways in which NT auth sucks shouldn't bother you here, IMO.
The issue is that (I think) you should aim to have an extra layer of
protection for your dialin resources, because they bypass the firewall.
Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-----Original Message-----
From: pdmallya [SMTP:[EMAIL PROTECTED]]
Sent: Friday, April 23, 1999 4:15 PM
To: '[EMAIL PROTECTED]'
Subject: NT authentication
Hi,
How safe or unsafe is NT authentication, especially with a RAS server used
for dial in? I'm told by some (who I think were not necessarily MS bashers)
that the security of NT authentication leaves much to be desired.
Information/pointers on why precisely this is so would be welcome.
Regards
Prabhakar D. Mallya
Infosys Technologies Limited, Bangalore (http://www.inf.com/)
E-MAIL: [EMAIL PROTECTED] PHONE: 91 80 8520261 xtn 1156 FAX 91 80 8520362
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]