
| Subject: | audit perspective: proof that all connections are encrypted |
|---|---|
| Date: | Thu, 15 Sep 2005 16:05:38 -0700 |
I have what's perhaps a slightly unusual question.

Suppose company X is going through an audit (think: SOX). Suppose one of the questions that the auditors ask is: "we want proof that all your remote access devices only allow encrypted connections, not plaintext". With a VPN concentrator, that's easy: you show them the encryption algorithms that are enabled, show them that plaintext is a disabled option and they're happy.

But how about openssh? Which is the config item in sshd_config that says "if the client does not agree with all these encryption schemes, all of which are not plaintext, terminate the connection"? Essentially, we have to prove that plaintext is rejected by the server. Any connection with the Ciphers and MACs options in sshd_config?

Hopefully I'm making myself understood. This is not a strictly technical question, it's somewhere on the border between technical issues and legal issues. I need an answer that will satisfy people who are not geeks - if I'm being sent in the right direction I can build a coherent response myself (hopefully) but I need a starting point.

I believe that this kind of issue will become more common in the near future, as the practice of auditing will extend to more and more companies.

Thanks,

--
Florin Andrei
http://florin.myip.org/
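The kind of evidence the post is asking for is easiest to produce from the server's own configuration. The following script is an added example, not part of the original message or of the OpenSSH project: it parses an sshd_config (a constructed sample is embedded), pulls out the `Ciphers`, `MACs` and `Protocol` directives, and produces a short report an auditor can read. The checks it makes are assumptions about what such an audit would want to see: that the cipher and MAC lists are set explicitly rather than left to compiled-in defaults, that neither list names `none`, and that SSH protocol version 1 is not enabled.

```python
import re

# Constructed sample sshd_config for demonstration; not taken from the original post.
SAMPLE_SSHD_CONFIG = """\
# sshd_config example (constructed)
Port 22
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# Algorithm names that would mean "no encryption" / "no integrity" if they ever
# appeared in a list. Stock OpenSSH does not ship a "none" cipher, so this is
# mainly a guard against third-party patches or hand-edited configs.
WEAK_TOKENS = {"none"}


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    Directives that follow a 'Match' line are stored under a 'match:<criteria>'
    key so they do not get confused with global settings. As in sshd itself,
    the first occurrence of a keyword wins and later duplicates are ignored.
    Only lines whose first non-blank character is '#' are comments.
    """
    config = {}
    scope = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = value
            continue
        store = config if scope is None else config.setdefault("match:" + scope, {})
        store.setdefault(key, value)
    return config


def _csv(config, key):
    """Split a comma-separated directive value into lowercase tokens."""
    return [v.strip().lower() for v in config.get(key, "").split(",") if v.strip()]


def audit(config):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    for key in ("ciphers", "macs"):
        values = _csv(config, key)
        if not values:
            findings.append(f"{key}: not set explicitly; sshd will use its compiled-in default list")
        elif WEAK_TOKENS & set(values):
            findings.append(f"{key}: list contains {sorted(WEAK_TOKENS & set(values))}")
    if "1" in _csv(config, "protocol"):
        findings.append("protocol: SSH protocol version 1 is enabled")
    return findings


def evidence_report(text):
    """Build the summary an auditor would be shown: what is configured, and what was flagged."""
    config = parse_sshd_config(text)
    return {
        "ciphers": _csv(config, "ciphers"),
        "macs": _csv(config, "macs"),
        "protocol": _csv(config, "protocol") or ["(default)"],
        "findings": audit(config),
    }


if __name__ == "__main__":
    report = evidence_report(SAMPLE_SSHD_CONFIG)
    print("Ciphers  :", ", ".join(report["ciphers"]))
    print("MACs     :", ", ".join(report["macs"]))
    print("Protocol :", ", ".join(report["protocol"]))
    if report["findings"]:
        for f in report["findings"]:
            print("FINDING  :", f)
    else:
        print("Result   : all connections must negotiate one of the listed ciphers and MACs")
```

Run it against the live file with `evidence_report(open("/etc/ssh/sshd_config").read())`. The report documents what the server is configured to accept; pairing it with the server's own startup log (which shows the file it actually loaded) gives the auditor both the policy and proof that it is in effect.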