
TR: [FW1] User authentification






I know about the vulnerability but it is still better than clear text.  It
also helps that this is a switched network, so in fact only where we still
have hubs can a password be captured.

The real objection, finally, is that once people are used to entering their NT
username and password in the IE pop-up box, they will do it for any pop-up
request once they are on the Internet (most people would not check where the
request comes from), and now you have the risk of leaking their password in
the open.

As for one-time passwords, we use them for some systems, but distributing and
training 5000 users is something else.  I suppose we will all have to do
that one day, but it would have to be a single logon system that covers all
systems.  No way I would use SecurID logon on all the systems I connect to
every day.

Thank you for your help.

Daniel

-----Original Message-----
From: Dameon D. Welch [mailto:dwelch@hotmail.com]
Date: May 1, 1999 21:13
To: Bourque Daniel; fw-1-mailinglist@lists.us.checkpoint.com
Subject: Re: [FW1] User authentification



> This is for internal users accessing the Internet.  We are now using static
> passwords stored on the FW.  I would like to use NT passwords using a Radius
> server to authenticate, but with that setup, NT passwords would travel in
> clear (from the user to the fw, Fw to Radius is encrypted, I know...).

You realize, of course, that the encryption that NT uses for its passwords
is quite crackable. Go check out the l0pht's website http://www.l0pht.com
and look at l0phtcrack, an NT password cracker.

> The question is: is it possible to use HTTPS as an interface for
> authentication instead of HTTP and if yes, How...  This is really for HTTP
> users.

There does not appear to be a way to do that. I still think one-time
passwords is the way to go here.

-- PhoneBoy


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

