> From: [email protected] [mailto:[email protected]]
> On Behalf Of Ryan
>
> A whole mess of things to consider. If you have a person with a
> security-related degree or has done work like this, bring them in. It is more
> complicated than just "running a scan".
I unfortunately have a very low opinion of somebody being a "security expert" brought in to do scans. For PCI compliance, one of my clients needs to submit to a security company to periodically scan them. Until I came along, they had a PPTP VPN server which was actually insecure, with weak encryption protocols, and everyone using a shared password based on the company name. I threw it away and put up an IPsec VPN server instead, which was actually secure.

Then the security scanning folks started triggering alerts for us: "You're using IPsec aggressive mode with PSK. We don't know if you're using a strong key." So I wrote them a letter explaining 256-bit random key selection, which cleared the alert, but only temporarily. We will need to resubmit that letter every 3 months in order to keep the IPsec available. So I threw it out and built an SSL VPN. They can scan and see our key strength automatically.

Then they started throwing a new alert, "Site certificate domain name mismatch," which is false. We used a wildcard cert *.domain.com, where the VPN server is vpn.domain.com. But their stupid script only knows our IP address, not our DNS name. I tried writing them a letter to say what our DNS name is, but they don't have any way of recording it. Their stupid script can only know your IP address, and from it, must be able to autodetect your DNS name. They say this corresponds to intrusions that have been reported "in the wild," which is purely for the sake of making the customer stop arguing about it. Our choices are to either replace the wildcard cert with a single-DNS-name cert (so their script can autodetect our DNS name) or get the ISP to configure reverse DNS. So, thanks to their security scan, I opted to downgrade from the wildcard cert to a free cert with an explicit DNS name.

I see stuff like this all the time. They have dumb flags that trigger alerts, and the process is about jumping through hoops, rather than actually making intelligent security decisions.
Oh - the PCI compliance firm - they only bother scanning the external IP of our software development center. Don't even bother scanning our production web-facing servers. Very, very moronic and not representative of actual security.

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
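The "domain name mismatch" false positive in the post above comes down to how certificate name matching works when the client connected by IP literal. The following is an added example, not part of the original post or the scanner's code: it implements RFC 6125-style matching for a constructed certificate carrying the SAN entries `*.domain.com` and `domain.com`, and shows that a scan by bare IP can only match if the cert carries an iPAddress SAN or the scanner recovers the hostname through reverse DNS (the `ptr` argument is a stand-in for a PTR lookup).

```python
import ipaddress

# Constructed example: dNSName SAN entries of a wildcard cert like the post's.
CERT_SAN_DNS = ["*.domain.com", "domain.com"]


def _wildcard_match(pattern: str, host: str) -> bool:
    """RFC 6125 style: '*' may only be the whole left-most label and never
    spans a dot, so '*.domain.com' covers vpn.domain.com but neither
    a.b.domain.com nor the bare domain.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Reject '*.com'-style patterns and any label-count mismatch.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def is_ip_literal(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def cert_matches_target(target: str, san_dns, san_ip=()) -> bool:
    """A client that connected by IP literal must find that literal among the
    cert's iPAddress SANs; dNSName entries (wildcard or not) never apply."""
    if is_ip_literal(target):
        addr = ipaddress.ip_address(target)
        return any(addr == ipaddress.ip_address(ip) for ip in san_ip)
    return any(_wildcard_match(p, target) for p in san_dns)


def explain_scan(target: str, san_dns=CERT_SAN_DNS, san_ip=(), ptr=None) -> str:
    """Mimic a scanner that only knows an IP: it can validate the IP literal
    itself, or a hostname it recovers from reverse DNS (ptr), nothing else."""
    if cert_matches_target(target, san_dns, san_ip):
        return "match"
    if is_ip_literal(target) and ptr and cert_matches_target(ptr, san_dns, san_ip):
        return "match via reverse DNS"
    return "mismatch"
```

Scanning `192.0.2.10` (a documentation address used here as a constructed value) against this cert reports a mismatch unless a PTR record maps it back to `vpn.domain.com`, which is exactly the reverse-DNS fix the post mentions.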
