Case 695201: Problems with VPN and checking mail ON campus
Jonathan Reed
jdreed at MIT.EDU
Fri Nov 5 11:10:33 EST 2004
(client dropped from CC list)
>The client needs to use VPN on campus because a short while ago
>their department had an IT Audit and found that since they are
>running a Filemaker 5 server they were sending sensitive data over
>the network in cleartext. The auditor suggested to use VPN to
>encrypt that data.
That may not do any good. The VPN will encrypt the data between the
client machine and W92. Once in W92, it's back in cleartext and is
going over the network to wherever the FileMaker server is. If the
server is in a server room, that's ok, since it's unlikely anyone
will be sniffing backbone traffic. If the server is in their
department, however (i.e. on the same network as the client's
machine), the data will still be in cleartext and this will
accomplish nothing.
>After testing for a while I think I figured out the problem.
>Essentially the ability to get "Address-less Tickets" on the mac
>does not exist.
Yes it does. In the Kerberos utility (/Applications/Utilities, if
you installed Kerberos Extras), there's a checkbox for "Always get
addressless tickets". I think it's even checked by default these
days (as of 10.3, anyway).
Of course, mail uses krb4 for either IMAP or POP, and krb4 has no
concept of addressless tickets. I do wonder, though, why, when a CFM
application (like Eudora) gets an "incorrect network address" error,
the tickets are destroyed. Can't it check to see if the v5 tickets
are addressless and if so, destroy the v4 ones and get new ones?
(Does it use krb524?)
-Jon
--
-------------------
Jonathan Reed
jdreed at mit.edu
-------------------