F18 Network Manager VPN technology question
Eric H. Christensen
sparks at fedoraproject.org
Thu Apr 25 13:52:00 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Thu, Apr 25, 2013 at 12:11:25AM +0200, Péter Sólyom-Nagy wrote:
> Please tell me, what happens if I import a PCF file on the Network Manager
> UI?
I'm not sure we have any specific data on NetworkManager, here. It would be best to contact the developer and discuss your concerns with them. That said, I'll try to address some of your concerns below.
> My PCF file refers to a Cisco VPN using group password.
> - Is the group password accessible during the import (of course it is
> otherwise it's useless...)
Yes, it would need to be accessible to the software in order for the circuit to be established.
> - How it is decrpyted?
The password (any password) isn't encrypted but rather obsfucated. I don't know exactly what the protocol is but it would be whatever Cisco designed.
> - Which programs are involved? (Is any of them so called unsafe?)
I believe NetworkManager has a plugin that it uses for VPN connectivity. I'm not aware of it being "unsafe" but I guess that depends on your definition of "unsafe".
> - Where're the passwords stored? (Probably in KWallet)
I'm not sure as they can be stored in several locations depending on how your system is setup. I believe KWallet is default in KDE but that isn't necessarily where the information will be stored. You could create a dummy account in your VPN software and go in search of the credentials in KWallet and see if they are there.
> - Are the VPN passwords "clear-text" accessible somewhere?
That would depend on how the password is stored (see above).
>
> I need to prove that using this PCF file is secure on F18 too. The PCF file
> is originating from Windows environment. The publishing company uses
> official Cisco client.
Well, you can't prove a negative. Is it safer than using the "official" Cisco client? Probably. It would appear that the official software doesn't have a perfect track record when it comes to security: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+vpn+client.
>
> I know that there are tons of sites and apps to decrypt the password, but I
> need to prove that the basic Fedora installation is secure.
Secure against what? Yes, Cisco didn't do a great job securing their "group password" as, like you say, there are many websites out there that can decrypt it for you. The Fedora software must do the same thing, just as the Cisco software does, to build the VPN circuit. Again, you won't be able to prove that an installation is secure but you can look to see if it is secure against listed attacks or whatnot.
Is the NetworkManager implementation of the Cisco VPN client as secure as the Cisco VPN client? Probably. Is it more secure than the Cisco VPN client? Probably. You can look at all the code used in Fedora's implementation of the VPN client but you can't do that for Cisco's client so you don't know what might be hiding in their code.
Hope that helps.
- --Eric
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iQGcBAEBCgAGBQJReTT9AAoJEB/kgVGp2CYv6bEMAJHZXFxk0L5n7f7tEiJttjoM
Rt9RKq1hzBQmvDZ5TTZXqlCgE75HKRkgILp2COtoKlgRDUpTUMcjDzLmwsdmc1GI
EOlxyH4ZbsgFYcCRSLHHLFIN/31e4zOOlL6Y6jpCnQnEgbXo0AXWmzblPclSVvLg
ZlBv3Y93uF3+NWVXgxLV/MOBc0UUSEHl90ujTmsRvH8zZFf5Y07hQ6bFT0ANu5m1
ARzDDUEdFCGkbPL47oEFGGBYimLO1oez0EqSUC+8jP9svEfRU3Wh43XBSjBContB
CaBbfYOirrCZdzDhE8MYp+/sNpuwaeJXHXlStOI5nnGmxvn/9kOGxfS/Pu4E82ss
/NFRtaMmnXZEiNm5qTWugERZwVeniHpn3ZrcU0zMs8/RR55h0VOTK9t+CKOnYqGy
XK2t7JDIgwJ6kIweYGtGwCoz/UZWRGRfod+yBbjZn1cBeHfY3j5H8jEgdq+5lnD6
EZO+gw1jWUh8a4Y2rmrnIKJjAz41uM/3dyG2Mb3AFQ==
=y9v9
-----END PGP SIGNATURE-----
More information about the security
mailing list