F18 Network Manager VPN technology question

Péter Sólyom-Nagy snagypeter at gmail.com
Thu Apr 25 15:02:12 UTC 2013 

Hi Eric,

Thank you for your reply. That was really informative!

Peter


On Thu, Apr 25, 2013 at 3:52 PM, Eric H. Christensen <
sparks at fedoraproject.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Thu, Apr 25, 2013 at 12:11:25AM +0200, Péter Sólyom-Nagy wrote:
> > Please tell me, what happens if I import a PCF file on the Network
> Manager
> > UI?
>
> I'm not sure we have any specific data on NetworkManager, here.  It would
> be best to contact the developer and discuss your concerns with them.  That
> said, I'll try to address some of your concerns below.
>
> > My PCF file refers to a Cisco VPN using group password.
> > - Is the group password accessible during the import (of course it is
> > otherwise it's useless...)
>
> Yes, it would need to be accessible to the software in order for the
> circuit to be established.
>
> > - How it is decrpyted?
>
> The password (any password) isn't encrypted but rather obsfucated.  I
> don't know exactly what the protocol is but it would be whatever Cisco
> designed.
>
> > - Which programs are involved? (Is any of them so called unsafe?)
>
> I believe NetworkManager has a plugin that it uses for VPN connectivity.
>  I'm not aware of it being "unsafe" but I guess that depends on your
> definition of "unsafe".
>
> > - Where're the passwords stored? (Probably in KWallet)
>
> I'm not sure as they can be stored in several locations depending on how
> your system is setup.  I believe KWallet is default in KDE but that isn't
> necessarily where the information will be stored.  You could create a dummy
> account in your VPN software and go in search of the credentials in KWallet
> and see if they are there.
>
> > - Are the VPN passwords "clear-text" accessible somewhere?
>
> That would depend on how the password is stored (see above).
>
> >
> > I need to prove that using this PCF file is secure on F18 too. The PCF
> file
> > is originating from Windows environment. The publishing company uses
> > official Cisco client.
>
> Well, you can't prove a negative.  Is it safer than using the "official"
> Cisco client?  Probably.  It would appear that the official software
> doesn't have a perfect track record when it comes to security:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+vpn+client.
>
> >
> > I know that there are tons of sites and apps to decrypt the password,
> but I
> > need to prove that the basic Fedora installation is secure.
>
> Secure against what?  Yes, Cisco didn't do a great job securing their
> "group password" as, like you say, there are many websites out there that
> can decrypt it for you.  The Fedora software must do the same thing, just
> as the Cisco software does, to build the VPN circuit.  Again, you won't be
> able to prove that an installation is secure but you can look to see if it
> is secure against listed attacks or whatnot.
>
> Is the NetworkManager implementation of the Cisco VPN client as secure as
> the Cisco VPN client?  Probably.  Is it more secure than the Cisco VPN
> client?  Probably.  You can look at all the code used in Fedora's
> implementation of the VPN client but you can't do that for Cisco's client
> so you don't know what might be hiding in their code.
>
> Hope that helps.
>
> - --Eric
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
>
> iQGcBAEBCgAGBQJReTT9AAoJEB/kgVGp2CYv6bEMAJHZXFxk0L5n7f7tEiJttjoM
> Rt9RKq1hzBQmvDZ5TTZXqlCgE75HKRkgILp2COtoKlgRDUpTUMcjDzLmwsdmc1GI
> EOlxyH4ZbsgFYcCRSLHHLFIN/31e4zOOlL6Y6jpCnQnEgbXo0AXWmzblPclSVvLg
> ZlBv3Y93uF3+NWVXgxLV/MOBc0UUSEHl90ujTmsRvH8zZFf5Y07hQ6bFT0ANu5m1
> ARzDDUEdFCGkbPL47oEFGGBYimLO1oez0EqSUC+8jP9svEfRU3Wh43XBSjBContB
> CaBbfYOirrCZdzDhE8MYp+/sNpuwaeJXHXlStOI5nnGmxvn/9kOGxfS/Pu4E82ss
> /NFRtaMmnXZEiNm5qTWugERZwVeniHpn3ZrcU0zMs8/RR55h0VOTK9t+CKOnYqGy
> XK2t7JDIgwJ6kIweYGtGwCoz/UZWRGRfod+yBbjZn1cBeHfY3j5H8jEgdq+5lnD6
> EZO+gw1jWUh8a4Y2rmrnIKJjAz41uM/3dyG2Mb3AFQ==
> =y9v9
> -----END PGP SIGNATURE-----
>



-- 
*Sólyom-Nagy Péter*
snagypeter at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/security/attachments/20130425/ab8b1d97/attachment.html>

More information about the security mailing list