Re: IMAP server security vulnerability

Hi Arne,

> They should be running with normal privs (possibly NETMBX and TMPMBX).

I'd be interested in hearing the experiences of others who've found the need
to run their servers or servlet-containers at higher privileges.

And for those of you who like VMS Auditing; how do you feel about the
Server's username being logged against the audit logs for failed access
attempts rather than the Client's username? Or wouldn't it be nice to have a
trigger on an Rdb database table that could log the table access into an
auditing table using the Session User Intrinsic rather than the System User?

> If it is web yes.

Not necessarily!

> HTTPS for transport encryption and an old-fashioned username/password
> is common.

How is the username/password presented to the web-service? (In the
wsse:token stuff, or plucked out of the URL, or passed as parameters?)

> If you are into the advanced stuff you use WS-S, which is signing and
> encryption at the message level instead of at the transport level.

Ok, but can you explain a little more about the
WS-Authorization/Authentication mechanisms involved? I guess I was asking
Jan-Erik which method his SOAP implementation was using to pass
Client-Authorization so that we could at least have a real world SOAP
example. (Anyone been able to find examples on the HP/VMS site?)

The gSOAP site says that gSOAP supports WS-Security and unless Jan-Erik's
client doesn't request much except read-only Google-maps or "Give me the
weather forecast" stuff, I'm guessing that the target of his SOAP-call would
want to validate that a) the client is who he says he is, and b) that he's
authorized to perform the requested action on the requested data. I, for
one, am very interested in the codepath for how this is being achieved!

Do you have to pass authorization for each SOAP call, or are you aiming for
a Single-Sign-on mechanism like SAML? The term "Security Interceptors"
sounds interesting also.

As long as our System Managers are abrogating our control over our servers,
data, and security, I'd just like to know a bit more.

Who is your "Identity Provider"? How much does it cost? How long do the
identities live? How do you prevent Identity-Hijacking a la mode de
JavaScript Session-Hijacking? How could one integrate the Identity-providers
"Identity" with our VMS Usernames?

How many of you are working on, or have even seen (website please), an
application that combines update functionality (not
news/sports/weather-aggregators or language translators) from two or more
disparate, heterogeneous SOAP servers and RPCs? WS-AT? "Business Activity"
transactions? BEA got a debit/credit thing happening with OracleiAS
somewhere?

Wanting point-to-point access from you to your bank-account is just too
pedestrian I guess? Having the bank make the account transfers at the
back-end rather than parking your Universal Currency Units temporarily in a
Business Facilitator with compensatory-transaction skills, is clearly the
way of the future...for some.

SOAP by OASIS - talk about a horse designed by committee :-(

Cheers Richard Maher

...And a Merry Christmas to one and all!

"Arne Vajhøj" <arne@xxxxxxxxxx> wrote in message
news:476d860f$0$90267$14726298@xxxxxxxxxxxxxxxxxx
> Richard Maher wrote:
> > What if the login attack was successful; is the last login time(s)
> > updated?
>
> I am not so convinced that it should.
>
> POP3 and IMAP4 are not really a login and will happen very frequently.
>
> If you have a PC fetching POP3 email every 60 seconds, then I would say
> that having that update last non-interactive login decreases security.
>
> > What privileges do your Apache, Tomcat, PHP, Python, and WASD servers
> > run under?
>
> Python is not a server (servers written in Python do exist though).
>
> They should be running with normal privs (possibly NETMBX and TMPMBX).
>
> > Do all these servers assume the VMS persona of the client before
> > attempting to access files/devices etc.?
>
> Obviously not, since login is not always required or even possible if
> it is to be public to everyone.
>
> > If we all continue to ignore Session-Hijacking do you reckon it'll go
> > away?
> >
> > Cookies, Session Ids, Expiration Dates - that's what VMS is all about
> > these days :-(
>
> If it is web yes.
>
> > What's the authentication module for SOAP? Jan-Erik? Still HTTPS or is
> > that not part of the specification?
>
> I do not think I have ever heard of anyone doing web service
> authentication via HTTPS and client certificate.
>
> HTTPS for transport encryption and an old-fashioned username/password
> is common.
>
> If you are into the advanced stuff you use WS-S, which is signing and
> encryption at the message level instead of at the transport level.
>
> Arne
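The thread asks how a username/password is actually presented to a SOAP service "in the wsse:token stuff" and whether a session/nonce can simply be replayed. The following is an added example, not code from this thread, from gSOAP or from any HP/VMS sample: it builds a WS-Security UsernameToken with a PasswordDigest (OASIS UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))) and shows the server-side checks a verifier needs so that a captured token cannot be replayed. The user store (`users`), the usernames/passwords and the five-minute freshness window are constructed assumptions for the demonstration.

```python
"""WS-Security UsernameToken (PasswordDigest) round trip.

Added example, not from the thread or from gSOAP.  Digest rule from the OASIS
Web Services Security UsernameToken Profile 1.0:

    PasswordDigest = Base64( SHA-1( nonce + created + password ) )

where nonce is the raw (base64-decoded) nonce bytes and created/password are
UTF-8 text.  The verifier rejects stale and replayed tokens, which is the part
a digest alone does not give you.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest over raw nonce bytes, the Created string and the password."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def build_username_token(username, password, now=None, nonce=None) -> str:
    """Client side: serialise a <wsse:UsernameToken> carrying a PasswordDigest."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or secrets.token_bytes(16)          # fresh random nonce per request
    created = now.strftime(TIME_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = _digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Server side.  `lookup(username)` returns the stored password or None
    (hypothetical user store).  Seen nonces are remembered for one window."""

    def __init__(self, lookup, window=timedelta(minutes=5)):
        self.lookup = lookup
        self.window = window
        self._seen = {}                               # nonce bytes -> Created time

    def verify(self, token_xml: str, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if None in (username, pw_el, nonce_b64, created) or pw_el.get("Type") != DIGEST_TYPE:
            return False                              # malformed or plaintext token
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(now - created_dt) > self.window:
            return False                              # stale (or clock too far off)
        nonce = base64.b64decode(nonce_b64)
        # Drop nonces older than the window, then refuse anything already seen.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.window}
        if nonce in self._seen:
            return False                              # replayed token
        password = self.lookup(username)
        if password is None:
            return False
        expected = _digest(nonce, created, password).encode("ascii")
        if not hmac.compare_digest(expected, (pw_el.text or "").encode("utf-8")):
            return False                              # wrong password
        self._seen[nonce] = created_dt
        return True


def demo() -> dict:
    """Constructed scenario: fresh token, the same token replayed, the same
    token presented outside the window, and a wrong stored password."""
    now = datetime(2007, 12, 22, 12, 0, 0, tzinfo=timezone.utc)
    tok = build_username_token("richard", "s3cret", now=now, nonce=b"\x01" * 16)
    users = {"richard": "s3cret"}                     # constructed user store
    verifier = UsernameTokenVerifier(users.get)
    return {
        "fresh": verifier.verify(tok, now=now),
        "replay": verifier.verify(tok, now=now),
        "stale": UsernameTokenVerifier(users.get).verify(tok, now=now + timedelta(minutes=10)),
        "wrong_password": UsernameTokenVerifier({"richard": "other"}.get).verify(tok, now=now),
    }


if __name__ == "__main__":
    print(demo())
```

The replay cache is per process here; behind several WASD or Tomcat instances it would have to live in shared storage, and without HTTPS on the transport the digest still leaks the nonce and Created values, so the token only protects the password itself, not the request body.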

