Re: Security Hole in Axent ESM

From: dcuppat_private
Date: Thu Sep 24 1998 - 14:23:14 PDT


    Steve,
    
    What is the real story with 4.5?  I tried getting an upgrade without success.  Your email signature indicates you are the product manager for AXENT ESM.
    
    According to Axent technical support, ESM 4.4 is the latest GA version of ESM.  ESM 4.5 is not the product shipped to customers who order ESM today.  Support could not tell me how to receive a copy of 4.5.
    
    This conflicts with your claims that ESM 4.5 with security fixes has been shipping since March of 1998 and this still leaves my network vulnerable to someone modifying binaries and spoofing the CRC checksums.
    
    IMHO, leaving the CRC file checksums and just adding the MD5 as an option in future versions of ESM may not be clear to most customers that CRC's can be easily spoofed and are weak checksums.  Is there any reason you don't make MD5 the default requirement if you are doing checksums and remove CRC's?
    
    Maybe you can provide clarifications on where to get the security fixes for ESM 4.5 to make it secure?  Your tech support needs the information as well.
    
    Steve Jackson Claims > We at AXENT agree that CRC checks
    Steve Jackson Claims > are not as secure as our
    Steve Jackson Claims > customer base would desire.
    Steve Jackson Claims > Thus, we have added the MD5 (128
    Steve Jackson Claims > bit) check to ESM.  This shipped
    Steve Jackson Claims > in the ESM 4.5 product in March
    Steve Jackson Claims > of 1998.  Now our customers can
    Steve Jackson Claims > choose to run either CRC or MD5
    Steve Jackson Claims > according to their needs.
    Steve Jackson Claims >
    Steve Jackson Claims > I want to respond to comments
    Steve Jackson Claims > regarding the use of XOR within
    Steve Jackson Claims > ESM 4.4 as a method of hiding
    Steve Jackson Claims > communications between servers
    Steve Jackson Claims > and remote clients.  I would
    Steve Jackson Claims > like you to know that the method
    Steve Jackson Claims > employed is not just XOR logic,
    Steve Jackson Claims > but XOR combined with standard
    Steve Jackson Claims > 40 bit data hiding technology.
    Steve Jackson Claims >
    Steve Jackson Claims > We at AXENT recognized that this
    Steve Jackson Claims > methodology was not as secure as
    Steve Jackson Claims > desired. We have enhanced
    Steve Jackson Claims > the communications security
    Steve Jackson Claims > between servers and clients to
    Steve Jackson Claims > utilize a Diffie-Hellman key for
    Steve Jackson Claims > the session, combined with
    Steve Jackson Claims > encrypting every packet across
    Steve Jackson Claims > the wire using DESX encryption.
    Steve Jackson Claims > This has been available since
    Steve Jackson Claims > ESM 4.5 shipped in March of
    Steve Jackson Claims > 1998.  In addition to this,
    Steve Jackson Claims > communications handshaking
    Steve Jackson Claims > occurs at the initiation of
    Steve Jackson Claims > every communication sequence
    Steve Jackson Claims > between client and server.
    Steve Jackson Claims >
    Steve Jackson Claims > Steve Jackson
    Steve Jackson Claims > AXENT Technologies
    
    --
    
    Dan Cupp
    System Administrator
    UNIX / PERL Ninja!
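
The following is an added illustration, not part of the original message and not AXENT's code, of why a CRC baseline gives no tamper evidence while the MD5 option discussed above behaves differently. It uses the common CRC-32 from Python's `zlib` as an assumption (the message does not say which CRC ESM computes), and the sample file contents are constructed.

```python
import hashlib
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc_of_change(original_crc: int, delta: bytes) -> int:
    """CRC-32 of (original XOR delta), computed without the original bytes.

    CRC-32 is affine over GF(2), so for equal-length inputs
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros). The checksum of a modified
    file is therefore fully determined by the old checksum and the change;
    the CRC was designed to catch random errors, not deliberate edits.
    """
    zeros = bytes(len(delta))
    return original_crc ^ zlib.crc32(delta) ^ zlib.crc32(zeros)


def md5_hex(data: bytes) -> str:
    """MD5 digest, the alternative named in the message."""
    return hashlib.md5(data).hexdigest()


def demo() -> dict:
    # Constructed sample standing in for a monitored binary.
    original = b"constructed sample binary contents, v1.0"
    delta = bytearray(len(original))
    delta[5] = 0x20   # flip a few bits at two constructed offsets
    delta[17] = 0x01
    modified = xor_bytes(original, bytes(delta))

    predicted = crc_of_change(zlib.crc32(original), bytes(delta))
    return {
        # The new CRC follows from the old CRC and the delta alone.
        "crc_predicted_matches": predicted == zlib.crc32(modified),
        # No such algebraic shortcut relates the two MD5 digests.
        "md5_changed": md5_hex(original) != md5_hex(modified),
    }


if __name__ == "__main__":
    print(demo())
```

MD5 appears here only because it is the alternative the message names; the same comparison works with `hashlib.sha256`.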
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:39 PDT