Surreal's questions

We are installing a vendor-supplied ASP.net application on IIS 7.5, giving access to sensitive customer details for remote access by our staff. I am wondering whether it is necessary to use a VPN to secure it. Using a VPN would be considerably more inconvenient for the staff and provide more access for connected clients to the rest of the network than I would like.

With no VPN, the application would be secured by HTTPS using TLS. The only part of the software that should be accessible to the web at large would be the login page. The application can be set to either use a completely built-in authentication method or Active Directory authentication via NTLM (probably preferably).

I am slightly concerned about the application's security-soundness. The developer has not had any 3rd-party penetration testing done and it appears from my investigation that passwords for the built-in authentication are stored with reversible encryption rather than hashed.

How much additional security do you think using a VPN would offer over relying on HTTPS and the application's authentication? Are the any questions I could ask the developer or ways I could test the application to check for vulnerabilities?

VPN Security Versus Plain Old TLS - Similar question that was useful, but not focused on assessing a supplied application

Hello denizens of Server Fault

I have an irritating problem with a LAN of about 100 computers, 2 Windows domain servers, and 12 VoIP phones. Since their installation around a year ago, every week or so, we notice a VoIP phone resetting itself - occasionally in the middle of a call. Simultaneously there are often signs of temporary loss of connection on computers: freezes in explorer while accessing network shares, errors in our administration software due to loss of connection to the database server.

I have been doing some Wireshark monitoring on the connection between the VoIP PBX and the rest of the network. Wireshark picks up a clump of retransmitted TCP packets at the times when we record phone restarts. The Wireshark log shows about 2 clusters of retransmissions a day ranging from 5 packets to hundreds. Those in each cluster are mainly between the PBX and some set of the VoIP phones, but not always the same set. Often retransmissions at the same time are to phones connected to the same switch, but sometimes retransmissions occur together to phones at opposite ends of the network. There are usually some coincident retransmissions in passing TCP traffic, for example between client machines and the file servers.

The spikes in retransmissions and phone resets do not correlate well with when the network is heavily loaded. They seem to occur slightly more during the day, but most in the evening, when traffic should be decreasing. They occur reasonably often late at night when most computers are turned off and traffic should be lowest.

Do you have any ideas that might help diagnose the cause of problems like this? One thing I have not yet tried, but should have, is updating the firmware of all the switches.