April 2nd, 2006

IT Commandment: Thou shalt not use nonsecure protocols on thy network

Posted by Marc Orchant @ 7:49 am

Categories: Software


You may have noticed recent posts from some of the ZDNet bloggers in a series we’re calling IT Commandments. Here’s a commandment for any of you responsible for administering your company’s network: Turn off Telnet and FTP and use secure protocols to provide access through the firewall.

Telnet and FTP are two of the oldest net protocols and they date back to a simpler time when script kiddies, bots, and viruses were theoretical problems, not everyday facts of life. If you have responsibility for protecting your network, data, and users from all of the badware, and the bad people who create it, operating on the public network, you need to close as many ports on your firewall as possible and exercise control over who and what gets inside.

How you do this is less critical than that you do it. Many organizations use a Virtual Private Network (VPN) to create a secure tunnel through the firewall. The recent proliferation of SSL-based VPNs has eliminated a lot of the cost and complexity of this approach. As the ability to present application-level capabilities in the browser continues to mature, these less expensive VPNs will continue to grow in popularity compared to solutions that use proprietary clients.

Secure Shell (SSH) is another option. Whether you use OpenSSH, the open source implementation of the protocol bundled with virtually every *NIX operating system (including Mac OS X), or a commercial alternative, SSH2 (the current protocol standard) is a software-only alternative that provides encryption, authentication, and data integrity through a single port on your firewall. SSH2 provides remote access, file transfer, and data tunneling services. (Disclosure: In my "day job" I work for VanDyke Software, which develops, sells, and supports SSH clients and servers for Windows and a variety of *NIX platforms.)

There are other approaches. Small businesses and free agents often use something like GoToMyPC to access a desktop PC while on the road or at a client site. Microsoft offers a Small Business Server (SBS) bundle which delivers a lot of value for a relatively small investment to smaller organizations. SBS includes Exchange Server, SQL Server, and Windows Server 2003, all of which have the ability to enforce authentication using encrypted passwords, digital certificates, and other methods.

As I said, it matters less how you do it than that you do it. Providing unfettered access to your network or allowing protocols that send unencrypted data are risks you simply cannot afford. If you do need to provide public FTP access, put that server outside your firewall in a DMZ and access it using a secure connection from inside your network. Restrict Telnet use to inside the firewall only if you must use it. Tunnel all TCP/IP application data through a VPN or SSH connection.

Finally, explain your security policies in plain English to every user on your network. Security shouldn’t be a black art or the sole province of network administrators. Phishing and other social engineering techniques can compromise the best technology decisions you can make. Educate your organization about why security is so important and how every person can help to reduce the availability of a human vector to potential attackers.

Go forth and be secure.


Our IT Commandments:
  1. Thou shalt not outsource mission critical functions
  2. Thou shalt not pretend
  3. Thou shalt honor and empower thy (Unix) sysadmins
  4. Thou shalt leave the ideology to someone else
  5. Thou shalt not condemn departments doing their own IT
  6. Thou shalt put thy users first, above all else
  7. Thou shalt give something back to the community
  8. Thou shalt not use nonsecure protocols on thy network
  9. Thou shalt free thy content
  10. Thou shalt not ignore security risks when choosing platforms
  11. Thou shalt not fear change
  12. Thou shalt document all thy works
  13. Thou shalt loosely couple

Marc Orchant has been building, testing, and sometimes breaking hardware and software for 25 years. See his full profile and disclosure of his industry affiliations.
