HP3000-L Archives

September 2004, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Art Bahrs <[log in to unmask]>
Date: Mon, 13 Sep 2004 11:57:40 -0700
Hi Mike, Donna and All :)
    Donna's idea sounds excellent and has several things to consider
embedded in it...

    Remember, anonymous FTP is bad from a security point of view...   It is
a bunch of work, but set up ways to log in with contractual agreements
governing who will track who at the other end used the login from their
end...  And make a practice of keeping copies of the firewall logs that
show what IP address connected to the FTP server... You do keep copies of
the firewall logs, right? hehe

Just a thot :)

Art "returning to the audit work now ... " Bahrs

=======================================================
Art Bahrs, CISSP           Information Security          The Regence Group
(503) 553-1425              FAX (503) 553-1453


From: "donna garverick" <donna_garverick@yahoo.com>, sent by "HP-3000 Systems Discussion" <[log in to unmask]>
Date: 09/13/2004 10:19 AM
To: [log in to unmask]
Subject: Re: [HP3000-L] FTP to HP3k and security




--- "Baker, Mike L." <[log in to unmask]> wrote:

> I have not had a chance to test any of this, but I thought I would
> ask the question first.  I'm sure someone else has had to deal with
> this.  We daily have a Sun Unix server FTP files to the HP.  There is
> no password set up on the group.accounts that FTP logs in to (we are
> talking more than one client [i.e. group.account] here).  As part of
> our Sarbanes/Oxley fun and games, we have to secure the HP.  When we
> do implement security on the HP, either all MPE security and/or with
> Security/3000, I am assuming that FTP (into the HP) will get asked
> the password after the group.account is entered, if one has been
> implemented, correct?  I guess what I am getting at is, can FTP into
> the HP be allowed to not need to enter a password, even though a user
> logging into the HP with VT-MGR or serial would need to?

rather than worry about how to HARDCODE this into a process on your sun
box....do strongly consider using .netrc files.

if nothing else, when passwords get hardcoded into jobs (a bit of a
concept on unix boxes :-) they're nearly impossible to update when the
time comes to change passwords.  in a lot of cases, the only way to
flush them out is to see what fails after the passwords are changed!!
since password changing is a part of sar-ox....the more up-front
thought you give to this now, the happier you'll be in the future.

for folks that have used dscopy forever and ever...i'm willing to bet
that many of you encapsulated the logon into a stand-alone file.  you
may have even gone so far as to put this file into a secure group.  i
know we did/do and it's a clean and secure way of enabling different
production needs and yet keep passwords safe.

netrc files are essentially no different.  since it is unix you do need
to pay attention to the rwx on the file and directory.

fwiw, mpe's ftp uses netrc files as well.  they can be regular mpe
files (that is, they don't have to be named with a leading dot).  if
they're in a group other than the initiator's home group...all that you
need is a file equation that includes the home group on the left-hand
side.

one nice feature of netrc files is that they can include multiple
locations.  for example, i have a (mpe) netrc file named 'netrcall' that
includes logons for all the boxes that i need to go to.  real nice :-)

hth          - d

=====
Donna Garverick     Sr. System Programmer
dgarverick -at- longs -dot- com
925-210-6631        Longs Drug Stores

Come, my friends, 'Tis not too late to seek a newer world.
Tho' much is taken, much abides; and tho'
We are not now that strength which in old days
Moved earth and heaven, that which we are, we are.
"Ulysses", A. Tennyson

>>>MY opinions, not Longs Drug Stores'<<<
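As an added example (not from the thread), a small Python script that builds a multi-machine netrc like Donna's 'netrcall', writes it with owner-only permissions, and refuses to use it once the file's "rwx" has been loosened; the hostnames and credentials are constructed placeholders.

```python
import netrc
import os
import stat
import tempfile

# Constructed sample: one file holding logons for several machines, as
# Donna's 'netrcall' does. Hostnames and credentials are placeholders.
SAMPLE_NETRC = """\
machine hp3k.example.com login xfer.prod password PLACEHOLDER-HP
machine sun1.example.com login xfer password PLACEHOLDER-SUN
"""

def write_netrc(path, contents):
    """Create the file with mode 0600 from the start so it is never briefly world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(contents)

def netrc_mode_ok(path):
    """True when no group/other permission bits are set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def load_logon(path, host):
    """Return (login, password) for host, refusing a file that others can read."""
    if not netrc_mode_ok(path):
        raise PermissionError(f"{path}: must be readable by owner only (chmod 600)")
    auth = netrc.netrc(path).authenticators(host)
    if auth is None:
        raise KeyError(f"no entry for {host} in {path}")
    login, _account, password = auth
    return login, password

def demo():
    """Write the sample, read one logon, then show the refusal after a careless chmod."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "netrcall")
        write_netrc(path, SAMPLE_NETRC)
        hp = load_logon(path, "hp3k.example.com")
        os.chmod(path, 0o644)          # simulate the file being made group/world readable
        try:
            load_logon(path, "hp3k.example.com")
            refused = False
        except PermissionError:
            refused = True
        return hp, refused
```

The stdlib netrc module only enforces the permission check on the default ~/.netrc, so a script reading an explicitly named file has to check the mode itself, as load_logon does.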


* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *