HP3000-L Archives

October 2002, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Gavin Scott <[log in to unmask]>
Reply To:
Gavin Scott <[log in to unmask]>
Date:
Tue, 8 Oct 2002 09:55:15 -0700
Tom writes of telnet:
> Short answer: no (reason: passwords are "in the clear", as well as the
> actual data for that matter).  For this reason, many people who deal with
> "servers" are turning to ssh.

It's my impression that ssh implementations seem to have one critical
security hole every month or two, and I can't recall the last time I heard
of a problem with telnet.

Telnet exposes passwords to people along your network path.  If someone
wants to attack your system they have to get into this path to intercept
your passwords.  Easy for an insider at your facility, but extremely
difficult for an arbitrary internet user.

An ssh security hole on the other hand will expose your system to compromise
from every internet node in the world.

In my opinion, ssh is at least ten times more dangerous than simple telnet,
at least as things stand now, due to its extreme complexity and a history of
security holes.

For someone setting up a remote-hosting environment, I think a good solution
would be to use routers at each end that support IPSec VPNs, possibly in
combination with a traditional Microsoft VPN-style service for mobile-user
access.

The router-based solution allows two networks to be interconnected securely,
and I believe one router at the hosting site could support multiple IPSec
VPNs at the same time, allowing multiple customers to be supported.  This
might be a fairly expensive Cisco box though.

A router-to-router IPSec VPN is basically the internet equivalent of a
traditional dedicated "leased line" connection.  It would not require any
changes to the client computers at the customer end, and no changes in user
procedures.

A Microsoft VPN server would allow roaming client systems to access the
hosted server, albeit at the cost of having to install and operate the VPN
client software on the client PC in order to connect to the server.

Of course the Microsoft VPN server (like ssh) is a complex implementation,
and a bug was reported a few days ago that potentially allows an attacker to
get into your VPN server by exploiting flaws in the Microsoft PPTP
implementation, at least in Win2K and WinXP.  So you have to stay on top of
the security patches no matter what you use.

For a company providing hosting services, an additional issue becomes that
of hosting two companies that are competitors of each other, where providing
isolation between two customer environments can be as important to the user
as isolation from the internet in general.

G.
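The exposure Gavin describes (telnet credentials readable by anyone on the network path) can be checked for directly in captured traffic. The following is an added example, not code from the list post: it strips telnet option negotiation from a reassembled session, reports whether a login and password crossed the wire readable (redacting the password itself), and returns nothing for an encrypted ssh stream. The session bytes and host name are constructed samples, not a real capture.

```python
"""Flag cleartext telnet logins in a reassembled, bidirectional session."""
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL_WONT_DO_DONT = (0xFB, 0xFC, 0xFD, 0xFE)

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC command sequences, leaving only the bytes a user would see."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1; continue
        if i + 1 >= len(data):
            break                                   # truncated IAC at end of chunk
        cmd = data[i + 1]
        if cmd == IAC:                              # IAC IAC is an escaped 0xFF data byte
            out.append(IAC); i += 2
        elif cmd == SB:                             # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in WILL_WONT_DO_DONT:              # three-byte option command
            i += 3
        else:                                       # two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)

def find_cleartext_login(session):
    """session: list of ('S' server | 'C' client, bytes) in wire order.
    Returns a finding dict if a username and password were readable, else None."""
    user = password = expecting = None
    for direction, chunk in session:
        text = strip_telnet_negotiation(chunk).decode("latin-1")
        if direction == "S":                        # server prompts tell us what comes next
            if re.search(r"login:\s*$", text, re.I):
                expecting = "user"
            elif re.search(r"password:\s*$", text, re.I):
                expecting = "password"
        elif expecting:                             # client answer up to end of line
            value = text.split("\r\n")[0].strip()
            if expecting == "user":
                user = value
            else:
                password = value
            expecting = None
    if user is None or password is None:
        return None
    return {"user": user, "password_len": len(password), "cleartext": True}

# Constructed sample sessions (not real captures); host name is made up.
TELNET_SESSION = [
    ("S", b"\xff\xfd\x18\xff\xfd\x20Welcome to hp3000x\r\nlogin: "),
    ("C", b"\xff\xfc\x18alice\r\n"),
    ("S", b"Password: "),
    ("C", b"hunter2\r\n"),
    ("S", b"\r\nLast login: Tue Oct  8 09:00\r\n$ "),
]
SSH_SESSION = [  # after the banner, everything is ciphertext: nothing to read
    ("S", b"SSH-2.0-OpenSSH_3.4\r\n"),
    ("C", b"SSH-2.0-OpenSSH_3.4\r\n"),
    ("C", bytes(range(0x60, 0x80)) + b"\x9f\x13\x77\x02"),
]
```

Running `find_cleartext_login` over every telnet session in a capture gives an inventory of hosts and accounts still authenticating in the clear, which is the list to migrate behind ssh or an IPSec tunnel first.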

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
