[Dshield] General security question
Jonathan G. Lampe
jonathan at stdnet.com
Mon Nov 25 21:34:27 GMT 2002
>If it was my network I'd question why they can't just use FTP to transfer

If you were transferring over the Internet, you would probably want to use
at least secure FTP (FTPS). Even if you transfer encrypted files using
insecure FTP, you are most likely coughing up a username and password in
clear text every time you move something.
>write them a CD every week or month or whatever frequency they need.

CDs and tapes have their own security problems. It is easy for anyone to
steal and/or make a copy of media like this.
>When we have auditors come in
>to our offices, they never get access to the actual digital files.

Auditors I can believe, but speaking as a sometime software author, there
are times where the only way to get a handle on a bug observed only in the
field is to get a copy of the file, memory, driver, etc. involved.
>http access to the Internet. Since this traffic is all valid, according
>to our network structure (proxy, firewalls, etc), and because the
>traffic is SSL I cannot see what is really happening. Can I take any
>further steps to protect our internal network?

Here's an easy thing to do to at least limit the hosts your auditors can
Find out to which IP addresses or hostnames these auditors need to
go. Then put these auditors (or maybe all third-party dial-up people) in
their own special dial-up group. Then...you can write an IP-to-IP ruleset
in your firewall to make sure these people only go back to the servers that

You should also find out if the servers your auditors are accessing are
Internet exposed or otherwise somewhat "public" (i.e. shared among 100
different clients). If this is the case, I would demand that the
information stored on those publicly-available servers be encrypted at
rest. (If you are involved in health care or financial services industry,
you've probably heard this one before.) As others have suggested on this
thread, secure transport (i.e. SSL, SSH) by itself is only half the battle!
(We can chat offline if you want to discuss various vendors.)
- Jonathan Lampe
- jonathan at stdnet.com
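The IP-to-IP ruleset Jonathan describes above (a dedicated dial-up pool for the auditors, explicit allows to the servers they need, default deny for everything else), as an added example that is not part of the original post. The pool range, server addresses, ports and the connection records are all constructed for illustration; the helper renders the same policy as iptables rules and checks sample connections against it.

```python
"""Allow-list policy for a third-party (auditor) dial-up pool."""
import ipaddress
from typing import Iterable, List

# Constructed: the dial-up pool assigned to auditors (RFC 1918 space).
AUDITOR_POOL = ipaddress.ip_network("10.200.0.0/24")

# Constructed: the only servers/ports the auditors need. Anything else
# sourced from the pool is denied.
ALLOWED = {
    ipaddress.ip_address("192.0.2.10"): {443},      # audit portal over HTTPS
    ipaddress.ip_address("192.0.2.20"): {990, 22},  # FTPS control / SFTP
}


def is_permitted(src: str, dst: str, port: int) -> bool:
    """True only for a pool address reaching an allowed server/port.
    Sources outside the pool are not covered by this ruleset and return
    False so callers never treat them as implicitly permitted."""
    if ipaddress.ip_address(src) not in AUDITOR_POOL:
        return False
    return port in ALLOWED.get(ipaddress.ip_address(dst), set())


def iptables_rules() -> List[str]:
    """Render the policy as an IP-to-IP ruleset: one ACCEPT per
    server/port, then a logged default DROP for the whole pool."""
    rules = []
    for host, ports in ALLOWED.items():
        for p in sorted(ports):
            rules.append(f"iptables -A FORWARD -s {AUDITOR_POOL} -d {host} "
                         f"-p tcp --dport {p} -m state --state NEW -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {AUDITOR_POOL} "
                 f"-j LOG --log-prefix 'AUDITOR-DENY '")
    rules.append(f"iptables -A FORWARD -s {AUDITOR_POOL} -j DROP")
    return rules


def find_violations(records: Iterable[str]) -> List[str]:
    """Return 'src dst port' records from the pool that fall outside policy."""
    out = []
    for line in records:
        src, dst, port = line.split()
        if ipaddress.ip_address(src) in AUDITOR_POOL and not is_permitted(src, dst, int(port)):
            out.append(line)
    return out


# Constructed connection records ("src dst port") for a sample run.
SAMPLE = [
    "10.200.0.5 192.0.2.10 443",  # portal over HTTPS: within policy
    "10.200.0.5 192.0.2.20 21",   # plain FTP to the file server: denied
    "10.200.0.9 192.0.2.30 445",  # an internal file share: denied
    "10.1.1.7 192.0.2.30 445",    # not from the pool: outside this ruleset
]
```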