[Dshield] General security question

Jonathan G. Lampe jonathan at stdnet.com
Mon Nov 25 21:34:27 GMT 2002


>If it was my network I'd question why they can't just use FTP to transfer 
>files

If you were transferring over the Internet, you would probably want to use 
at least secure FTP (FTPS).  Even if you transfer encrypted files using 
insecure FTP, you are most likely coughing up a username and password in 
clear text every time you move something.

>write them a CD every week or month or whatever frequency they need.

CD's and tapes have their own security problems.  It is easy for anyone to 
steal and/or make a copy of media like this.

>When we have auditors come in
>to our offices, they never get access to the actual digital files.

Auditors I can believe, but speaking as a sometime software author, there 
are times where the only way to get a handle on a bug observed only in the 
field is to get a copy of the file, memory, driver, etc. involved.

>http access o the Internet. Since this traffic is all valid, according
>to our network structure (proxy, firewalls, etc), and because the
>traffic is SSL I cannot see what is really happening. Can I take any
>further steps to protect our internal network?

Here's an easy thing to do to at least limit the hosts your auditors can 
access:
Find out to which IP addresses or hostnames these auditors need to 
go.  Then put these auditors (or maybe all third-party dial-up people) in 
their own special dial-up group.  Then...you can write an IP-to-IP ruleset 
in your firewall to make sure these people only go back to the servers that 
they should.

You should also find out if the servers your auditors are accessing are 
Internet exposed or otherwise somewhat "public" (i.e. shared among 100 
different clients).  If this is the case, I would demand that the 
information stored on those publically-available servers be encrypted at 
rest.  (If you are involved in health care or financial services industry, 
you've probably heard this one before.)  As others have suggested on this 
thread, secure transport (i.e. SSL, SSH) by itself is only half the battle!

(We can chat offline if you want to discuss various vendors.)

- Jonathan Lampe
- jonathan at stdnet.com




More information about the list mailing list