[unisog] AUPs re FTP and Telnet

Daniel R Jones Dan.Jones at Colorado.EDU
Thu Jul 5 22:26:16 GMT 2007


Just to follow-up on the comments from Jim and Valdis.  Obsoletely  
there can be valid business reasons for unencrypted protocols  
particularly for research and education.  The key point here is that  
we ask for these to be handled by an exception process.  Rather than  
allowing FTP by default for example we ask that departments contact  
the security group to discuss the risk in granting the exception.    
In addition to solving individual business or technical needs as  
Valdis points out to force the change is a huge communications  
effort.  If you create the policy but do not successfully communicate  
the policy requirements your policy will not be effective.  You may  
also have to target communications down to the individual user and  
system owner so that you do not break critical business needs.     
Depending on your environment this may be a challenge requiring that  
you build new communication mechanisms.

--
Dan Jones, CISSP
Director, Campus IT Security Office
University of Colorado at Boulder

On Jul 5, 2007, at 3:05 PM, Valdis.Kletnieks at vt.edu wrote:

> On Thu, 05 Jul 2007 14:27:08 MDT, Jim Dillon said:
>> The University of Colorado at Boulder restricts the use of any
>> non-encrypted authentication on its network - therefore FTP and  
>> Telnet
>> are not typically allowed.
>
> Just make sure that you remember to allow for the fact that some  
> places
> *do* use 'anonymous FTP' for things like software distribution/ 
> download,
> and I've seen more than one place that used 'telnet to a captive  
> program'
> to do things like library card catalog lookups and other things  
> that didn't
> require authentication.
>
> Also, remember that the FTP and telnet protocols *can* be on  
> different ports
> than you usually expect....
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog



More information about the unisog mailing list