[unisog] AUPs re FTP and Telnet
Daniel R Jones
Dan.Jones at Colorado.EDU
Thu Jul 5 22:26:16 GMT 2007
Just to follow up on the comments from Jim and Valdis. Absolutely,
there can be valid business reasons for unencrypted protocols,
particularly for research and education. The key point here is that
we ask for these to be handled by an exception process. Rather than
allowing FTP by default, for example, we ask that departments contact
the security group to discuss the risk in granting the exception.

In addition to solving individual business or technical needs, as
Valdis points out, to force the change is a huge communications
effort. If you create the policy but do not successfully communicate
the policy requirements, your policy will not be effective. You may
also have to target communications down to the individual user and
system owner so that you do not break critical business needs.
Depending on your environment, this may be a challenge requiring that
you build new communication mechanisms.

Dan Jones, CISSP
Director, Campus IT Security Office
University of Colorado at Boulder

On Jul 5, 2007, at 3:05 PM, Valdis.Kletnieks at vt.edu wrote:
> On Thu, 05 Jul 2007 14:27:08 MDT, Jim Dillon said:
>> The University of Colorado at Boulder restricts the use of any
>> non-encrypted authentication on its network - therefore FTP and
>> are not typically allowed.
> Just make sure that you remember to allow for the fact that some
> *do* use 'anonymous FTP' for things like software distribution/
> and I've seen more than one place that used 'telnet to a captive
> to do things like library card catalog lookups and other things
> that didn't require authentication.
>
> Also, remember that the FTP and telnet protocols *can* be on
> different ports than you usually expect....