[unisog] AUPs re FTP and Telnet

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Sat Jul 7 01:52:03 GMT 2007


On Thu, 05 Jul 2007 16:26:16 MDT, Daniel R Jones said:
> Just to follow-up on the comments from Jim and Valdis.  Absolutely
> there can be valid business reasons for unencrypted protocols
> particularly for research and education.  The key point here is that
> we ask for these to be handled by an exception process.  Rather than
> allowing FTP by default for example we ask that departments contact
> the security group to discuss the risk in granting the exception.

Note that making a *policy* that says "No unencrypted authentication on the
network" is *just fine* for the anonymous FTP/telnet cases, because they don't
actually transmit any authentication info.  And I think it would be a *fine*
thing to have a policy that says that, because you can cover every protocol in
the same sentence.  Saying "No FTP/telnet" is however a loser of a policy
decision, because then each department that wants to have an anonymous FTP
server has to be treated as a *policy* exception.  If you say "No unencrypted
authentication", then an anonymous FTP site isn't an actual policy exception,
just something to whitelist in your policy-enforcing tools (which is
*hopefully* a lot easier to handle for any sane policy/enforcement system).

And as always, writing the policy is easy, enforcing it is hard.  I've seen
enough sites that do silly things like:

telnet://cokemachine.your-dept.randomschool.edu:8181 for info on machine status
and beverage temperature.

Yee. Hah. :)
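To make the distinction in the message above concrete, here is an added example (not from the list post or any tool it mentions) of the kind of check a policy-enforcing tool would run under a "no unencrypted authentication" rule rather than a "no FTP" rule. It classifies FTP control-channel sessions from a server-side command log: an anonymous login transmits no secret and is simply whitelisted, a USER/PASS pair sent after AUTH TLS travels encrypted, and only a real account name followed by PASS on a plaintext channel is a violation. The log format (session id, "C:", command) and the sample lines are constructed for this example; the anonymous user names and the AUTH TLS handling are assumptions stated in the code.

```python
"""Classify FTP control-channel sessions against a
"no unencrypted authentication" policy (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import re

# Assumption: anonymous FTP logs in as "anonymous" or "ftp"; the PASS sent
# afterwards is a courtesy e-mail address, not a secret.
ANONYMOUS_USERS = {"anonymous", "ftp"}

# Constructed log format: "<session-id> C: <COMMAND> [argument]"
CMD_RE = re.compile(r"^(?P<session>\S+)\s+C:\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<arg>.*))?$")


@dataclass
class Session:
    user: Optional[str] = None
    saw_pass: bool = False
    tls: bool = False  # AUTH TLS seen before USER/PASS: credentials go over TLS


def classify_sessions(lines: List[str]) -> Dict[str, str]:
    """Return a verdict per session id: anonymous-ok, encrypted-ok,
    violation (cleartext credential), user-only, or no-auth."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        m = CMD_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not client commands
        s = sessions.setdefault(m["session"], Session())
        cmd = m["cmd"].upper()
        arg = (m["arg"] or "").strip()
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            s.tls = True
        elif cmd == "USER":
            s.user = arg
        elif cmd == "PASS":
            s.saw_pass = True

    verdicts: Dict[str, str] = {}
    for sid, s in sessions.items():
        if s.user is None:
            verdicts[sid] = "no-auth"            # no authentication attempted at all
        elif s.user.lower() in ANONYMOUS_USERS:
            verdicts[sid] = "anonymous-ok"       # no secret transmitted: whitelist, not an exception
        elif s.tls:
            verdicts[sid] = "encrypted-ok"       # real credential, but on an encrypted channel
        elif s.saw_pass:
            verdicts[sid] = "violation"          # real credential sent in cleartext
        else:
            verdicts[sid] = "user-only"          # USER without PASS; nothing secret yet
    return verdicts


def violations(lines: List[str]) -> List[str]:
    """Session ids that breach the 'no unencrypted authentication' policy."""
    return sorted(sid for sid, v in classify_sessions(lines).items() if v == "violation")


# Constructed sample log: one anonymous session, one cleartext login,
# one login behind AUTH TLS, one session that never authenticates.
SAMPLE_LOG = """
s1 C: USER anonymous
s1 C: PASS guest@example.edu
s1 C: RETR README
s2 C: USER jdoe
s2 C: PASS placeholder-secret
s3 C: AUTH TLS
s3 C: USER jdoe
s3 C: PASS placeholder-secret
s4 C: SYST
""".strip().splitlines()

if __name__ == "__main__":
    for sid, verdict in classify_sessions(SAMPLE_LOG).items():
        print(sid, verdict)
    print("violations:", violations(SAMPLE_LOG))
```

Under a flat "no FTP/telnet" rule, session s1 would have needed a policy exception even though nothing secret crossed the wire; under the authentication-based rule only s2 is flagged. The same classifier shape applies to telnet: a service that never prompts for credentials (the drinks-machine status port above) is a "no-auth" session, not an authentication leak.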