Security Basics mailing list archives

Re: Accessing corporate servers through the web..


From: "Philip Duldig" <maninwhite () tpg com au>
Date: Sat, 15 Nov 2003 11:47:19 +1030

From a naive perspective such as my own:

(a) Telnet (on a Linux machine): (password is sent in clear text, may be
captured by a potential hacker; any other risks?)
The username and password of an unprivileged user are captured,

i.e.: username: bob, password: fluffy

Simple solution: block telnet; make them use SSH.

(b) FTP (default FTP service on a Linux machine)

An FTP exploit is discovered in the FTPd, i.e.:

Denial of Service (you lose the server for a while)

Account/Root exploit (you lose everything)

A naughty person uses "bob/fluffy" and gets hold of your "TOP SECRET BUSINESS
PLANS VERSION 4.doc"

(c) Terminal Services (Win 2K server)
Terminal Services RDP 5.0 (that's the 2K version) supports decent
application-layer encryption (from my limited understanding),

which is cool but doesn't stop a naughty person using your "bob/fluffy" login
and getting console access to your server (which is actually what Terminal
Services *is*) and exploiting some strange case your strong group policy
setup missed.

(It's sooo easy to miss something trivial that opens up exploitable paths.
Securing a console under 2000 is _hard_.)


(d) VNC (Win 2K server)

VNC, eep.

Well, I've not used VNC on a 2K server before, but does this not just give a
view/control of the current physical console session? How does it handle
passwords?

Are they kept in sync with your password directory? (Yet another silly
program to cycle passwords with otherwise.)



I know under Linux the VNC server acts like an X server and so can host
multiple sessions for each user, but does it act like Terminal
Services/Citrix MetaFrame under 2K server?



Investigate if it has any application-layer security/encryption and make
sure it is not just going to give a yahoo with the password Administrator
access to the console of your server. (Not good.)

If you just want remote access to your console, stick to RDP. I find it
slick, fast and clean, with clients for most operating systems (handheld,
Win16/32, Mac, Linux) (not as many as VNC though. :( )

I'm thinking that if you want external daemons to be accessible to the world,
you need to set some kind of policy, such as NO plaintext logins in any
daemon.

(Get rid of telnet and replace with SSH.)

Refuse to provide access to a service if it does not implement
application-layer encryption.

(Prevent username/password leakage.)



Have a look at VPNs?


Thanks for your help,
Rgds



Hope this ranting promotes some kind of discussion?

Thanks folks,



Philip Duldig

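The "bob/fluffy gets captured" point made for telnet in (a) and for FTP in (b) above is easy to see in practice, so here is an added example (written for this archive page, not code from the original post) that pulls the login out of captured sessions of both protocols. The two captures are constructed by hand for the example, not real traffic; they are modelled as an ordered list of (direction, payload) TCP segments, which is the shape you would get after reassembling a packet capture with a tool such as tshark or tcpflow. All names, the banner text and the segment format are assumptions of the example. The telnet half is the non-trivial part: option negotiation (IAC sequences) has to be stripped, keystrokes arrive one per segment, and the server echoes the username but not the password, so typed lines are labelled by the last prompt the server sent.

```python
import re

# Telnet (RFC 854) command bytes: IAC starts a command, WILL/WONT/DO/DONT take
# one option byte, SB ... SE brackets a subnegotiation.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
_NEGOTIATE = {WILL, WONT, DO, DONT}


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove Telnet option negotiation from one segment, keeping user data."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):          # dangling IAC at end of segment
            break
        elif data[i + 1] == IAC:          # IAC IAC escapes a literal 0xFF
            out.append(IAC)
            i += 2
        elif data[i + 1] in _NEGOTIATE:   # IAC WILL/WONT/DO/DONT <option>
            i += 3
        elif data[i + 1] == SB:           # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                             # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def telnet_credentials(segments):
    """Return (username, password) from ("c2s"|"s2c", payload) segments, or None.
    Typed bytes are buffered until CR/LF and labelled by the last prompt line
    (one ending in ':') the server sent; server echoes never end in ':'."""
    username = password = None
    last_prompt, typed = "", bytearray()
    for direction, payload in segments:
        text = strip_telnet_iac(payload)
        if direction == "s2c":
            lines = text.decode("latin-1").splitlines()
            if lines and lines[-1].rstrip().endswith(":"):
                last_prompt = lines[-1].lower()
            continue
        for b in text:
            if b in (0x0D, 0x0A):                 # CR or LF ends the typed line
                if typed:
                    line = typed.decode("latin-1")
                    typed.clear()
                    if "login" in last_prompt or "username" in last_prompt:
                        username = line
                    elif "password" in last_prompt:
                        password = line
            elif b != 0x00:                       # drop the NUL of CR NUL
                typed.append(b)
    return (username, password) if username and password else None


_FTP_USER = re.compile(rb"^USER[ \t]+(\S+)", re.I | re.M)
_FTP_PASS = re.compile(rb"^PASS[ \t]+(\S+)", re.I | re.M)


def ftp_credentials(segments):
    """FTP (RFC 959) sends the login as bare USER/PASS lines; just grep them."""
    client = b"".join(p for d, p in segments if d == "c2s")
    user, pw = _FTP_USER.search(client), _FTP_PASS.search(client)
    if not (user and pw):
        return None
    return user.group(1).decode("latin-1"), pw.group(1).decode("latin-1")


def _typed(word: bytes, echoed: bool):
    """Constructed keystrokes: one per segment, optionally echoed, then CRLF."""
    segs = []
    for c in word:
        segs.append(("c2s", bytes([c])))
        if echoed:
            segs.append(("s2c", bytes([c])))
    return segs + [("c2s", b"\r\n"), ("s2c", b"\r\n")]


# Constructed captures, hand-made for this example (not real traffic).
TELNET_SESSION = (
    [("s2c", bytes([IAC, DO, 0x18, IAC, WILL, 0x01])),   # DO TERMINAL-TYPE, WILL ECHO
     ("c2s", bytes([IAC, WILL, 0x18, IAC, DO, 0x01])),
     ("s2c", bytes([IAC, SB, 0x18, 0x01, IAC, SE])),      # SEND terminal type
     ("c2s", bytes([IAC, SB, 0x18, 0x00]) + b"XTERM" + bytes([IAC, SE])),
     ("s2c", b"Red Hat Linux release 9\r\nlogin: ")]
    + _typed(b"bob", echoed=True)
    + [("s2c", b"Password: ")]
    + _typed(b"fluffy", echoed=False)
    + [("s2c", b"\r\nLast login: Fri Nov 14 2003\r\n[bob@host bob]$ ")]
)

FTP_SESSION = [
    ("s2c", b"220 FTP server ready.\r\n"),
    ("c2s", b"USER bob\r\n"),
    ("s2c", b"331 Password required for bob.\r\n"),
    ("c2s", b"PASS fluffy\r\n"),
    ("c2s", b"RETR TOP SECRET BUSINESS PLANS VERSION 4.doc\r\n"),
]

if __name__ == "__main__":
    print(telnet_credentials(TELNET_SESSION), ftp_credentials(FTP_SESSION))
```

Both functions return ('bob', 'fluffy') on the constructed captures. Nothing here is an attack on the protocol; it is the passive read any host on the path gets for free, which is why the "no plaintext logins in any daemon" policy in the post, and SSH in place of telnet, is the fix rather than anything on the server side.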

