Educause Security Discussion mailing list archives
Re: Risks of File Transfer on a Fully Switched Network
From: "Dunker, Mary" <dunker () VT EDU>
Date: Wed, 30 Nov 2005 09:38:41 -0500
We launched a similar campaign at Virginia Tech, replacing ftp with WebDAV for access to our centrally hosted web servers. The product seems to work well.

Mary

--------------------------------------------
Mary Dunker
Director, Secure Enterprise Technology Initiatives
Virginia Tech Information Technology
1700 Pratt Drive
Blacksburg, VA 24060
(540) 231-9327
FAX: (540) 231-7413
dunker () vt edu

-----Original Message-----
From: jack suess [mailto:jack () UMBC EDU]
Sent: Wednesday, November 30, 2005 9:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Risks of File Transfer on a Fully Switched Network

My own sense is that as wireless becomes more and more widespread on campus, the idea of saying you would allow ftp on an intranet "wired" connection but not allow ftp on a wireless or extranet connection becomes a helpdesk nightmare. My application worked but then it didn't.

Our approach to dealing with ftp is taking the following steps.

1. We will launch a web-based file access system; this will cut down on students who ftp files from their local computer to the university computer (many IT students develop code on their local system but have to run it on a central system).

2. We are migrating our web development users that use Dreamweaver to the latest version that supports sftp.

3. For those that will still need ftp access we are setting up a separate ftp server that is only accessible from the vpn network. People who want to continue to use ftp can run the vpn client and get to it through the vpn tunnel. The vpn encryption will protect the unencrypted password to the ftp server.

A big part of this change is user education and communication. The way we have done this with telnet and are doing this with email over ssl is we periodically review syslogs looking for people that connected and then send them an email saying we see they are still using ftp and we want them to know it is going away at the following date. We then point them to a web page to explain how to deal with this and give them a phone number to call if they don't understand how to deal with this message. As the time gets closer to cutoff we become more "forceful" in tone that this service will stop working after the specified date and they should take action. What worked with this process is it only goes to people who should be getting the message, and no one claimed they were surprised when it was cut off.

Finally, all of that said, if you have a situation where you do a ftp between two internal servers and you can be certain that that network is secured, I don't see a problem there. We have a situation where we ftp a file from our old administrative system to another internal server. They are on a restricted network that can't be accessed by regular campus users because of the firewall rules. I'm not losing sleep over that ftp happening in the cleartext.

jack

On Nov 30, 2005, at 8:19 AM, Chad McDonald wrote:

Call me paranoid, but I disagree. We had this debate at GC&SU until I demonstrated the ability to sniff a switched network.

Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
Office 478.445.4473
Cell 478.454.8250

________________________________
From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU]
Sent: Tuesday, November 29, 2005 2:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Risks of File Transfer on a Fully Switched Network

I am being told that the risk of transferring sensitive files over our InTRAnet is so low that we should not require encryption for these internal file transfers. Transferring over the Internet in the clear is clearly a problem, but are others willing to share your position on the transmission of sensitive data in the clear internally (assuming a fully switched network)??

Thanks...

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB
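The periodic syslog review Jack Suess describes, turned into a small script, as an added example that is not part of the original thread or of any of the posters' tooling. The sample log lines are constructed, and the "FTP LOGIN FROM <ip>, <user>" line format is an assumption to be adjusted to whatever your ftpd actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines from a hypothetical ftp host (not real data).
SAMPLE_SYSLOG = """\
Nov 28 10:02:11 ftphost ftpd[4121]: FTP LOGIN FROM 10.1.2.3, alice
Nov 28 10:05:40 ftphost sshd[4130]: Accepted publickey for bob from 10.1.2.9 port 51234 ssh2
Nov 29 08:17:02 ftphost ftpd[4222]: FTP LOGIN FROM 10.1.2.3, alice
Nov 29 09:44:55 ftphost ftpd[4250]: FTP LOGIN FROM 172.16.8.20, webdev
Nov 30 07:03:19 ftphost ftpd[4301]: FTP LOGIN FAILED FROM 10.1.2.3, alice
"""

# Assumed ftpd line format; matches successful plain-ftp logins only, so failed
# logins and unrelated daemons (sshd) are skipped.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: "
    r"FTP LOGIN FROM (?P<src>\S+), (?P<user>\S+)$"
)

def ftp_users_from_syslog(text, year=2005):
    """Return {user: {'count': n, 'last_seen': datetime, 'sources': set}}."""
    seen = defaultdict(lambda: {"count": 0, "last_seen": None, "sources": set()})
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = seen[m["user"]]
        rec["count"] += 1
        rec["sources"].add(m["src"])
        if rec["last_seen"] is None or ts > rec["last_seen"]:
            rec["last_seen"] = ts
    return dict(seen)

def notification_list(users, cutoff="2006-01-31"):
    """One notice per account still using ftp, in the spirit of the reminder
    emails the thread describes; the cutoff date is a placeholder."""
    return [
        f"{user}: we see you still used ftp on {rec['last_seen']:%Y-%m-%d} "
        f"({rec['count']} login(s)); plain ftp stops working on {cutoff}."
        for user, rec in sorted(users.items())
    ]

if __name__ == "__main__":
    for notice in notification_list(ftp_users_from_syslog(SAMPLE_SYSLOG)):
        print(notice)
```

Because only accounts that actually logged in are listed, the notice reaches exactly the people who need it, which is the property the thread credits for nobody being surprised at cutoff.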