Educause Security Discussion mailing list archives

Re: Risks of File Transfer on a Fully Switched Network


From: "Dunker, Mary" <dunker () VT EDU>
Date: Wed, 30 Nov 2005 09:38:41 -0500

We launched a similar campaign at Virginia Tech, replacing ftp with
WebDAV for access to our centrally hosted web servers. The product seems
to work well.
Mary

-------------------------------------------- 
Mary Dunker 
Director, Secure Enterprise Technology Initiatives 
Virginia Tech Information Technology 
1700 Pratt Drive 
Blacksburg, VA 24060 
(540) 231-9327 
FAX: (540) 231-7413 
dunker () vt edu 

        -----Original Message-----
        From: jack suess [mailto:jack () UMBC EDU] 
        Sent: Wednesday, November 30, 2005 9:13 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] Risks of File Transfer on a Fully
Switched Network
        
        
        My own sense is that as wireless becomes more and more
widespread on campus the idea of saying you would allow ftp on an
intranet "wired" connection but not allow ftp on wireless or extranet
connection becomes a helpdesk nightmare. My application worked but then
it didn't. 

        Our approach to dealing with ftp is taking the following steps.

        1. We will launch a web-based file access system; this will cut
down on students who ftp files from their local computer to the
university computer (many IT students develop code on their local system
but have to run it on a central system).

        2. We are migrating our web development users that use
dreamweaver to the latest version that supports sftp.

        3. For those that will still need ftp access we are setting up a
separate ftp server that is only accessible from the vpn network. People
who want to continue to use ftp can run the vpn client and get to it
through the vpn tunnel. The vpn encryption will protect the unencrypted
password to the ftp server.

        A big part of this change is user education and communication.
The way we have done this with telnet and are doing this with email over
ssl is we periodically review syslogs looking for people that connected
and then send them an email saying we see they are still using ftp and
we want them to know it is going away at the following date. We then
point them to a web page to explain how to deal with this and give them
a phone number to call if they don't understand how to deal with this
message. As the time gets closer to cutoff we become more "forceful" in
tone that this service will stop working after the specified date and
they should take action. What worked with this process is it only goes
to people who should be getting the message and no one claimed they were
surprised when it was cut off.  

        Finally, all of that said, if you have a situation where you do
a ftp between two internal servers and you can be certain that that
network is secured I don't see a problem there. We have a situation
where we ftp a file from our old administrative system to another
internal server. They are on a restricted network that can't be accessed
by regular campus users because of the firewall rules. I'm not losing
sleep over that ftp happening in the cleartext.

        jack
        
        On Nov 30, 2005, at 8:19 AM, Chad McDonald wrote:


                Call me paranoid, but I disagree.  We had this debate at
GC&SU until I demonstrated the ability to sniff a switched network.  
                 
                Chad McDonald, CISSP
                Chief Information Security Officer
                Georgia College & State University
                Office    478.445.4473
                Cell       478.454.8250
                 

________________________________

                From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU] 
                Sent: Tuesday, November 29, 2005 2:28 PM
                To: SECURITY () LISTSERV EDUCAUSE EDU
                Subject: [SECURITY] Risks of File Transfer on a Fully
Switched Network
                
                


                I am being told that the risk of transferring sensitive
files over our InTRAnet is so low that we should not require encryption
for these internal file transfers. Transferring over the Internet in the
clear is clearly a problem, but are others willing to share your
position on the transmission of sensitive data in the clear internally
(assuming a fully switched network)?

                Thanks... 

                Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC 
                Director, IT Security, Brown University
                Box 1885, Providence, RI 02912
                Connie_Sadler () Brown edu
                Office: 401-863-7266 
                PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
                PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA
91E3 8EFB 
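The log-review step jack describes (periodically scan the ftp server's logs, find accounts that still log in, and send each one a notice whose tone hardens as the cutoff date approaches) is easy to script. The following is an added example, not code from the thread or from any of the universities mentioned. It assumes vsftpd-style "OK LOGIN" lines, uses a handful of constructed sample lines, an assumed exempt list for the server-to-server batch account, and a placeholder help page and phone number; adjust the regex for whatever daemon actually writes your logs.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log lines in vsftpd-style format (an assumption, not
# taken from the original thread). Only successful logins count as "still
# using ftp"; uploads, failed logins and unrelated lines are skipped.
SAMPLE_LOG = """\
Mon Nov 28 08:01:12 2005 [pid 4211] [alice] OK LOGIN: Client "10.20.30.40"
Mon Nov 28 08:01:20 2005 [pid 4211] [alice] OK UPLOAD: Client "10.20.30.40", "/home/alice/index.html", 2048 bytes
Mon Nov 28 21:17:03 2005 [pid 4390] [bob] FAIL LOGIN: Client "10.20.31.7"
Tue Nov 29 09:44:51 2005 [pid 4501] [bob] OK LOGIN: Client "10.20.31.7"
Tue Nov 29 16:02:09 2005 [pid 4612] [alice] OK LOGIN: Client "172.16.5.9"
Wed Nov 30 07:58:40 2005 [pid 4700] [batchxfer] OK LOGIN: Client "10.9.0.5"
"""

LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[^"]+)"'
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Accounts that are allowed to keep using ftp, e.g. the restricted-network
# server-to-server transfer in jack's post. Assumed list for the example.
EXEMPT_USERS = {"batchxfer"}

# Placeholder contact details (assumptions, not from the thread).
HELP_URL = "https://help.example.edu/ftp-retirement"
HELP_PHONE = "555-0100"


def parse_logins(text):
    """Collect per-user login count, first/last login and client IPs."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None, "clients": set()})
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        rec = seen[m["user"]]
        rec["count"] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["clients"].add(m["ip"])
    return dict(seen)


def notice_stage(today_iso, cutoff_iso):
    """Escalate tone as the cutoff nears: reminder > 30 days out, warning
    within 30 days, final within 7 days, expired once the date has passed."""
    days_left = (date.fromisoformat(cutoff_iso) - date.fromisoformat(today_iso)).days
    if days_left < 0:
        return "expired"
    if days_left <= 7:
        return "final"
    if days_left <= 30:
        return "warning"
    return "reminder"


TEMPLATES = {
    "reminder": "Our logs show your account {user} still uses ftp (last login {last}). "
                "ftp access ends on {cutoff}. See {url} or call {phone}.",
    "warning": "Reminder: account {user} used ftp on {last}. ftp WILL STOP WORKING on "
               "{cutoff}. Please switch now: {url} or call {phone}.",
    "final": "FINAL NOTICE: account {user} used ftp on {last}. Service ends {cutoff}. "
             "Act now: {url} or call {phone}.",
    "expired": "ftp was retired on {cutoff}; account {user} last used it on {last}. "
               "See {url} or call {phone} for the replacement.",
}


def build_notices(text, today_iso, cutoff_iso, exempt=EXEMPT_USERS):
    """Return one notice record per non-exempt account seen logging in."""
    stage = notice_stage(today_iso, cutoff_iso)
    notices = []
    for user, rec in sorted(parse_logins(text).items()):
        if user in exempt:
            continue  # only people who should get the message get it
        last = rec["last"].isoformat(sep=" ")
        notices.append({
            "user": user,
            "stage": stage,
            "logins": rec["count"],
            "last_seen": last,
            "clients": sorted(rec["clients"]),
            "body": TEMPLATES[stage].format(
                user=user, last=last, cutoff=cutoff_iso, url=HELP_URL, phone=HELP_PHONE),
        })
    return notices


if __name__ == "__main__":
    for n in build_notices(SAMPLE_LOG, "2005-11-30", "2006-01-15"):
        print(f"{n['user']:<10} {n['stage']:<8} logins={n['logins']} "
              f"clients={','.join(n['clients'])}\n  {n['body']}")
```

Run it from cron against the real log, feed the records to whatever sends mail, and keep the exempt list short and reviewed: the point of the process jack describes is that only accounts actually still logging in get the message.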

