Re: Secure protocols

[Jere Retzer <retzerj () OHSU EDU>]

Do you consider sFTP and SCP roughly equivalent? Is one better than the
other? WinSCP certainly seems to work well. Thanks

> > > jloter () ENGR WASHINGTON EDU 7/19/2004 11:19:37 AM >>>
We're in the midst of a departmental security policy exercise and
SSL/SSH/sFTP requirements will be a part of it. The University of
Washington campus already requires SSH for access to its administrative
systems and sFTP for non-anonymous FTP.

The UW's policy on sFTP is here
http://www.washington.edu/computing/security/secureftp.html.

The "Notes for Specific Situations" part of the document details some
of the client install/use issues that might crop up.

The more general policy covering secured access to admin systems is
here:

http://www.washington.edu/computing/security/software.html

Implementation here has been facilitated by campus centrally funding
and making available the required client software, setting itself up as
a certificate authority, and providing a central Kerberos-based
authentication system.

At the department level, we run some shadow database systems and FTP
servers that we are now planning to secure. Since clients already have
access to the required software, we just need to get certificates
installed, update connectivity documentation (and create some where none
exists), hand-hold some users, and then eventually shut off the insecure
services. The services and policies at place at the UW level have made
this pretty easy for us in the departments.

Software with strong encryption carries with it export restrictions so
you'll want to check with the legal office at your University to see
what they make of the implications of that for traveling faculty,
exchange students, etc. Also, we've had some cases where some federal
grants specifically require compliance with International Traffic in
Arms Regulations (ITAR), and go so far as to prohibit foreign nationals
from exposure to crypto technologies.
If the policy goes so far as to include encryption of "data at rest"
(e-mail messages, data in databases, etc.) you'll need to reconcile the
policy with open records laws and other University policies regarding
ownership, retrievability, and archiving of public data. At the user
level, users need to know that they don't "own" their e-mail and they
must provide IT staff (or some other authority) the necessary encryption
keys to unlock data in response to an open records request. If your
institution does any routine monitoring of user e-mail and other data,
you need to consider that, as well as what happens if a staff or faculty
member is terminated and doesn't turn over their encryption key.

Good luck with the policies!

Jim
====================================
Jim Loter
Director of Computing Services
University of Washington College of Engineering
70e Wilcox Hall - Box 352180
Seattle, WA 98195
Phone: 206-543-1791 ~ Fax: 206-543-1018
====================================


----- Original Message -----
From: Slade Griffin
Sent: 7/16/2004 4:33 PM
Hey everyone,        Does anyone have a policy about not using insecure
protocols likeFTP or Telnet and using only SFTP and SSH?  I would also
like to know howdifficult implementation was.  Thanks in AdvanceSlade
Griffin, GCIH, CHP, CHSSISOUniversity of
Tennesseehttp://oit.utk.edu/infosec**********Participation and
subscription information for this EDUCAUSE Discussion Group discussion
list can be found at http://www.educause.edu/cg/.
********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.