Everthing Old is New Again, and More Secure
|Main||Elsewhere||The Week in CrossNodes||The Week in Network News|
We had a moment when we spotted a fresh report of FTP in the wild. Like telnet, which has largely gone the way of the dodo for end user remote access, FTP seemed like one of those protocols that needed to just go away: Its equivalent (scp) depends on the more secure SSH protocol and provides something like security from the hazards we're all familiar with over open networks, like password sniffing or just plain old interception of sensitive data.
For all SSH has been embraced by the techie sector, it's remained largely opaque to end users, to the extent that most corporate firewalls seem to have little issue with letting SSH traffic in and out, apparently on the premise that a user savvy enough to construct an SSH tunnel probably deserves to get out.
So for remote users, we've ended up herding them into VPNs or the occasional WebDAV-enabled server, which has raised its own series of issues, like how to handle a compromised laptop with full VPN access that's suddenly loose inside the firewall with a payload of worms and viruses.
So embracing FTP seems like a step backwards, right? We lose the benefits SSH and scp could confer if the right mix of ease were introduced to the available clients, we abandon the relative security of a VPN, and we go back to passing packets around in the clear?
Not exactly. Like the linked article says, at least one company has layered on SSL (which has the disadvantage of a trust model that's built around the authority of companies that aren't always the best at rewarding your trust) and, more promisingly, PGP.
PGP falls down with SSH in terms of apparent difficulty for end users: public key cryptography requires more thought than trusting acceptance of the network admin's word that "it's safer this way." Users have to maintain a key, and they have to protect its password zealously, and they must never, ever forget their passwords lest files they've encrypted with PGP or similar technologies become meaningless junk. There are workarounds to that, though, and the end result is files that are well and truly secure when the system is used properly, both, as the article notes, at each end-point and while they're in transit.
Are you going to scrap your VPN and toss out SSL any time soon? No. Probably not. But it seems that if at least one company has its way, you'll be adding some nuance to your security scheme, and you might be doing it with a protocol most of us had written off as last decade's news.
» If your users come around complaining about not being able to log on to Yahoo! Instant Messenger today, it's probably because Yahoo! changed its protocols (again) to block third party messaging clients. The best advice you can give them at this point is either "use Yahoo's client" or "get another chat network."
» And speaking of chat networks, eSecurityPlanet has a report on instant messaging security:
"between 2002 and 2003 there was a 400 percent increase in IM malware, according to Symantec's figures. Since 2002, 25 instant messaging worms have been released into the wild, with about 20 of them coming out last year alone. At least five or six have hit the wild so far this year,"
But a more serious problem, according to the report, is less one of malware and worms getting loose as it is simple information security: Much of the traffic is unencrypted and it's flying around in the clear.
Cisco's vision of a self-defending network took more form today as a bevy of NAC-supporting products were announced and the company moves ahead with third-party outreach. Also: Your enterprise IM choices just narrowed by one as AOL and Yahoo reconsider their IM strategies, and SUPERCOMM kicks off in Chicago.
XP SP2 is looming, it's going to disrupt your network, and your users are going to panic: What took Microsoft so long? Also: Motorola hops on the WiMax bandwagon, VoIP is so six months from now, Cisco goes MAN, and major ISPs write your anti-spam checklist for you.
» Wednesday: Flash: Sometimes Common Sense Isn't Sexy
Leading ISPs have some terrible news for the rest of us: There is no anti-spam death ray. Also: There's a big bug in the ISC's DHCP, e-gov security certification considered, your one-stop newsfeed source for CERT advisories, Intel's revised wireless plans, and another practical reason to use mod_gzip
It's never bad to give your users a faster site. With mod_gzip and Apache, you can compress Web traffic on the fly, reducing file sizes (and download times) up to 80 percent.
You may be an old-school holdout, or you may have inherited a network with NFS/NIS driving some of the file-sharing load. Either way, here's how you can button down these venerable but potentially dangerous services.
VoWLAN might be the chocolate and peanut butter of networking, but the convergence of VoIP and wireless freedom has its share of snags. Here's what you need to know.
Between online deathmatches, hearts tournaments, and sports bookies, your network might be looking more like a playground than a place to get work done. Here's how to use Squid to button down the traffic and make sure your more slippery users don't slide out of its grasp.
Network News Break is CrossNodes' daily summary of networking news and opinion, served up fresh daily. Please send your comments and suggestions to the editor.