|
Replacing clear text remote access
protocols
I've always had a
love/hate relationship with the ubiquitous Telnet remote access protocol.
Telnet access is a standard feature on most Internet routing equipment and
for remote access; therefore, you've probably used it if you've ever
needed remote access to a router, switch, or host across the
Internet.
It's important to
note that regular Telnet is not encrypted, which means that Telnet can
expose the login and password for remote Internet equipment. This issue
alone makes using Telnet for any type of Internet communication a concern,
since passing usernames and passwords for routers across the Internet
isn't a good idea. Using a modem connected to Internet equipment isn't
always practical either.
Encrypted remote
access provides the same functionality as Telnet but prevents data
sniffing and interception. The standard in this area is Secure Shell
(SSH). Most free UNIX systems include a variation of SSH with their
distributions, and UNIX systems that don't include SSH can use either
commercial SSH versions or OpenSSH. You can also configure higher end
routers and switches from Cisco to support SSH. (For specific details on
how to configure SSH on Cisco IOS routers, click here.) A number of
companies offer SSH client programs, including SSH Communications Security
and VanDyke Software (specifically, its product SecureCRT), as well as
various free implementations such as PuTTY.
However, it's
important to emphasize that encryption alone doesn't guarantee security,
and using SSH protocol version 1 quite possibly will result in other
security problems. I was reminded of this fact last Wednesday when I
received a security bulletin from X-Force in my inbox while reviewing
materials for this article. Version 1 of the SSH protocol contains a
design flaw, which was fixed in subsequent versions. So if you're going to
implement SSH on your systems, review specific information regarding
implementation. In other words, if possible, specify SSH version 2 instead
of version 1.
In addition to
Telnet, TN3270 is a remote access protocol that supports remote access to
IBM mainframes and other "big iron" equipment. People frequently use
TN3270 on internal networks, which may or may not be a security issue,
depending on the other security procedures in place. The primary issue
with TN3270 is that many companies use TN3270 to access mainframes across
the Internet. As with Telnet, TN3270 uses clear text authentication and
data traffic. Since many hospitals and financial companies use mainframes
extensively for customer database applications, exposure of customer data
due to clear text remote access protocols is a potential security
risk.
Fortunately, it's
possible to secure TN3270 with encryption, although I don't have personal
experience implementing secure TN3270. Two products that look interesting
in this area are SecureAgent Software's SecureTN3270 and Hummingbird's
HostExplorer (which I've seen in action and can report looks pretty much
like standard TN3270). Of course, always evaluate products carefully
before selecting a replacement product for TN3270.
|