ITS Yale University Shutting Down Insecure Telnet and
- Slides: 14
ITS -- Yale University Shutting Down Insecure Telnet and FTP (A Success Story) Chuck Powell Director, Workstation Support Services Yale University Charles. Powell@Yale. Edu http: //wss. yale. edu/educause Copyright Charles Powell, 2001. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
ITS -- Yale University Prolog Although I’m the only one presenting today, the story you’re going to hear is, more than anything else, a success story about teamwork and social engineering involving a lot of people. It’s only fair at this point to mention, in particular, two people who were co-authors of not only this presentation but the success. David Davies (then the Manager of Student Computing) and Eoghan Casey (from our Information Security Office). Of course all typos and errors in the presentation are mine. 2
ITS -- Yale University Presentation Goals • Non-technical (happy to answer questions but that’s not the target today) • More about process and communications than daemons • Pretty vendor neutral and does not require expensive new software to implement • Lessons learned for your benefit 3
ITS -- Yale University Our Problem • Telnet and Ftp represented “well known” security risks • From the users perspective, however, ftp and telnet are “their friends” • Investing large amounts of “new money” was not an option • Leveraging existing technologies and our architecture • Avoid the “dictatorship of the minority” through education 4
ITS -- Yale University It’s Good to Be “Lucky” • We had already been setting the stage • RSA patent was expiring, undoing a logjam on client software • Audience was receptive due to a spike in security breaches and “shared pain” • Strong backing from “the top” 5
ITS -- Yale University Objectives • Turn off insecure telnet and ftp on institutional level servers – Without disenfranchising any users – Without new infrastructure – By extending current architecture and methods • Educate users so the trend extended into machines and domains not centrally managed 6
ITS -- Yale University What We Had • A reliable and robust set of authentication services in Kerberos and Windows we could rely on • A reasonably well known population of users and applications • Some experience with smaller cases and some lessons learned 7
ITS -- Yale University What We Lacked • A plan and target dates • A cohesive or unitary way of reaching all our clients • Super powers or magic dust! 8
ITS -- Yale University What We Did – In General • Worked from both ends towards the middle • Used as many different communication media as possible • Worked incrementally • Turned up “the noise” gradually • Drew on diverse areas of expertise not only within IT but from our users 9
ITS -- Yale University What We Did -- In Specific • Set a date(s) to shoot for • Separated telnet and ftp shutdowns • Used everything from current print media to the login process to email lists to get the word out • Answered every question you could dream of and then of course some we didn’t think of • Met frequently to discuss and adjust 10
ITS -- Yale University A Little Dab of Technology Mac Windows Kerberized Fetch Nifty Telnet w/SSH Kerberized Better Telnet Netatalk (Kerberos or DHX UAM) Mindterm Java SSH Client** Kerberized Host Explorer Secure Shell Windows Client Tera. Term SSH Putty/Pscp Samba/Windows file sharing Mindterm Java SSH Client Unix Openssh SSH Communications Security (SSH. Com) Kerberized Telnet and FTP Mindterm Java SSH Client PAM 11
ITS -- Yale University Tricky Things We Learned • Even the smallest changes can confuse novice users or annoy sophisticated users • Emphasize the gains, don’t just be apologetic • Develop your documentation with an eye towards varying populations – one size does not fit all 12
ITS -- Yale University Summary • It can be done! • There is no such thing in this case as too much communication on the issue or too many different media • Ask the question, “What do you do now? ” and find solutions that are as “good”, or sometimes, even better! • This isn’t a panacea and we’re not done yet 13
ITS -- Yale University Useful Links • • • http: //wss. yale. edu/educause http: //pantheon. yale. edu http: //www. yale. edu/software/network/secure http: //www. ssh. com http: //www. openssh. org 14
Ap psychology unit 9
Insecure code management
Insecure.org
Insecure disorganized
Rendered insecure: gpu side channel attacks are practical
Insecure cryptographic storage challenge 3
Bluetooth rfcomm server insecure
Bluetooth rfcomm server insecure
Insecure connection
Owasp
Insecure cryptographic storage challenge 3
Insecure direct object reference bank challenge
Bargaining styles assessment tool
Yale university mechanical engineering
Yale university
