Educause Security Discussion mailing list archives
Re: Secure protocols
From: Buz Dale <buz.dale () USG EDU>
Date: Tue, 20 Jul 2004 10:16:48 -0400
In my mind SCP is a part of SSHv1 and has security problems. SFTP is the transfer protocol of the newer and ostensibly more secure versions.

Buz

Jere Retzer wrote:

Do you consider sFTP and SCP roughly equivalent? Is one better than the other? WinSCP certainly seems to work well. Thanks

>>> jloter () ENGR WASHINGTON EDU 7/19/2004 11:19:37 AM >>>

We're in the midst of a departmental security policy exercise and SSL/SSH/sFTP requirements will be a part of it. The University of Washington campus already requires SSH for access to its administrative systems and sFTP for non-anonymous FTP. The UW's policy on sFTP is here: http://www.washington.edu/computing/security/secureftp.html. The "Notes for Specific Situations" part of the document details some of the client install/use issues that might crop up. The more general policy covering secured access to admin systems is here: http://www.washington.edu/computing/security/software.html

Implementation here has been facilitated by campus centrally funding and making available the required client software, setting itself up as a certificate authority, and providing a central Kerberos-based authentication system. At the department level, we run some shadow database systems and FTP servers that we are now planning to secure. Since clients already have access to the required software, we just need to get certificates installed, update connectivity documentation (and create some where none exists), hand-hold some users, and then eventually shut off the insecure services. The services and policies in place at the UW level have made this pretty easy for us in the departments.

Software with strong encryption carries with it export restrictions, so you'll want to check with the legal office at your University to see what they make of the implications of that for traveling faculty, exchange students, etc. Also, we've had some cases where some federal grants specifically require compliance with International Traffic in Arms Regulations (ITAR), and go so far as to prohibit foreign nationals from exposure to crypto technologies.

If the policy goes so far as to include encryption of "data at rest" (e-mail messages, data in databases, etc.) you'll need to reconcile the policy with open records laws and other University policies regarding ownership, retrievability, and archiving of public data. At the user level, users need to know that they don't "own" their e-mail and they must provide IT staff (or some other authority) the necessary encryption keys to unlock data in response to an open records request. If your institution does any routine monitoring of user e-mail and other data, you need to consider that, as well as what happens if a staff or faculty member is terminated and doesn't turn over their encryption key.

Good luck with the policies!

Jim

====================================
*Jim Loter*
*Director of Computing Services*
University of Washington College of Engineering
70e Wilcox Hall - Box 352180
Seattle, WA 98195
Phone: 206-543-1791 ~ Fax: 206-543-1018
====================================

----- Original Message -----
From: Slade Griffin
Sent: 7/16/2004 4:33 PM

Hey everyone,

Does anyone have a policy about not using insecure protocols like FTP or Telnet and using only SFTP and SSH? I would also like to know how difficult implementation was.

Thanks in Advance

Slade Griffin, GCIH, CHP, CHSS
ISO
University of Tennessee
http://oit.utk.edu/infosec

--
----
Buz Dale buz.dale () usg edu
IT Security Specialist
1-888-875-3697
Office of Information and Instructional Technology
University System of Georgia

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
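The thread turns on two configuration questions a department would have to verify when enforcing an "SSH and SFTP only" policy: that the SSH daemon no longer offers protocol version 1, and that the SFTP subsystem is actually enabled so users have a sanctioned replacement for FTP. The following checker is an added example written for this page; it is not code from any list participant or from OpenSSH. It parses the OpenSSH `sshd_config` keywords `Protocol` and `Subsystem`, which exist in the 2004-era releases the thread concerns, and the sample configuration it reads is constructed, not taken from a real host.

```python
# Audit an sshd_config for the two settings discussed in the thread:
# protocol version 1 still offered, and no SFTP subsystem configured.

# Constructed sample sshd_config with both problems present.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample, not a real host)
Port 22
Protocol 2,1
PermitRootLogin no
#Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample with both problems corrected.
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def parse_sshd_config(text):
    """Return (keyword, value) pairs, skipping blank and commented lines.

    OpenSSH treats keywords case-insensitively, so they are lower-cased.
    A commented-out directive is deliberately NOT treated as set.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.append((keyword, value))
    return directives


def audit_sshd_config(text):
    """Return a list of finding strings; an empty list means both checks pass."""
    directives = parse_sshd_config(text)
    findings = []

    # Check 1: any Protocol line that lists version 1 (e.g. "2,1" or "1").
    protocol_values = [v for k, v in directives if k == "protocol"]
    if not protocol_values:
        # Assumption for this example: treat a missing directive as something
        # to verify, since older daemons defaulted to offering both versions.
        findings.append("No Protocol directive; verify the daemon default is version 2 only")
    for value in protocol_values:
        versions = {p.strip() for p in value.split(",")}
        if "1" in versions:
            findings.append("SSH protocol version 1 is enabled (Protocol %s)" % value)
            break

    # Check 2: an active "Subsystem sftp <server>" line must be present.
    sftp_enabled = any(
        k == "subsystem" and v.split()[:1] == ["sftp"]
        for k, v in directives
    )
    if not sftp_enabled:
        findings.append("No active 'Subsystem sftp' line; SFTP clients will be refused")

    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        result = audit_sshd_config(cfg)
        print("%s: %s" % (name, result or "no findings"))
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. The parser ignores commented-out lines on purpose, because a `#Subsystem sftp ...` line left in a distribution default is the usual reason an SFTP client is refused even though the administrator believes SFTP is "on".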