Curing remote-access security ailments

By Hal Stern, Unix Insider |  Security

You'll need to double-check the level of data privacy and protection
offered by the modified application. If encryption is used to verify
credentials and authenticate users, but not to encrypt data, it won't
help you with data-exposure problems. A good example of this half-way
solution is Sun's Secure NFS. It protects you from users who become
root on their own machines, su to another user and then
NFS-mount those users' filesystems, because it requires a secret key
(password) to generate a verifier for the user's NFS credentials.
However, Secure NFS only performs credential verification and it
doesn't help with the file-exposure problems highlighted in the
opening section.

The most transparent, and often highest performance solution, is to
invest in network- or link-level encryption. Devices like Sun's Solstice SunScreen SPF100 encrypt incoming IP traffic and deliver it over insecure channels to a
peer device that converts it back to plain text. With SunScreen, for
example, you don't need to modify applications or user behavior to
derive encryption benefits. On the other hand, this isn't a cheap
proposition and it requires an all-or-none approach for all of the
sites that you want included in the extended, secure network. You pay
a price for a high degree of transparency with a fixed maintenance
investment.

Double secret probation

Until recently, there hasn't been a middle ground between an
end-to-end encryption solution at the link or network level and a
growing suite of modified applications. Several months ago, Tatu
Ylonen, a researcher at the Helsinki University of Technology,
released the Secure Shell (ssh) as a compromise between modified
applications and hardened networks. The premise behind ssh is that the
network can't be trusted, so secure data exchange requires building
secure channels on top of untrusted ones. Secure Shell replaces the
Berkeley remote login (rlogin) application and the rcp remote copy
tool with versions that perform end to end encryption at the
application layer. By working at the remote login level, ssh builds a
"tunnel" between systems that can be used to carry other kinds of
traffic as well, including X Window System sessions and arbitrary TCP
socket connections.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question