Re: Telnet concerns from auditors -- MIDRANGE-L

On Fri, Oct 3, 2008 at 9:26 PM, Charles Wilt <charles.wilt@xxxxxxxxx> wrote:

In all fairness, this risk is lower now than it used to be due to the
use of network switches.

With a switch instead of a hub, the only packets that get sent down a
users wire are the ones destined for his/her PC.

In theory.

There exists a multitude of techniques to trick a switch into
rerouting packets to the wrong ports (arp spoofing, mac overflow), and
also more subtle attacks (for example, manipulating DNS so that Client
Access connects to the wrong ip address, which is transparently NATd
to the correct one.

There are several technologies available to alleviate some of these
techniques, like 802.1x authentication on the port level, port
security, etc.

But the correct and easiest way is to use SSL on the application level
COMBINED with 802.1x.

Plaintext authentication is no longer acceptable, except maybe in
closed circuit networks with only trusted machines and in physically
secure location (so, almost nowhere).

The same risks go for FTP, HTTP, etc.

Sadly, IBM does not secure IBM i OS by default - this is a point that
badly needs improvement (yes, i submitted a DCR).

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.