At 4/10/01 08:49 AM -0500, you wrote:
>On Mon, 9 Apr 2001, Thomas Duterme wrote:
> > We've also got a private net for the same servers with a
> > dedicated line from the IDC to the company. Currently,
> > telnet is enabled on that network. (mainly for ease and to
> > eliminate the need for key distribution among all company
> > machines)
> >
> > Question to the list: is there anything *wrong* with this
> > picture? Can you criticize this setup from a
> > security point of view? Specifically interested in hearing
> > what people have to say about the private network telnet
> > access. (note: the private names/IPs are not publicly
> > available via DNS - i.e. using a split DNS atmosphere)
I read that something like 80% of companies that detected security breaches
found inside involvement--employees who got social-engineered, who were
mad, who were curious, who were careless, who were stealing, whatever.
You're operating on the assumption that you can trust your users, which is
(probabilistically) wrong.

Install SSH internally, and, since you wanted to avoid key distribution to
all machines, just use password authentication. You'll have gained a great
deal since passwords and session data will now be encrypted as opposed to
clear text, and you'll put forth darn near zero effort. But remember that
those best able to screw you are those who are already close to you.
--
Rodolfo J. Paiz
[EMAIL PROTECTED]
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
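
An added example, not part of the original message: a Python check that a host matches the advice in the reply above, with telnet switched off in xinetd and sshd still accepting passwords so that no key distribution is needed. The file contents are constructed samples, and the function names (`xinetd_enabled`, `sshd_option`, `audit`) are hypothetical.

```python
import re

# Constructed sample files (not taken from the thread).
XINETD_TELNET = """\
service telnet
{
    socket_type = stream
    server      = /usr/sbin/in.telnetd
    disable     = no
}
"""
SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
passwordauthentication no
"""

def xinetd_enabled(text, service):
    """True if a 'service <name>' block exists and is not disabled."""
    block = re.search(r"^\s*service\s+%s\s*\{(.*?)\}" % re.escape(service),
                      text, re.S | re.M)
    if not block:
        return False
    flag = re.search(r"^\s*disable\s*=\s*(\S+)", block.group(1), re.M)
    # A block with no 'disable' line is an enabled service.
    return not (flag and flag.group(1).lower() == "yes")

def sshd_option(text, keyword, default):
    """Effective global value: sshd keeps the first value it reads for a
    keyword, and keywords are case-insensitive."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # everything after a Match line is conditional
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return default

def audit(xinetd_text, sshd_text):
    findings = []
    if xinetd_enabled(xinetd_text, "telnet"):
        findings.append("telnet enabled: passwords and sessions in clear text")
    if sshd_option(sshd_text, "PasswordAuthentication", "yes") != "yes":
        findings.append("sshd refuses passwords: users would need keys")
    return findings

if __name__ == "__main__":
    print(audit(XINETD_TELNET, SSHD_CONFIG))
```

In the sample `sshd_config` the second, lowercase `passwordauthentication no` line has no effect, because the first value read for a keyword is the one sshd uses.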