In article <9405241504.AA11084@sword.eng.pyramid.com> Paul Daw writes:
|On occasion, engineers and customer support folk from our site go out
|into the big bad world, and want to get back into the network via the
|Internet connection. There are some obvious advantages to this - cost,
|convenience and speed being the most significant. This activity is
|usually done from a customer site that is connected to the Internet.
|
[ ... ]
|
|It seems like the only safe way to do this is to actually give the
|remote user an encrypted telnet capability so that even the clear
|passwords aren't sniffable at the remote site. Given this, I have
|two questions:
|
|1) Am I *too* paranoid about all of this? Are we going too far?
|
|2) If not, what are the restrictions for running encrypted telnet
| in other countries? Should we be concerned about this?
(Hi Paul :-)

If you are going to do this, then you have to worry about the
difficulty of setting up such an encrypted telnet capability
at the customer's site. In your case, you could "just" add
the encrypted telnet function to the standard OS release and
then after it gets out into the field, you'd be set (subject
to the export regulations you were rightly worrying about).
For people who have immediate needs, or who can't add things
to the OS release for their customers another approach is
needed.

Taking a tape and compiling the encrypted telnet application
is one possibility. Equipping the travelling engineers with a
portable machine that already has the application installed is
another. In either case, there might be security concerns on
the part of the customer - access to a tape drive and compiling
a program is not such a concern, but attaching a new outside
machine to the company's internal network might be a real concern.
(Although, if the customer is already letting your engineers
connect out through the network, the main extra exposure in an
internally connected machine is the increased bandwidth available
for potential misuse - while a connected portable machine could
run some sort of data collection in the background, so could the
encrypted telnet application.)

Either method has a certain amount of activity required before
the engineer can get around to doing their real job. (Either
finding a compatible tape drive, compiler, and account to use,
and building the application, or else setting up a network address
and telling the rest of the network about it, including setting
up any tighter than normal restrictions.) The portable machine
has the significant advantage that the engineer can take along
their standard environment - preferred shell, utility functions,
window manager, etc. - and be able to use some of these in their
activity on behalf of the customer.

This is an approach that can be very useful as long as your
relationship with the customer is such that they can extend a
significant degree of trust to your engineers - that is more of
a business/political/personal concern than a technical one, as
many security issues are.
--
That is 27 years ago, or about half an eternity in | John Macdonald
computer years.            - Alan Tibbetts        | jmm@Elegant.COM
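Editor's note: the thread takes it as given that a sniffer at the remote site can lift a cleartext telnet login. The example below (added here; it is not code from either poster) makes that concrete by reassembling a login from the TCP payloads of a telnet session. The session bytes, host banner, user name "pdaw" and password "s3cret" are constructed for the example, not taken from any capture.

```python
# Added example (not part of the original post): why cleartext telnet
# lets a sniffer at the remote site read the login and password.  The
# session below is constructed, not a real capture.

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
TERMINAL_TYPE, ECHO, SGA = 24, 1, 3


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop RFC 854 IAC command sequences and return the user-visible bytes."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:
            break                      # truncated IAC at end of segment
        else:
            cmd = data[i + 1]
            if cmd == IAC:             # IAC IAC is an escaped 0xFF data byte
                out.append(IAC)
                i += 2
            elif cmd in (DO, DONT, WILL, WONT):
                i += 3                 # IAC <verb> <option>
            elif cmd == SB:            # subnegotiation runs until IAC SE
                end = data.find(bytes([IAC, SE]), i + 2)
                i = n if end < 0 else end + 2
            else:
                i += 2                 # other two-byte commands (NOP, GA, ...)
    return bytes(out)


def extract_credentials(session):
    """Pair each server prompt with the client line typed after it.

    session is a list of (direction, payload) TCP segments in capture
    order, direction being 's2c' (server to client) or 'c2s'.  Client
    keystrokes may be split across segments, so they are buffered until
    a CR-terminated line is complete.
    """
    creds = {}
    pending = None                     # which prompt the next client line answers
    typed = bytearray()
    for direction, payload in session:
        text = strip_telnet_negotiation(payload)
        if direction == 's2c':
            tail = text.lower().rstrip()
            if tail.endswith(b'login:'):
                pending = 'login'
            elif tail.endswith(b'password:'):
                pending = 'password'
            continue
        typed += text
        while True:
            cr = typed.find(b'\r')
            if cr < 0:
                break
            line = bytes(typed[:cr]).decode('ascii', 'replace')
            cut = cr + 1
            if cut < len(typed) and typed[cut] in (0x0A, 0x00):
                cut += 1               # telnet ends a line with CR LF or CR NUL
            del typed[:cut]
            if pending:
                creds[pending] = line
                pending = None
    return creds


# Constructed session: option negotiation, a banner, then a login.
SAMPLE_SESSION = [
    ('s2c', bytes([IAC, DO, TERMINAL_TYPE, IAC, WILL, ECHO, IAC, WILL, SGA])),
    ('c2s', bytes([IAC, WILL, TERMINAL_TYPE, IAC, DO, ECHO, IAC, DO, SGA])),
    ('s2c', bytes([IAC, SB, TERMINAL_TYPE, 1, IAC, SE])),          # SEND terminal type
    ('c2s', bytes([IAC, SB, TERMINAL_TYPE, 0]) + b'VT100' + bytes([IAC, SE])),
    ('s2c', b'\r\nwelcome to host\r\n\r\nlogin: '),
    ('c2s', b'pd'),                    # keystrokes arrive in small segments
    ('c2s', b'aw\r\n'),
    ('s2c', b'pdaw\r\nPassword:'),     # server echoes the login, not the password
    ('c2s', b's3cret\r\n'),
    ('s2c', b'\r\nLast login: Tue May 24 15:04\r\n$ '),
]

if __name__ == '__main__':
    print(extract_credentials(SAMPLE_SESSION))
```

The point of the negotiation stripping is that a real session is littered with IAC sequences (and the password is never echoed back by the server), so a naive string search on the raw stream can miss or mangle the typed line; once the command bytes are removed, the credentials fall out of the client side of the stream in plain ASCII. With the link encrypted end to end, the same segments carry ciphertext and this reassembly yields nothing.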