Great Circle Associates Firewalls
(December 1997)
 


Subject: Re: NT as a central intranet firewall
From: David Lang <dlang @ diginsite . com>
Date: Thu, 11 Dec 1997 08:33:21 -0800 (PST)
To: "H. Morrow Long" <morrow . long @ yale . edu>
Cc: vslabs @ onwe . co . za, Firewalls @ GreatCircle . COM
In-reply-to: <199712111626 . LAA25343 @ SPARKY . CF . CS . YALE . EDU>

By "telnet" I am including one-time passwords, ssh and other similar
items.

David Lang


On Thu, 11 Dec 1997, H. Morrow Long wrote:

> David Lang <dlang @ diginsite . com>
> >Part of the problem some people (including me) have with NT is how much
> >hardware it takes to get decent results. Yes you can get good results if
> >you use a dual PII-233 with 256MB ram but if you can do the same job on a
> >P-166 with 64-128MB ram with a different OS why should you go with NT? Yes
> >the graphics are nice but if this is a server that sits unless checked it
> >is often nicer to have a machine you can telnet into to manage.
> >
> >David Lang
> 
> Note that 'a machine you can telnet into to manage' is not always a
> good move -- especially for Internet (or even intranet) firewalls.
> 
> Even when using Unix machines or dedicated routers (which support a
> telnet service) as firewalls the recommendation is generally to
> remove any ability to 'telnet' into either type of machine.
> 
> Only allowing login, configuration and administration of the
> firewall from the console is safest.  An authenticated (and 
> often encrypted) client-server protocol is usually supplied
> by firewall vendors for management these days -- it is usually
> GUI-based but sometimes has command line, scripting and Web
> interfaces as well.
>  
> "ssh" restricted to allow connections from only one or two machines on
> the safe secure network and requiring two-factor (NOT regular password)
> authentication to login may be acceptable for f/w mgt for some sites.
> 
> H. Morrow Long, Yale Univ IT ISO -Info Technology Services Info Security Officer
> 175 Whitney Avenue, New Haven, CT 06520-8276, (203)432-1248(voice) 432-0593(FAX)
> INET: http://pantheon.yale.edu/~long/ mailto:Morrow . Long @ yale . edu
> PAGE: (203)370-3081, (800)347-2574,   mailto:1165469 @ pager . mcb . com  PIN# 1165469
> PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C  4D 7C 22 56 80 BA 84 09
> 
> 
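The ssh arrangement described in the quoted message (connections from only one or two management machines, two-factor rather than regular password login) can be checked mechanically. The following is an added example, not part of either poster's message: a small audit of an OpenSSH `sshd_config`. The user names and 192.0.2.x addresses are constructed placeholders, and it assumes whitespace-separated keywords, no `Match` blocks, and that `keyboard-interactive` is backed by a one-time-password mechanism.

```python
import ipaddress

# Constructed sshd_config samples (placeholder users and addresses).
GOOD = """\
# management access to the firewall
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
AllowUsers fwadmin@192.0.2.10 fwadmin@192.0.2.11
"""
WEAK = """\
PasswordAuthentication yes
AllowUsers fwadmin@192.0.2.* ops
"""

def parse(text):
    """Map lowercased keyword -> argument list (global section only)."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "allowusers":      # repeated AllowUsers lines accumulate
            conf.setdefault(key, []).extend(args)
        else:                        # otherwise sshd keeps the first value
            conf.setdefault(key, args)
    return conf

def audit(text, max_hosts=2):
    """Return findings where the config departs from the quoted advice."""
    conf, findings, hosts = parse(text), [], set()
    if (conf.get("passwordauthentication") or ["yes"])[0].lower() != "no":
        findings.append("regular password login is enabled")
    # Each whitespace-separated list is an alternative; every alternative
    # must demand two distinct methods (":submethod" suffixes ignored).
    for alt in conf.get("authenticationmethods") or ["any"]:
        if len({m.split(":")[0] for m in alt.split(",")}) < 2:
            findings.append(f"'{alt}' lets one method complete login")
    entries = conf.get("allowusers", [])
    if not entries:
        findings.append("no AllowUsers restriction")
    for entry in entries:
        _, at, host = entry.rpartition("@")
        try:                         # fails on no @host, wildcard, CIDR, name
            hosts.add(ipaddress.ip_address(host if at else ""))
        except ValueError:
            findings.append(f"'{entry}' is not pinned to one source address")
    if len(hosts) > max_hosts:
        findings.append(f"{len(hosts)} source hosts allowed, limit is {max_hosts}")
    return findings
```

`audit(GOOD)` returns an empty list; `audit(WEAK)` reports the enabled password login, the missing second method, and both unpinned `AllowUsers` entries.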


