This article can also be found in the Premium Editorial Download "Information Security magazine: Help! Evaluating AV solutions and tech support."
Despite ample warnings and publicity, the annual Def Con hacker conference always catches a fair number of new victims for its "Wall of Shame," a running list of attendees whose passwords and credentials were sniffed off the conference network and posted for everyone to see.
If you use unencrypted POP3 or IMAP to check your e-mail, plain HTTP to log in to a Web app, FTP for a file transfer or Telnet for remote access, you too could end up on this list. Worse, you could end up on some hacker's to-do list, with more dire consequences.
Whether you're talking about a compromised host or a wide-open wireless network, eavesdropping is a serious security issue. Hackers need to control only one host on a LAN or VLAN to sniff packets and compromise your network. They can even do this on a switched network using tools like ettercap or arpspoof, which send forged ARP replies so that hosts deliver traffic to the attacker's machine instead of to the real gateway or server.
Consider this: Every packet you send across the Internet passes through a number of routers. Hackers can compromise and reconfigure these hops to route traffic through their machines. Attackers don't even need to exploit a flaw in the router; they can snatch a password from a snooped Telnet session.
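What ends up on the wall is easy to reproduce. The following is an added example, not the article's or Bastille Linux's code: a small Python credential extractor that walks TCP payloads for POP3, IMAP, FTP, Telnet and HTTP Basic authentication and pulls out the username and password. The port numbers, direction flags and sample segments are constructed for illustration, and the Telnet handling assumes the usual "login:" and "Password:" prompt pair from the server.

```python
"""Pull logins out of cleartext protocol traffic.

Added example (not the article's code). Input is a list of TCP payload
segments already split by direction; the sample segments are constructed.
"""
import base64
import re
from dataclasses import dataclass

IAC = 0xFF
PROTOCOL_BY_PORT = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}


@dataclass(frozen=True)
class Credential:
    protocol: str
    username: str
    password: str


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop Telnet option negotiation so only the typed characters remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:    # escaped 0xFF data byte
            out.append(IAC); i += 2
        elif i + 1 < len(data) and data[i + 1] == 0xFA:   # SB ... IAC SE subnegotiation
            end = data.find(b"\xff\xf0", i + 2)
            i = len(data) if end < 0 else end + 2
        elif i + 1 < len(data) and data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):
            i += 3                                        # WILL/WONT/DO/DONT <option>
        else:
            i += 2                                        # any other two-byte command
    return bytes(out)


def _unquote(s: str) -> str:
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


class CredentialSniffer:
    def __init__(self):
        self.found = []
        self._buf = {}            # port -> client bytes not yet terminated by a newline
        self._user = {}           # port -> username seen, password still pending
        self._telnet_expect = None

    def feed(self, port: int, direction: str, payload: bytes) -> None:
        if port == 23:
            payload = strip_telnet_iac(payload).replace(b"\r\x00", b"\r\n")
            if direction == "s2c":            # server prompts tell us what comes next
                low = payload.lower()
                if b"password:" in low:
                    self._telnet_expect = "password"
                elif b"login:" in low or b"username:" in low:
                    self._telnet_expect = "user"
                return
        elif direction == "s2c":
            return                            # the secret travels client -> server
        buf = self._buf.get(port, b"") + payload
        while (nl := buf.find(b"\n")) >= 0:   # reassemble lines split across segments
            line, buf = buf[:nl].rstrip(b"\r"), buf[nl + 1:]
            self._line(port, line.decode("utf-8", "replace"))
        self._buf[port] = buf

    def _line(self, port: int, text: str) -> None:
        proto = PROTOCOL_BY_PORT.get(port)
        if proto in ("POP3", "FTP"):          # USER <name> then PASS <secret>
            m = re.match(r"(USER|PASS)\s+(.*)$", text, re.I)
            if m and m.group(1).upper() == "USER":
                self._user[port] = m.group(2)
            elif m and port in self._user:
                self._emit(proto, self._user.pop(port), m.group(2))
        elif proto == "IMAP":                 # <tag> LOGIN <name> <secret>
            m = re.match(r"\S+\s+LOGIN\s+(\S+)\s+(.*)$", text, re.I)
            if m:
                self._emit(proto, _unquote(m.group(1)), _unquote(m.group(2)))
        elif proto == "HTTP":                 # Basic auth is just base64, not encryption
            m = re.match(r"Authorization:\s*Basic\s+(\S+)", text, re.I)
            if m:
                user, _, pw = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
                self._emit(proto, user, pw)
        elif proto == "Telnet":               # whatever follows the prompt is the answer
            if self._telnet_expect == "user":
                self._user[port] = text
            elif self._telnet_expect == "password" and port in self._user:
                self._emit(proto, self._user.pop(port), text)
            self._telnet_expect = None

    def _emit(self, proto, user, pw):
        self.found.append(Credential(proto, user, pw))


def sniff(segments):
    s = CredentialSniffer()
    for port, direction, payload in segments:
        s.feed(port, direction, payload)
    return s.found


# Constructed traffic: (server port, direction, TCP payload). Not a real capture.
SAMPLE_SEGMENTS = [
    (110, "c2s", b"USER alice@example.com\r\n"),
    (110, "s2c", b"+OK\r\n"),
    (110, "c2s", b"PASS hunter2\r\n"),
    (21, "c2s", b"USER ftp"),                       # command split across two segments
    (21, "c2s", b"admin\r\nPASS s3cret!\r\n"),
    (80, "c2s", b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"bob:passw0rd") + b"\r\n\r\n"),
    (23, "s2c", b"\xff\xfd\x18\xff\xfd\x20login: "),  # DO TERMINAL-TYPE, DO TSPEED, prompt
    (23, "c2s", b"root\r\x00"),
    (23, "s2c", b"Password: "),
    (23, "c2s", b"t"),                              # character-at-a-time Telnet client
    (23, "c2s", b"oor\r\n"),
    (143, "c2s", b'a001 LOGIN carol "pa ss"\r\n'),
]

if __name__ == "__main__":
    for c in sniff(SAMPLE_SEGMENTS):
        print(f"{c.protocol:7} {c.username}:{c.password}")
```

Run it and all five constructed logins come out, the Telnet one despite option negotiation in the stream and a client that sends one character per packet. Pointed at your own traffic, the same logic doubles as a detector for cleartext authentication you did not know was still in use.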
You may think your company's IT infrastructure uses secure protocols, but you're probably wrong. Many enterprises ignore best practices, using Telnet to administer Unix and Windows systems, routers and mainframes. There's no excuse whatsoever for the first two, since secure shell (SSH) alternatives are available for Unix and Windows. SSH is largely unavailable for mainframes, though.
Router operating-system patches and upgrades typically add SSH support. When they don't, you can build an inexpensive, Linux-based SSH proxy, which is particularly useful for securing mainframes.
Here's how it works: Place a Linux PC in front of the mainframe. Users or applications SSH into that host, then Telnet to the mainframe, so the cleartext session exists only on the short hop between the jump host and the mainframe instead of crossing the rest of the network. You can even set static ARP entries on those two devices to defeat the ARP spoofing tools used to actively sniff switched networks. (For instructions on building a Linux jump point with a bridging firewall, see www.bastille-linux.org/jay/linux-jump-point-instructions.html.)
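One practical check for the static-ARP part of that setup, as an added example rather than anything from the article or the linked instructions: a Python script that reads the jump host's ARP table in /proc/net/arp format, confirms that the mainframe and the gateway are pinned to the expected MAC addresses with the permanent flag set, and emits the iproute2 command that re-pins any entry that is missing, dynamic, or resolving to another MAC. The addresses, interface name and table snapshot are constructed.

```python
"""Verify the static ARP entries that protect an SSH jump host.

Added example, not from the article or Bastille Linux. Reads the kernel
ARP table in /proc/net/arp format and checks that each protected peer is
pinned to the expected MAC with the PERM flag. Addresses are made up.
"""
import os
import sys

ATF_COM = 0x02    # entry is complete (resolved)
ATF_PERM = 0x04   # entry is static; a received ARP reply will not overwrite it

# Peers whose MAC must never change from the jump host's point of view (constructed).
EXPECTED = {
    "10.0.5.10": ("00:0a:e6:12:34:56", "eth1"),   # mainframe's Telnet interface
    "10.0.5.1":  ("00:0a:e6:ab:cd:ef", "eth1"),   # default gateway on that VLAN
}

# Constructed /proc/net/arp snapshot: gateway pinned correctly (flags 0x6 = COM|PERM),
# mainframe still dynamic (0x2) and currently resolving to some other MAC.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.5.1         0x1         0x6         00:0a:e6:ab:cd:ef     *        eth1
10.0.5.10        0x1         0x2         00:0c:29:de:ad:be     *        eth1
10.0.5.77        0x1         0x2         00:50:56:11:22:33     *        eth1
"""


def parse_arp_table(text):
    """Return {ip: (mac, flags, device)} from /proc/net/arp text (header skipped)."""
    entries = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        entries[ip] = (mac.lower(), int(flags, 16), dev)
    return entries


def audit(arp_table, expected=EXPECTED):
    """List (ip, problem) for every expected peer that is not safely pinned.

    A MAC mismatch is reported first: with a dynamic entry it is what ARP
    poisoning looks like from the victim's side.
    """
    problems = []
    for ip, (mac, dev) in expected.items():
        entry = arp_table.get(ip)
        if entry is None:
            problems.append((ip, "missing"))
            continue
        cur_mac, flags, cur_dev = entry
        if cur_mac != mac.lower():
            problems.append((ip, f"mac-mismatch:{cur_mac}"))
        elif not flags & ATF_PERM:
            problems.append((ip, "not-static"))
        elif cur_dev != dev:
            problems.append((ip, f"wrong-device:{cur_dev}"))
    return problems


def repair_commands(problems, expected=EXPECTED):
    """iproute2 commands (run as root) that pin each problem peer to its known MAC."""
    return [
        f"ip neigh replace {ip} lladdr {expected[ip][0]} dev {expected[ip][1]} nud permanent"
        for ip, _reason in problems
    ]


if __name__ == "__main__":
    # --live audits this host's real table; otherwise the constructed snapshot is used.
    if "--live" in sys.argv and os.path.exists("/proc/net/arp"):
        with open("/proc/net/arp") as f:
            text = f.read()
    else:
        text = SAMPLE_ARP_TABLE
    found = audit(parse_arp_table(text))
    for ip, reason in found:
        print(f"{ip}: {reason}")
    for cmd in repair_commands(found):
        print(cmd)
```

Permanent neighbour entries set with ip neigh do not survive a reboot, so the same commands belong in the host's startup scripts, and pinning only protects the jump host's side of the conversation, which is why the entries go on both devices.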
The idea of using Linux boxes as SSH jump points isn't new. Savvy admins have been securely managing routers for ages by SSH-ing into a Linux box that is cabled to the router's serial console port.
Cleartext protocols have alternatives as well. Authenticated FTP sessions can be replaced with SFTP or SCP, which run over SSH and terminate on an SSH server. POP3 and IMAP can be wrapped in SSL/TLS (POP3S and IMAPS, or STARTTLS where the server supports it). Web applications that exchange confidential information should use HTTPS with a certificate signed by a CA your users' browsers trust; a self-signed certificate trains users to click through warnings, which is exactly what an attacker in the middle needs. If you're having trouble eliminating unencrypted protocols, you can use VPNs to encrypt all traffic from external users or sites.
Regardless of your method, continuing to use insecure protocols is inexcusable, especially when alternatives are so readily available.
About the author:
Jay Beale is the lead developer of Bastille Linux and the editor of Syngress Publishing's Open Source Security series.
This was first published in October 2004