Q: What are the major security concerns for companies using FTP and Telnet?
A: The main problem with FTP or Telnet is that they are fundamentally insecure protocols. FTP dates back to the ’60s, when it was commissioned by DARPA, and Telnet was created a bit earlier. That was a time when network security was not as much of a concern as it is today. Both protocols were designed with simplicity, versatility and flexibility in mind, but definitely not security. FTP is primarily used for transferring files between homogeneous or heterogeneous environments, while Telnet is the de facto protocol for accessing text-based legacy applications or remotely managing servers and network equipment.
- Clear-text transmission: all communications are done in clear text, including usernames and passwords
- Weak client authentication: both FTP and Telnet authenticate users through usernames and passwords, which, time and time again, have proven to be unreliable authentication methods. There is no support for more advanced authentication methods such as public/private key, Kerberos or digital certificates
- No server authentication: this means that users have no way to be sure that the host they are communicating with really is the FTP server and not an attacker impersonating the server
- Absence of data integrity: the problem here is that, assuming the same scenario as above, anyone could alter and corrupt the data being transmitted between the server and the client without being noticed
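
Added example, not part of the interview: a small Python audit that reads sensor records and reports which sessions used FTP or Telnet and which named accounts sent a password over the unencrypted FTP control channel. The record format, function names and sample values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (session id, server port, client line), in a
# made-up format standing in for what a network sensor would extract.
SAMPLE = [
    ("s1", 21, "USER jsmith"),
    ("s1", 21, "PASS Winter2009!"),
    ("s1", 21, "RETR payroll.csv"),
    ("s2", 22, "SSH-2.0-ExampleClient"),
    ("s3", 21, "USER anonymous"),
    ("s3", 21, "PASS guest@example.com"),
    ("s4", 23, "show running-config"),
]

CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}
ANONYMOUS = {"anonymous", "ftp"}   # conventional anonymous FTP logins


def cleartext_sessions(records):
    """Group session ids by legacy protocol, judged by server port."""
    found = defaultdict(set)
    for session, port, _line in records:
        if port in CLEARTEXT_PORTS:
            found[CLEARTEXT_PORTS[port]].add(session)
    return {proto: sorted(ids) for proto, ids in found.items()}


def exposed_accounts(records):
    """Map each named FTP account to the sessions where USER was followed
    by PASS on the unencrypted control channel. Passwords are not kept."""
    pending = {}                       # session id -> username awaiting PASS
    exposed = defaultdict(list)
    for session, port, line in records:
        if port != 21:
            continue
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            pending[session] = arg.strip()
        elif verb == "PASS" and session in pending:
            user = pending.pop(session)
            if user.lower() not in ANONYMOUS:
                exposed[user].append(session)
    return dict(exposed)


if __name__ == "__main__":
    print(cleartext_sessions(SAMPLE))
    print(exposed_accounts(SAMPLE))
```

Every account the second function returns has had its password visible to anything on the network path, so it is a candidate for rotation once the service is moved to an encrypted transport.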
Q: Do standard security platforms such as Trend Micro and Symantec provide security for FTP and Telnet protocols?
A: Antiviruses are not designed to protect network protocols such as FTP or Telnet. Antiviruses do what they’ve always done best: detect and eradicate rogue malware code running on a machine. The kinds of problems that arise with Telnet or FTP are not of that nature. These protocols were never designed to handle the most basic security requirements such as data encryption, strong authentication and data integrity. This leaves them with multiple angles of attack which are not covered by antivirus such as those named here.
Q: Do industry security standards such as Sarbanes-Oxley and HIPAA have compliance requirements for FTP and Telnet?
A: Absolutely. To varying degrees, all of these regulations and standards have an impact on organizations running FTP or Telnet. Here are a few examples:
- PCI-DSS: the Payment Card Industry Data Security Standard regulates how credit card information is processed, stored and transmitted. The lack of encryption, weak authentication and absence of data integrity make FTP and Telnet completely unsuitable to support the requirements of that standard.
- GLBA: the Gramm-Leach-Bliley Act of 1999 requires organizations in the financial industry to adequately protect their customers’ private information, something that is not realistic with Telnet or FTP.
- SOX: the Sarbanes-Oxley Act requires the implementation of solid internal controls to guarantee that financial reports properly reflect the economic reality of any publicly traded company. Auditors reviewing IT systems will most likely shut down any FTP or Telnet activity because of their lack of security and viability in the context of these controls.
- HIPAA is a healthcare industry regulation which, among other things, requires healthcare actors to encrypt and protect their patients’ information. As explained above, this is something that’s not conceivable with Telnet or FTP.
A: Connectivity Secure Server is a high-performance network security system that allows organizations to encrypt, authenticate and guarantee the integrity of data being transmitted over a TCP/IP network. To put it in a nutshell, Connectivity Secure Server coupled with a secure shell client such as Connectivity SecureTerm will create secure encrypted tunnels between a user’s desktop and a server. Those tunnels can be used to pass any TCP/IP network traffic.
- Replace their Windows FTP Server
- Remotely manage Windows Servers
- Secure internal and external network traffic
- Encrypt 3rd party application traffic
A: Network monitoring, breach discovery and intrusion detection systems are a whole world in themselves. There’s no doubt that any company equipped with these kinds of tools has a better chance of finding out whether something bad is happening on their network, but the number of false positives sometimes returned by these systems makes them less than perfect more often than not. According to a study led by Verizon in 2008, 75% of breaches were not discovered by the victims but by someone else. That number alone speaks volumes about the chance that a company has of finding this out by itself. There’s no miracle: be proactive and cover the basics.
A: Connectivity Secure Server is available today from Softchoice and its partners. Companies who want more information can go to www.hummingbird.com/secureserver where we have datasheets, whitepapers and trial versions available. The trial version is a time-limited, fully functioning version of the product. Don’t forget to also check our client-side solution, Connectivity SecureTerm, and our security add-on for Exceed, Connectivity Secure Shell.