David Boyes wrote:
There's a lot of "commercial" firewalls that don't get FTP right, and
So complain. It can be done right, and customers' demands rule.
That works two ways -- if customer A with broken firewall demands you
permit something you know to be insecure, do you cave in? Thought not.
If, "knowing" ftp is insecure, I want to run a public ftp server, that's
my affair. Lots of big companies, IBM included, do this.
If, "knowing" ftp is insecure, I want to use ftp to download software,
that's between me and the supplier of the software. The vendor of the
firewall simply doesn't get a vote. I _can_ download software from IBM,
RedHat and SUSE servers.
If a vendor of commercial firewalls doesn't allow me to do these things,
then I will choose a vendor that does.
See previous argument.
Sometimes, ftp is the only choice available to users - think files over
2 Gbytes. Like SLES and RHEL DVD images.
Since when has that mattered to an outside security auditor?
If my implementation doesn't pose an unwarranted security exposure, why
should it be a problem? If I can confirm that files I have downloaded
are those I intended to download, why is it a problem? How is
downloading CMSDDR images different from downloading DVD images?
Note, I don't accept that "no security exposure" is possible unless one
does not connect to the Internet.
There is a considerable difference between incoming ftp (passwords to
our site) and outgoing (passwords to their site). It's your
responsibility to set and enforce password policies for your site, and if
Novell's policy says "no ftp because it's insecure," that might be a
reasonable stance (but would still leave me wondering whether there's a
better alternative solution to their concerns).
There probably is. That doesn't change the basic fact of the argument
one iota. If the company's policy says "no", you're not going to change
that for something like this.
SUSE does allow incoming ftp (I just tested), so in this case, the
company policy does not say "no."
The immediate question I responded to was the question of ftp through
firewalls. If I, a Big Corporate, decide not to do that, that is one
matter. A firewall vendor imposing its rules on me, for any reason it
might think of, is not acceptable.
--
Cheers
John
-- spambait
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
Please do not reply off-list
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390