1. ITS -- Yale University Shutting Down Insecure Telnet and FTP (A Success Story) Chuck Powell Director, Workstation Support Services Yale University Charles.Powell@Yale.EduCharles.Powell@Yale.Eduhttp://wss.yale.edu/educause Copyright Charles Powell, 2001. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2. ITS -- Yale University 2 Prolog Although I’m the only one presenting today, the story you’re going to hear is, more than anything else, a success story about teamwork and social engineering involving a lot of people. It’s only fair at this point to mention, in particular, two people who were co-authors of not only this presentation but the success. David Davies (then the Manager of Student Computing) and Eoghan Casey (from our Information Security Office). Of course all typos and errors in the presentation are mine.

3. ITS -- Yale University 3 Presentation Goals Non-technical (happy to answer questions but that’s not the target today) More about process and communications than daemons Pretty vendor neutral and does not require expensive new software to implement Lessons learned for your benefit

4. ITS -- Yale University 4 Our Problem Telnet and Ftp represented “well known” security risks From the users perspective, however, ftp and telnet are “their friends” Investing large amounts of “new money” was not an option Leveraging existing technologies and our architecture Avoid the “dictatorship of the minority” through education

5. ITS -- Yale University 5 It’s Good to Be “Lucky” We had already been setting the stage RSA patent was expiring, undoing a logjam on client software Audience was receptive due to a spike in security breaches and “shared pain” Strong backing from “the top”

6. ITS -- Yale University 6 Objectives Turn off insecure telnet and ftp on institutional level servers –Without disenfranchising any users –Without new infrastructure –By extending current architecture and methods Educate users so the trend extended into machines and domains not centrally managed

7. ITS -- Yale University 7 What We Had A reliable and robust set of authentication services in Kerberos and Windows we could rely on A reasonably well known population of users and applications Some experience with smaller cases and some lessons learned

8. ITS -- Yale University 8 What We Lacked A plan and target dates A cohesive or unitary way of reaching all our clients Super powers or magic dust!

9. ITS -- Yale University 9 What We Did – In General Worked from both ends towards the middle Used as many different communication media as possible Worked incrementally Turned up “the noise” gradually Drew on diverse areas of expertise not only within IT but from our users

10. ITS -- Yale University 10 What We Did -- In Specific Set a date(s) to shoot for Separated telnet and ftp shutdowns Used everything from current print media to the login process to email lists to get the word out Answered every question you could dream of and then of course some we didn’t think of Met frequently to discuss and adjust

11. ITS -- Yale University 11 A Little Dab of Technology Windows Kerberized Host Explorer Secure Shell Windows Client TeraTerm SSH Putty/Pscp Samba/Windows file sharing Mindterm Java SSH Client Mac Kerberized Fetch Nifty Telnet w/SSH Kerberized Better Telnet Netatalk (Kerberos or DHX UAM) Mindterm Java SSH Client** Unix Openssh SSH Communications Security (SSH.Com) Kerberized Telnet and FTP Mindterm Java SSH Client PAM

12. ITS -- Yale University 12 Tricky Things We Learned Even the smallest changes can confuse novice users or annoy sophisticated users Emphasize the gains, don’t just be apologetic Develop your documentation with an eye towards varying populations – one size does not fit all

13. ITS -- Yale University 13 Summary It can be done! There is no such thing in this case as too much communication on the issue or too many different media Ask the question, “What do you do now?” and find solutions that are as “good”, or sometimes, even better! This isn’t a panacea and we’re not done yet

14. ITS -- Yale University 14 Useful Links http://wss.yale.edu/educause http://pantheon.yale.edu http://www.yale.edu/software/network/secure http://www.ssh.com http://www.openssh.org