Using Open Source in the Enterprise: Two Stories

This was interesting. Just recently MIT announced that they would be replacing their Cyrus IMAP infrastructure with Microsoft Exchange. The reason was that the IS Department wanted to offer Exchange – that is, they wanted to provide Microsoft Exchange services to their “customers” (students and faculty). Isn’t it ironic that it is none other than Carnegie Mellon, another educational institution, that maintains Cyrus IMAP? Many students are also upset, as they will no longer be able to use Pine for their email.

This news can be compared to the recent news from the London Stock Exchange: they are dropping their Windows-based trading system for one based on Linux. They didn’t go out of their way to choose one or the other, but the Windows-based system halted trading for an entire day. The exchange never stated exactly what the cause was, but the word was that the trading system was at fault. Now the CEO who brought in the trading system is out without any comment, and the first order of business for the new CEO is to dump the old Windows-based trading system. ComputerWorld has a nice article on it. This shows the reliability of Linux overall and suggests that this reliability should be a strong selling point.

Next time management starts suggesting replacing Linux with Windows – tell them the story of the London Stock Exchange. They are also not the only ones; go read the article.

Securing your network traffic

If you want to start some exciting discussion in a security forum, just say you use telnet: you’ll find that every admin knows that telnet is insecure, that one should use OpenSSH or similar to encrypt the traffic, and that telnet should be banned from the server environment entirely.

However, telnet is not the only service that transmits its passwords in the clear. There are a lot of others. Here’s a list I came up with:

  • FTP
  • HTTP
  • IMAP
  • IPP
  • LDAP
  • LPD
  • NFS
  • POP3
  • rsync
  • SMTP
  • SNMP
  • syslog
  • VNC
  • X11
  • XDMCP

I won’t cover all of these here (more about these items can be found in my book) but I do want to cover just a few.

Consider, for example, the mail protocols: SMTP, POP3, and IMAP. SSL encryption is available with all three – but do you use it? And what about your logins to your mailbox at your ISP? Without SSL, every time you log in, the password to your mailbox goes across the wire in the clear.

What about NFS – particularly NFS home directories? If you have unencrypted secrets in your home directory, then these items will be transmitted across the network in the clear as well. What about private SSH keys? Unfortunately, there is no way to encrypt NFS traffic.

VNC is another one to watch for: if you type passwords for your root logins over VNC – even if you are using SSH in your VNC session – the passwords are in the clear. The only way to secure VNC entirely is to use an SSH tunnel to encrypt it.

X11 is insecure in the same way, but presents special problems. However, OpenSSH handles X transparently through the use of special tunnels just for X.

syslog is another unencrypted service; do you have passwords put into the system logs? What about secret doings of your servers? How much information leakage can you handle? Unfortunately, syslog is another service that cannot be secured unless you use something such as syslog-ng, which permits you to use TCP (and thus, an OpenSSH tunnel).
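
One way to check a host against the list above, as an added example that is not from the original post: it parses `ss -tuln` output and flags listeners on the default ports of those services, marking whether each is bound to loopback only (as a VNC server reached through an SSH tunnel would be). The port mapping, the function names and the sample output are assumptions constructed for illustration.

```python
# Default ports for the services listed above (assumption: services run on
# their well-known ports; a listener moved elsewhere is not caught).
CLEARTEXT = {
    ("tcp", 21): "FTP", ("tcp", 23): "telnet", ("tcp", 25): "SMTP",
    ("tcp", 80): "HTTP", ("tcp", 110): "POP3", ("tcp", 143): "IMAP",
    ("udp", 161): "SNMP", ("udp", 177): "XDMCP", ("tcp", 389): "LDAP",
    ("udp", 514): "syslog", ("tcp", 515): "LPD", ("tcp", 631): "IPP",
    ("tcp", 873): "rsync", ("tcp", 2049): "NFS",
}
for n in range(10):  # VNC displays :0-:9 and X11 displays :0-:9
    CLEARTEXT[("tcp", 5900 + n)] = "VNC"
    CLEARTEXT[("tcp", 6000 + n)] = "X11"

# Constructed sample of `ss -tuln` output, not taken from a real host.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:514        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:143        0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:993        0.0.0.0:*
tcp   LISTEN 0      64     [::]:2049          [::]:*
"""

def is_loopback(addr):
    addr = addr.split("%")[0].strip("[]")  # drop "%lo" scope and IPv6 brackets
    return addr.startswith("127.") or addr == "::1"

def audit(ss_output):
    """Return (service, netid, address, port, exposed) for each listener
    on a port from the list. exposed=False means loopback only, which is
    what a service reached through an SSH tunnel should look like."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        service = CLEARTEXT.get((fields[0], int(port)))
        if service:
            findings.append((service, fields[0], addr, int(port), not is_loopback(addr)))
    return findings

if __name__ == "__main__":
    for service, netid, addr, port, exposed in audit(SAMPLE):
        status = "reachable from the network" if exposed else "loopback only"
        print(f"{service:7} {netid} {addr}:{port}  {status}")
```

On a real host, pass the output of `ss -tuln` to `audit()`. A finding on the SMTP, POP3 or IMAP port means checking that SSL is actually required there, not that the service is necessarily running in the clear.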