Indiana University Bloomington

School of Informatics and Computing


Computer Science Program








August 11th, 2003 - Network and System Security Changes

As part of the ongoing effort to keep the computing systems within the department secure, we are planning the following system changes. These changes may affect services you are currently using, but in each instance there should be an acceptable alternative so that functionality is not reduced.

These changes are scheduled to be implemented on August 11th and 12th, 2003. If you need assistance related to any of these changes, please submit a request using the CSG Help Desk.

  1. Elimination of ftp

    The ftp service is inherently insecure since it requires that login information be transmitted across the network in cleartext. There are SSH-based alternatives that provide secure file transfer, and these tools are available for all popular operating systems. For example, on unix-based platforms you can use sftp instead of ftp.

    For a list of some popular SSH client packages, please see the following SSH Security FAQ Entry.

    Note that the anonymous ftp service on ftp.cs.indiana.edu will not be affected by this change since it doesn't involve the transmission of sensitive login information.

  2. Elimination of unencrypted (non-SSL) POP and IMAP email access

    The POP and IMAP protocols are commonly used to access email from remote mail clients. These protocols can be used in two different modes. The first, running on port 109/110 (POP) or 143 (IMAP), is unencrypted and involves the transmission of login information in cleartext across the network. This method will no longer be supported. The second involves using SSL encryption to protect the sensitive login information as well as the contents of the email. This SSL encryption is supported by most modern mail clients (Outlook, Eudora, Netscape, Pine, etc.) and will continue to be supported. The configuration of SSL is typically just a matter of enabling SSL support in the mail server properties of your mail client.

    IMPORTANT NOTE: The configuration of SSL only applies to your incoming mail servers, NOT your outgoing mail server. The CS mail servers do not require or support authentication of outgoing email (i.e., mail messages that you compose and send through the CS servers), so you must not enable SSL in the Outgoing Server (SMTP) settings.

    Please see the IMAP/POP FAQ Entry for detailed instructions on how to configure SSL in several common mail clients, including Netscape, Outlook, Eudora, and Pine.

    Note that if you are using a mailer that accesses your email from the local filesystem (such as mail, elm, mh, mutt, or the default configuration of pine), it will not be affected by this change since it does not use the POP or IMAP protocols.

  3. Notebook ethernet address registration

    NOTE: The implementation of this is scheduled for Tuesday, September 2nd, 2003. You are urged to register your device before that date to avoid an interruption in service.

    Currently, anyone with physical access to the wired network in much of Lindley Hall can get an IP address and connect to the network. To prevent unauthorized access, and to provide accountability and tracking in the event of a problem, we are going to require that the ethernet address (also commonly referred to as the MAC or physical address) of the computer be registered before it will be allowed on the wired network. We plan to have a web-based registration system in place that will allow users to easily register new devices and have the updates effective immediately in order to limit the disruption this registration will cause.

    This change has no effect on the wireless network, which will continue to be secured through the use of the Virtual Private Network (VPN) configuration.

  4. Migration from SSH to OpenSSH

    We are currently using the commercial SSH client and server software on the CS unix systems but will be migrating to the OpenSSH implementation. The transition should be largely transparent, but it will be necessary to migrate keys between the different formats used by these packages. We plan to have scripts in place to automate this migration. This change is being made largely for compatibility reasons since OpenSSH is now in use on all central IU systems.
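
The key migration in item 4, as an added example that is not the department's migration script: it assumes the commercial SSH public keys are stored in the `---- BEGIN SSH2 PUBLIC KEY ----` format (RFC 4716) and converts one to the single-line form OpenSSH reads from `authorized_keys`. The function name and the sample key are constructed for illustration.

```python
import base64
import struct
import textwrap

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def ssh2_to_openssh(text):
    """Convert one RFC 4716 public key to an OpenSSH authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 PUBLIC KEY markers")
    comment, body, i = "", [], 1
    while i < len(lines) - 1:
        line = lines[i]
        i += 1
        if ":" in line:                      # header line; base64 never contains ':'
            while line.endswith("\\") and i < len(lines) - 1:
                line = line[:-1] + lines[i]  # join backslash-continued header lines
                i += 1
            tag, _, value = line.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
        elif line:
            body.append(line)
    blob = base64.b64decode("".join(body), validate=True)
    # The blob starts with a length-prefixed key type, e.g. "ssh-rsa".
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    key_type = blob[4:4 + n].decode("ascii")
    fields = [key_type, base64.b64encode(blob).decode("ascii")]
    if comment:
        fields.append(comment)
    return " ".join(fields)

def _s(b):
    return struct.pack(">I", len(b)) + b

# Constructed sample (not a real key): key type, exponent, dummy 65-byte modulus.
SAMPLE_BLOB = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" + b"\xc3" * 64)
SAMPLE_SSH2 = "\n".join(
    [BEGIN, 'Comment: "constructed sample key for \\', 'user@example"']
    + textwrap.wrap(base64.b64encode(SAMPLE_BLOB).decode("ascii"), 70)
    + [END]
)

if __name__ == "__main__":
    print(ssh2_to_openssh(SAMPLE_SSH2))
```

OpenSSH's own `ssh-keygen -i -f <file>` performs the same public-key import.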


