Re: Telnet and FTP to Historic

Keith Moore <moore@network-heretics.com> Thu, 03 December 2020 21:03 UTC

Subject: Re: Telnet and FTP to Historic
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: IETF Discussion Mailing List <ietf@ietf.org>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <96b7c1b1-bf0f-65a7-f35e-9b0373318478@network-heretics.com>
Date: Thu, 03 Dec 2020 16:02:56 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/hL50KNh8Qv9ACZ9zBFV6jZJdOCU>

On 12/3/20 3:45 PM, Phillip Hallam-Baker wrote:

>
>     For that matter not even "air gapped" networks are really safe.
>     There's almost always some laptop or other that occasionally
>     connects to such networks, and malware can creep in that way.
>
> There are viable controls but they are very expensive. At VeriSign we 
> constructed a tier 6 SOC and kept the machines that perform offline 
> operations in a very pricey safe along with the HSMs (see the CPS 
> which documents all of that).

Yes but this is a far cry from the typical "air gapped" LAN which is an 
Ethernet switch or WiFi access point that just doesn't happen to have an 
upstream link (most of the time).

And for most sites the kinds of measures you employed at VeriSign (glad 
you did!), or really anything more than perhaps an extra lock on the 
gate or door, would be prohibitively expensive.

I know of sites that are part of critical infrastructure, on concrete 
pads in the middle of nowhere, surrounded by a chain link fence (if 
that). The fence is just to keep the nearby cows out.

Keith