dbTalk Databases Forums

Informix Warehouse Accelerator Prerequisites

comp.databases.informix

#1 red_valsen - Informix Warehouse Accelerator Prerequisites - 08-19-2011, 01:46 PM

IBM lists on its website (http://publib.boulder.ibm.com/infocenter/idshelp/v117/index.jsp?topic=%2Fcom.ibm.acc.doc%2Fids_acc_prereqs.htm)
the presence of the woefully insecure Unix utility telnet as a
prerequisite for use of the Informix Warehouse Accelerator. It's been
nearly 10 years since I've worked in an IT environment that would
allow telnet since it transmits passwords in clear text. The
screaming security hole that telnet use implies becomes a showstopper
to even broaching IWA to management -- even for test and evaluation.
What in the world is the need for using telnet with IWA? Can a more
palatable utility be substituted?


#2 Fernando Nunes - Re: Informix Warehouse Accelerator Prerequisites - 08-19-2011, 02:06 PM

I suppose you can create an encrypted tunnel to overcome this difficulty.
Nevertheless I never understand (and please don't get me wrong) what is the
real problem on having clear text inside an organization.
We all use switches, and AFAIK it creates an exclusive channel between two
points. The options I know to overcome this are root access so that you can
eavesdrop all the network traffic on your server NICs or some sorts of ARP
poisoning that obviously can cause greater problems (and that require proper
security measures to prevent it).

So, what am I missing?
Regards.


--
Fernando Nunes
Portugal

http://informix-technology.blogspot.com
My email works... but I don't check it frequently...


#3 red_valsen - Re: Informix Warehouse Accelerator Prerequisites - 08-19-2011, 04:27 PM

On Aug 19, 3:06 pm, Fernando Nunes <domusonl... (AT) gmail (DOT) com> wrote:
Quote:
I suppose you can create an encrypted tunnel to overcome this difficulty.
Nevertheless I never understand (and please don't get me wrong) what is the
real problem on having clear text inside an organization.
We all use switches, and AFAIK it creates an exclusive channel between two
points. The options I know to overcome this are root access so that you can
eavesdrop all the network traffic on your server NICs or some sorts of ARP
poisoning that obviously can cause greater problems (and that require proper
security measures to prevent it).

So, what am I missing?
Regards.

Here's what you missed: Telnet isn't used anymore in security-aware
IT environments; telnetd doesn't run on any secured Unix/Linux hosts;
management (rightfully) refuses to consider otherwise. It's not a
matter of exclusive channels between switches; it's about encrypting
sensitive data.

Precisely what is telnet needed for within the product? Some type of
transport mechanism? And there are no others available today?

So, what is the alternative? Not providing an answer to telnet means
that (heard this before?) yet another touted new feature of IDS goes
unused because practical considerations are cast aside in pursuit of
an engineering solution that ignores reality.


#4 Fernando Nunes - Re: Informix Warehouse Accelerator Prerequisites - 08-20-2011, 04:32 PM

Ok... I will not follow up the reasons why telnet is insecure (the reasons
why ssh can be insecure are very well publicized).
But let's leave that. Let's try another path.
Where did you see a mention to telnetd? Are your machines "free" of "telnet"
command?

By the way, do your IDS servers all use encrypted communications?

I think you can go ahead and talk to your management about IWA. Telnet is
certainly not a problem and I'm sure they'll be pleased with the features.
Regarding this I usually don't see this referenced in most IWA documents:

In most DW scenarios, most of the times the system is able to run the
planned queries in the planned amount of time. But usually administrators
are always afraid of the twisted queries people and BI tools can generate
and the impact that it may have. I think one of the greatest use cases for
IWA is the ability to tell the users: "hey... during a week you'll have this
and that data available in a special system where you really can push it".
AFAIK the query time is always low, because the "query plans" are very
similar. So it gives the user a greater amount of "liberty" and can leave
the administrators more confident that the "twisted" queries will not impact
the usual load.

Regards.

On Fri, Aug 19, 2011 at 10:27 PM, red_valsen <red_valsen (AT) yahoo (DOT) com> wrote:

Quote:
Here's what you missed: Telnet isn't used anymore in security-aware
IT environments; telnetd doesn't run on any secured Unix/Linux hosts;
management (rightfully) refuses to consider otherwise. It's not a
matter of exclusive channels between switches; it about encrypting
sensitive data.

Precisely what is telnet needed for within the product? Some type of
transport mechanism? And there are no others available today?

So, what is the alternative? Not providing an answer to telnet means
that (heard this before?) yet another touted new feature of IDS goes
unused because practical considerations are cast aside in pursuit of
an engineering solution that ignores reality.

#5 Ian Goddard - Re: Informix Warehouse Accelerator Prerequisites - 08-20-2011, 06:05 PM

red_valsen wrote:
Quote:
Here's what you missed: Telnet isn't used anymore in security-aware
IT environments; telnetd doesn't run on any secured Unix/Linux hosts;
management (rightfully) refuses to consider otherwise. It's not a
matter of exclusive channels between switches; it's about encrypting
sensitive data.

Precisely what is telnet needed for within the product?
I must admit I found that an interesting question but it didn't take too
much effort to find the answer here:
http://publib.boulder.ibm.com/infoce...c_qs g_en.htm

The telnet /client/ is used by the ondwa shell script.

Quote:
Some type of transport mechanism?
As it's used in a shell script it rather looks as if it's being used to
enable the script to communicate with the accelerator on one or more of
the ports specified according to
http://publib.boulder.ibm.com/infoce...c_qs g_en.htm
and, AFAICS, the script & the accelerator are both on the same box so
this might well be on the loop-back port.

--
Ian

The Hotmail address is my spam-bin. Real mail address is iang
at austonley org uk


#6 Ian Michael Gumby - RE: Informix Warehouse Accelerator Prerequisites - 08-21-2011, 10:00 AM

Fernando,

If you have questions about security, talk to Errol Back-Cunningham. Last I heard he was an IT Specialist out of Philly.
(If you knew his CV and history, you'd understand why... ;-)

With respect to IWA...

1) I think if you replace 'telnet' with 'ssh', you're going to be fine.
2) Network security:
Most IT shops use managed switches which can do layer 2 along with layer 3. Depending on your switch manufacturer, you can see packets.
To your comment about becoming root on a machine and then doing packet sniffing... why? You've already compromised the box, which means you already have access.
If you are not setting up a VPN (layer 2), the odds are your IWA and IDS machines will be in the same rack and on the same physical switch. You're right that the most likely vector of attack will not be via the network but by gaining access to your chain of machines, starting with the machines connecting to the outside world. (Assuming of course your apps already stop the ability to do SQL injection attacks.) If you follow IBM/Informix's guidelines of using .rhosts or /etc/hosts.equiv, you're already too late. Of course if you set up port filtering on your machines, you have less risk by limiting ssh to the machines only from certain machines inside your firewall.

Now if you really want to be paranoid...

Assuming you're using the following:
a) ToR switch capable of doing Layer 2
b) servers that have at least 2 NIC ports.
c) your IWA server doesn't need any outside connection except to your IDS server...

Do the following:
On your switch, set up a VPN consisting of the two ports and a separate 10.x.x.x network
Set up the NIC ports on the machine and do IP port filtering to limit what types of traffic you're going to allow between the two machines.

Then it doesn't matter if you allow telnet or not.
In order to get to the IWA machine you will need to hack your IDS machine, or hack your ToR switch. Either way it's pretty difficult, and most likely you're not dealing with data that sensitive that someone outside of the company is going to make the effort. Most likely the admins who know enough about your machines will already have the root password, so you're fscked already if they want to steal your information.

Again, I agree that telnet is bogus, but you should be ok using SSH.

HTH

-G


Date: Fri, 19 Aug 2011 20:06:33 +0100
Subject: Re: Informix Warehouse Accelerator Prerequisites
From: domusonline (AT) gmail (DOT) com
To: red_valsen (AT) yahoo (DOT) com
CC: informix-list (AT) iiug (DOT) org

I suppose you can create an encrypted tunnel to overcome this difficulty.
Nevertheless I never understand (and please don't get me wrong) what is the real problem on having clear text inside an organization.
We all use switches, and AFAIK it creates an exclusive channel between two points. The options I know to overcome this are root access so that you can eavesdrop all the network traffic on your server NICs or some sorts of ARP poisoning that obviously can cause greater problems (and that require proper security measures to prevent it).


So, what am I missing?
Regards.


#7 Martin Fuerderer - Re: Informix Warehouse Accelerator Prerequisites - 08-22-2011, 07:11 AM

Hi,

there have already been several posts that contain correct
answers, but to be clear ... here is a condensed repeat:

- IWA uses the telnet protocol for some rather internal
communication for a few administrative commands.
For that purpose IWA must be explicitly configured to
listen at a specific port on a specific IP-address.
Recommended for that IP-address is the localhost (127.0.0.1).
With that nobody from the outside can connect to IWA
in this way.

- No telnet service is required on the machine where IWA
is running. That means no telnet daemon (telnetd) should
be running. (This normally is the big concern regarding
security.)

- As an easy way to issue those few administrative commands,
a telnet client program (e.g. telnet) can be used, as does the
ondwa script. With IWA configured for localhost only, this
can be done only locally on the machine. That is why there
is the requirement to have the telnet client program available
on the machine.

- There is no password required when issuing such
commands via the telnet protocol. Therefore, there
is no possibility to "sniff" any password of any user,
not even when being logged in locally as user root.
(The telnet protocol is only used as a means for
communication, but not for user authentication
in any way.)

Admittedly we may be able to enhance the documentation
somewhat, to avoid for potential users the effect of raised
bristles and ringing alarm bells when merely reading the
word "telnet".

TIA, Martin
--
Martin Fuerderer
IBM Informix Development Munich, Germany
Information Management

Read about the Informix Warehouse Accelerator:
http://tinyurl.com/the-iwa-blog

IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Martin Jetter
Board of Management: Dirk Wittkopp
Corporate Seat: Boeblingen, Germany
Reg.-Gericht: Amtsgericht Stuttgart, HRB 243294


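As an added example (not part of this thread and not IBM's IWA tooling), a POSIX shell audit for the two properties Martin describes on the IWA host: the administrative telnet-protocol port is bound to 127.0.0.1 only, and no telnet daemon listens on port 23. The port number and the `ss -ltn`-style listener table below are constructed; on a real host, take the address and port from your IWA configuration and feed the functions the output of `ss -ltn` or `netstat -ltn`.

```shell
#!/bin/sh
# Audit listening TCP sockets on an IWA host for the two conditions discussed
# in the thread: the IWA administrative (telnet-protocol) port is bound to the
# loopback address only, and no telnet daemon (telnetd) listens on port 23.
# Input is a listener table in the shape of `ss -ltn` or `netstat -ltn`
# output (local address is field 4 in both); the sample below is constructed.

# Exit 0 if every LISTEN socket on port $2 is bound to 127.0.0.1 / ::1,
# 1 if any is bound to a wildcard or routable address, 2 if nothing listens.
iwa_port_loopback_only() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "LISTEN" || $6 == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")      # the port is the text after the last ":"
      p = parts[n]
      if (p != port) next
      host = substr(addr, 1, length(addr) - length(p) - 1)
      found = 1
      if (host != "127.0.0.1" && host != "[::1]" && host != "::1") bad = 1
    }
    END { if (!found) exit 2; if (bad) exit 1; exit 0 }'
}

# Exit 0 when no socket listens on TCP port 23, 1 when a telnetd is present.
no_telnetd_listening() {
  printf '%s\n' "$1" | awk '
    ($1 == "LISTEN" || $6 == "LISTEN") && $4 ~ /:23$/ { found = 1 }
    END { exit found ? 1 : 0 }'
}

# Run both checks, print findings, return 0 only if the host passes both.
audit_host() {
  table=$1; port=$2; rc=0
  iwa_port_loopback_only "$table" "$port" && status=0 || status=$?
  case $status in
    0) echo "OK:   IWA port $port is bound to loopback only" ;;
    1) echo "FAIL: IWA port $port is reachable from the network; bind it to 127.0.0.1"; rc=1 ;;
    *) echo "WARN: nothing listens on IWA port $port (IWA down or wrong port configured)"; rc=1 ;;
  esac
  if no_telnetd_listening "$table"; then
    echo "OK:   no telnet daemon on port 23"
  else
    echo "FAIL: a telnet daemon listens on port 23; disable telnetd"; rc=1
  fi
  return $rc
}

# Constructed samples. IWA_PORT is a placeholder, not a documented IWA default:
# take the real value from your IWA configuration.
IWA_PORT=21022
GOOD_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:21022    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'
BAD_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:21022      0.0.0.0:*
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*'

echo "--- constructed good host"; audit_host "$GOOD_SAMPLE" "$IWA_PORT"
echo "--- constructed bad host";  audit_host "$BAD_SAMPLE" "$IWA_PORT" || true
```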

#8 Ian Michael Gumby - RE: Informix Warehouse Accelerator Prerequisites - 08-22-2011, 08:40 AM

And it would be easier to switch to SSH and avoid any issues period.
Note: I never worried about 'sniffing'; that was your own, Fernando.

My comments and recommendations still stand.

HTH

-G