 CD Home < Web Techniques < 2001 < August  

Secure Your Network

By Joshua Drake

A few years back, I learned that using protocols such as Telnet and FTP was a bad choice. Although both protocols are widely used, many consumers don't truly understand their ramifications. The core problem with Telnet and FTP is that both protocols send all data in plaintext. If I were a cracker on your network, I could listen to (sniff) ports 23 and 21 and be almost guaranteed to see a user log on to a machine and send a username and password in plaintext. With that information, I could easily infiltrate your server.

The scary part about the above scenario is that I don't need to be on your machine to sniff the information. I only need to be on the network on which your machine runs.

F-Secure SSH Server/Client
F-Secure
Contact vendor for pricing.
Pros: Excellent graphical scp client. Versions for Windows NT and 2000.
Cons: Doesn't work well with OpenSSH. Relatively expensive.

A solution to this problem has existed since 1995, and it's called Secure Shell (SSH). This tool suite is designed to replace Telnet, FTP, RSH, and RCP, all of them legacy Unix/Linux protocols. All actions performed with SSH are completely encrypted, including the login sequence. Thus, when a user sends a password to the server, a sniffer sees only a stream of encrypted data. The new version, SSH2, fixes several security holes and is almost a complete rewrite.
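As an added example (not part of the original article), the following Python sketch audits a host's listening TCP sockets for the plaintext services named above and reports whether each is reachable from the network, where a sniffer could see its traffic. The sample input is constructed in the column layout of `ss -tln`, and the port-to-replacement mapping is an assumption of this example.

```python
# Added example: flag listeners for the plaintext protocols the article names.
import ipaddress

# Well-known TCP ports -> (service, SSH-suite replacement). Mapping is this
# example's assumption: ssh for logins, scp for file copies.
LEGACY = {21: ("ftp", "scp"), 23: ("telnet", "ssh"), 514: ("rsh/rcp", "ssh/scp")}

# Constructed sample in the layout of `ss -tln` (not taken from a real host).
SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*
LISTEN  0       32      127.0.0.1:21        0.0.0.0:*
LISTEN  0       5       [::]:514            [::]:*
LISTEN  0       128     *:8080              *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; handles '[::]:514' and '*:21'."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def is_loopback(addr):
    """True when the listener is bound only to a loopback address."""
    if addr == "*":
        return False
    # Drop an interface scope such as '%lo' before parsing the address.
    return ipaddress.ip_address(addr.split("%")[0]).is_loopback

def audit(ss_output):
    """Return sorted (port, service, exposure, replacement) findings."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip the header and non-listening sockets
        addr, port = split_endpoint(fields[3])
        if port not in LEGACY:
            continue
        service, replacement = LEGACY[port]
        # A loopback-only listener never puts credentials on the shared network.
        exposure = "loopback-only" if is_loopback(addr) else "network-reachable"
        findings.append((port, service, exposure, replacement))
    return sorted(findings)

if __name__ == "__main__":
    for port, service, exposure, replacement in audit(SAMPLE):
        print(f"port {port:<4} {service:<8} {exposure:<18} replace with {replacement}")
```
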

There are three popular SSH products on the market. The first is OpenSSH, an open-source implementation. The other two are SSH Communications Security's SSH and F-Secure SSH. OpenSSH ships with all major distributions of Linux, BSD Unix (FreeBSD, OpenBSD, NetBSD, and so on) and is available for most Unix platforms. The developers don't provide commercial support. SSH Communications Security's implementation is the granddaddy of them all. SSH Communications created the SSH protocol and the common suite of tools that the other SSH implementations use.

F-Secure is well known for its antivirus and data security products. I looked at its SSH Server/Client in this review. The F-Secure SSH products operate on a variety of platforms such as Unix, Linux, and Windows NT. Client and server versions are available for each platform. The SSH server installation was easy under Linux. It required only a single RPM (-i f-secure-SSH-2.4.0.i386.rpm) and we were up and running. The installation even generated the secure keys automatically. The only incomplete part of the installation was that the RPM doesn't automatically start the SSHd daemon. You must use the service sshd2 start command.

Interoperability

I normally run OpenSSH on my machines. To test interoperability, I used the OpenSSH client on my workstation to connect with the Red Hat 6.2 machine on which F-Secure SSHd daemon was installed. The connection worked flawlessly. Next, I tested the scp features. The OpenSSH client was able to connect with the F-Secure server and authenticate, but it was unable to copy the file across the network. I tried multiple files without success. There was no immediate way for me to tell whether the error was caused by F-Secure or OpenSSH. Oddly, I was able to use the F-Secure SSH client to scp a file from my workstation running OpenSSH.

My office uses a single Windows 2000 machine for testing purposes. The machine usually runs a free SSH client called ttsh. I wanted to determine whether the F-Secure Windows client was any better. Installation was simple, but required me to reboot Windows 2000 before using it. After rebooting, I launched the SSH client and proceeded to connect with my workstation. I was able to open a session with my workstation running OpenSSH without any problems.

I also tested the connection with the F-Secure server, and it worked flawlessly. The terminal emulation was clean and the client was very functional. Although the Windows 2000 version of the scp client wasn't as successful, it was still good. It connected to the F-Secure SSH server without problems, but it wouldn't connect to the OpenSSH server. In general, I prefer the Windows scp client because it reminds me of a standard FTP client. As a Linux user, I have spent my fair share of time at the command line and it was nice to have an encrypted graphical interface to remote files.

In conclusion, the F-Secure product seemed robust and easy to maintain. I was able to transfer large numbers of files without problems and perform all of my routine SSH-required tasks. The interoperability issues could be a major hindrance to the F-Secure product.

If a product is unable to work completely and reliably with the other available clients/servers, users will be less likely to use that product. Of course, the issue could be with OpenSSH, but OpenSSH is free and proliferates through the distributions of Linux and other free Unices.

One point in F-Secure's favor is its NT/2000 Server version of SSH. You can use the F-Secure NT server to remotely manage an NT/2000 machine. The remote management of an NT server can be difficult at times, however, and it costs $834 per license for the F-Secure NT/2000 version, so I'm more inclined to use PPTP and VNC to administer my NT/2000 servers. SSH Communications has a version of SSH for NT/2000 as well, but this costs $565 per license.

For now, I'll stick with OpenSSH for my SSH needs. It's open, it's free, and I can use it for every platform I manage. However, if you're a Microsoft user, the F-Secure product could be a good choice.


Joshua is cofounder of Command Prompt, Webmaster for the Linux Documentation Project, and a regular contributor to several magazines. You can reach him at jd@commandprompt.com.




Copyright © 2003 CMP Media LLC