Yesterday saw the release of segment seven of NewsForge's series on system administration. You can read part six here.
There are many ways to accidentally open security holes in your servers and network, but none are more preventable than the ones that you yourself inadvertently open. Examples of these include using Telnet instead of SSH, sending valuable system information in plain-text emails, and not using SSL encryption on sensitive Web-based applications. As a general rule, always assume that encryption is a good thing.
VII. Thou shalt use encryption for insecure services
Believe it or not, security-related information can often be found in plain text floating around your network. I invite you to plug into the gateway to your network and capture traffic. At your leisure, go through the traffic and follow what you can follow. If you haven't stressed the implementation of various encryption mechanisms within your servers and network, you're likely to be shocked at what you will find. If you're using Ethereal, look for a Telnet session and then select "Follow TCP stream." You'll see the entire Telnet session, login, password and all, naked to the world. The same goes for logins to internal Web pages that are not encrypted with SSL. If you add a wireless network into the equation without encryption, your troubles triple. Now malicious people don't even need to physically be plugged into your network to catch valuable information.
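The audit described above can be scripted. The following is an added example, not code from the NewsForge article: it reads a classic little-endian pcap with Ethernet framing and reports which hosts still log in over Telnet or unencrypted HTTP, without returning the credentials themselves. The function names, addresses and sample traffic are constructed for illustration.

```python
import socket
import struct

def tcp_payloads(pcap):
    """Yield (src, dst, dport, payload) per IPv4/TCP frame in a classic little-endian pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not Ethernet/IPv4/TCP
        tcp = 14 + (frame[14] & 0x0F) * 4      # IPv4 header length varies
        end = 14 + struct.unpack_from("!H", frame, 16)[0]   # drop Ethernet padding
        dport = struct.unpack_from("!H", frame, tcp + 2)[0]
        data = frame[tcp + (frame[tcp + 12] >> 4) * 4: end]
        yield socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), dport, data

def audit(pcap):
    """Report which flows expose logins in cleartext; credential values are never returned."""
    findings = set()
    for src, dst, dport, data in tcp_payloads(pcap):
        low = data.lower()
        if dport == 23 and data:
            findings.add((src, dst, "Telnet session in cleartext"))
        elif dport == 80 and b"authorization: basic" in low:
            findings.add((src, dst, "HTTP Basic credentials without SSL"))
        elif dport == 80 and low.startswith(b"post ") and b"password=" in low:
            findings.add((src, dst, "login form posted without SSL"))
    return sorted(findings)

def _frame(src, dst, dport, payload):   # constructed Ethernet/IPv4/TCP frame, zero checksums
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_pcap():
    """Constructed capture: one Telnet flow, one HTTP login, two harmless flows."""
    frames = [
        _frame("192.0.2.10", "192.0.2.1", 23, b"demo\r\n"),
        _frame("192.0.2.11", "192.0.2.2", 80,
               b"POST /login HTTP/1.0\r\n\r\nuser=demo&password=PLACEHOLDER"),
        _frame("192.0.2.11", "192.0.2.2", 80, b"GET / HTTP/1.0\r\n\r\n"),
        _frame("192.0.2.12", "192.0.2.3", 443, b"\x16\x03\x01"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Calling `audit(sample_pcap())` returns the Telnet flow and the unencrypted login post; each source and destination pair it lists is a service to move to SSH or SSL.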