Policy for Authenticating University of Chicago Users
Technologies for Securing Remote Access to Systems
There are many different ways to secure remote access to a system. The list below covers some of the options available.
Some of these mechanisms encrypt all of the data crossing the network; others protect only the authentication exchange and leave the contents of the session (mail, files, keystrokes) readable by anyone who can sniff the path between client and server. If your data is sensitive or directly related to University business, you should seriously consider encrypting all of the data and not just the authentication.
Unless you are using an application which requires a lot of bandwidth, most computers can easily encrypt all data transferred over the network without major performance problems. If you are using a high-bandwidth application, you might consider purchasing a crypto accelerator card for your server so that it can encrypt all of its traffic.
- Mail
- Web Pages
- Unix Logins
- File Transfer
- Remote Administration of Microsoft Windows
- Remote X-Windows
- Miscellaneous Technologies
Mail
- Kerberized IMAP
Many IMAP servers, including the University of Washington's IMAP server, support Kerberos V for authentication. Kerberized IMAP protects the user's Kerberos password by never sending it over the network. Kerberized IMAP does not encrypt the session, so the mail itself still crosses the network in the clear.
- IMAP-SSL
The University of Washington's IMAP server, as well as others, supports SSL. SSL has the advantage that the mail transferred between the server and client is also encrypted. Please note, however, that the mail is generally not encrypted when it is sent between servers, only when it is being read. The user's password is sent over the network encrypted.
- Kerberized POP
Qualcomm's Qpopper supports Kerberos authentication.
- POP-SSL
Many POP servers support SSL, which provides strong encryption of both the password and the data transferred between the client and server.
Web Pages
- SSL (https)
SSL is the Internet standard mechanism for encrypting access to web pages. Many web servers support it, including Microsoft IIS, Apache with the mod_ssl module, and iPlanet. The University will sign certificates for servers on its network with a CA that is itself signed by CREN.
You may also get a certificate signed by a commercial trust company such as Thawte or VeriSign.
Unix Logins
- The Secure Shell (ssh)
The Secure Shell is a program designed as a replacement for rsh and rlogin with strong encryption. Depending on the version and configuration, it can use either Kerberos or standard system passwords for authentication. It has the added advantage that under Unix systems it can set up a secure X Windows tunnel to encrypt X traffic.
The two most popular ssh servers are the commercial one from SSH Communications Security (SSH Inc.) and OpenSSH.
- Kerberized Telnet/Rlogin
MIT's Kerberos includes a Kerberized telnet daemon and a Kerberized rlogin daemon. Both use Kerberos for authentication and have the option of encrypting all data sent over the connection. Make sure that option is actually turned on; without it only the login is protected and the session itself travels in the clear.
File Transfer
- Sftp
Most modern versions of the Secure Shell (see above) include sftp, an ftp-like program for transferring files which encrypts both the user's password and the files being transferred.
- Kerberized FTP
MIT's Kerberos includes a version of ftp that uses Kerberos for authentication and can optionally encrypt the data transferred.
Remote Administration of Microsoft Windows
- Microsoft NetMeeting
Microsoft's NetMeeting can be used for remote administration of computers and provides for encrypted sessions. You must explicitly configure it to encrypt the data using 128-bit encryption; it does not do so on its own.
- Remotely Anywhere
Remotely Anywhere is a program which allows remote access to a Windows desktop through a web browser. It uses SSL for encryption.
- PC Anywhere with SSL
- Cygwin OpenSSH
Cygwin provides a collection of Unix command-line utilities for Windows. One of these is a copy of OpenSSH, which can be run as a service to provide encrypted command-line logins to a Windows computer.
- VNC over an SSH Tunnel
VNC does not encrypt its sessions on its own, so it should not be exposed directly to the network. It is possible to combine it with SSH to create a secure tunnel and run all VNC traffic through that tunnel.
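The tunnel described above, as an added example that is not part of the original page: VNC display :N listens on TCP 5900+N, so the local end of an SSH port forward is bound to 127.0.0.1 and the viewer is pointed at it. The host name, user name and display number are placeholders. The `check` subcommand is for a Unix or Cygwin VNC host and confirms from a netstat-style listing that the VNC port is bound to loopback only; the Windows VNC servers expose an equivalent "loopback only" setting. The listing lines used by `demo` are constructed, not real output.

```shell
#!/bin/sh
# Added example, not from the original page: reach a VNC desktop only through
# an SSH tunnel. Host, user and display number are assumptions (placeholders).

VNC_HOST="${VNC_HOST:-vnc-host.example.edu}"   # assumed: the box running VNC and an SSH server
SSH_USER="${SSH_USER:-alice}"                  # assumed account on that box
DISPLAY_NO="${DISPLAY_NO:-1}"                  # VNC display :1 -> TCP 5901

# TCP port for a VNC display number (RFB convention: 5900 + display).
vnc_port() {
    echo $((5900 + $1))
}

# ssh -L specification whose local end is bound to 127.0.0.1 only. Binding
# the local end to all interfaces would let other hosts ride your tunnel.
forward_spec() {
    p=$(vnc_port "$1")
    echo "127.0.0.1:$p:127.0.0.1:$p"
}

# The tunnel only helps if the VNC server is not also reachable in the clear.
# Given `netstat -tln` or `ss -ltn` output on stdin (local address is column 4
# in both), succeed only if every listener on the VNC port is on loopback.
vnc_listens_loopback_only() {
    awk -v port="$1" '
        $4 ~ (":" port "$") {
            seen++
            if ($4 !~ /^(127\.0\.0\.1|\[::1\]|::1):/) exposed++
        }
        END { exit (seen > 0 && exposed == 0) ? 0 : 1 }'
}

case "${1:-}" in
    connect)
        # -N: no remote command, only the forward. Background it, then point
        # the viewer at the local end; display :N of 127.0.0.1 is the tunnel.
        ssh -N -L "$(forward_spec "$DISPLAY_NO")" "$SSH_USER@$VNC_HOST" &
        SSH_PID=$!
        sleep 2
        vncviewer "127.0.0.1:$DISPLAY_NO"
        kill "$SSH_PID"
        ;;
    check)
        # Run on the VNC host itself: fail loudly if the desktop is exposed.
        if netstat -tln 2>/dev/null | vnc_listens_loopback_only "$(vnc_port "$DISPLAY_NO")"; then
            echo "VNC display :$DISPLAY_NO is loopback-only; the tunnel is the only way in"
        else
            echo "VNC display :$DISPLAY_NO is reachable without the tunnel (or not running)" >&2
            exit 1
        fi
        ;;
    demo)
        # Constructed netstat-style lines (not real output) to exercise the check.
        printf 'tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN\n' \
            | vnc_listens_loopback_only 5901 && echo "loopback-only listing: OK"
        printf 'tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN\n' \
            | vnc_listens_loopback_only 5901 || echo "exposed listing: flagged"
        ;;
esac
```

Run `sh vnc-tunnel.sh connect` on your workstation and `sh vnc-tunnel.sh check` on the VNC host before relying on the tunnel; a VNC server bound to 0.0.0.0 is still open to the network no matter how the viewer connects.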
Remote X-Windows
- Secure Shell
The Secure Shell under Unix will, when X11 forwarding is enabled, create a secure tunnel over which X Windows traffic travels; all forwarded X traffic is encrypted. Check that forwarding is actually turned on at both ends (X11Forwarding in the server's sshd_config, and -X or ForwardX11 on the client), and remember that a forwarded X connection lets programs on the remote host talk to your local display.
Miscellaneous Technologies
- Stunnel and sslwrap
Stunnel and sslwrap are Unix programs designed to put an SSL wrapper around a service which would otherwise be unencrypted. In general they are configured in inetd.conf in much the same way as TCP Wrappers: inetd accepts the connection and hands it to the wrapper, which handles the SSL and then runs the real daemon. The plaintext port must still be closed or restricted to the local host, or clients can simply bypass the wrapper.
- IPSec and VPNs
IPSec is a protocol designed to do strong encryption at the IP layer. Using IPSec, all traffic between two or more computers can be encrypted. This is particularly useful for legacy software which has no internal support for good encryption of any kind.
IPSec, however, is fairly complex to configure and set up. There are IPSec implementations for many operating systems, including Windows 2000 and most Unix-based operating systems.
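The stunnel wrapping described under "Stunnel and sslwrap" above, as an added example that is not part of the original page: a script that writes stunnel 4 configuration for wrapping a plaintext POP3 daemon, first in the inetd style the page describes (one stunnel per connection, real daemon run on a pipe) and then in daemon mode, where stunnel owns the SSL port and forwards to the plaintext daemon on loopback. The daemon (UW ipop3d), the certificate path and the stunnel binary path are assumptions; the output directory defaults to a local example directory so the script can be run without root, and the real installation passes /etc/stunnel as the argument.

```shell
#!/bin/sh
# Added example, not from the original page: generate stunnel 4 configuration
# that wraps a plaintext POP3 daemon in SSL. Daemon, certificate and binary
# paths are assumptions; adjust to your system. Usage: sh stunnel-pop3s.sh [confdir]
set -e
CONF_DIR="${1:-./stunnel-example}"                  # pass /etc/stunnel for a real install
CERT_FILE="${CERT_FILE:-/etc/stunnel/stunnel.pem}"  # server cert + private key, PEM, mode 0600
mkdir -p "$CONF_DIR"

# A self-signed certificate for testing (a CREN- or commercially-signed one
# for production) is typically made with:
#   openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

# inetd mode: inetd accepts the connection and hands the socket to stunnel,
# which speaks SSL to the client and exec's the real daemon on a pipe, so the
# plaintext never touches the network. In this mode the file has no [service]
# section and no "accept" line.
cat > "$CONF_DIR/pop3s.conf" <<EOF
; stunnel inetd-mode configuration: POP3 over SSL (TCP 995, "pop3s" in /etc/services)
cert = $CERT_FILE
exec = /usr/sbin/ipop3d
execargs = ipop3d
EOF

# The matching inetd.conf line, in the same slot TCP Wrappers would occupy.
cat > "$CONF_DIR/inetd.conf.fragment" <<EOF
# append to /etc/inetd.conf, then HUP inetd
pop3s stream tcp nowait root /usr/sbin/stunnel stunnel $CONF_DIR/pop3s.conf
EOF

# Daemon mode: stunnel listens on the SSL ports itself and forwards to the
# plaintext daemons on loopback. The plaintext ports (110, 143) must then be
# bound to 127.0.0.1 or firewalled, or clients can simply skip the wrapper.
cat > "$CONF_DIR/stunnel.conf" <<EOF
; stunnel daemon-mode configuration
cert = $CERT_FILE
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel.pid

[pop3s]
accept = 995
connect = 127.0.0.1:110

[imaps]
accept = 993
connect = 127.0.0.1:143
EOF

echo "wrote $CONF_DIR/pop3s.conf, $CONF_DIR/inetd.conf.fragment and $CONF_DIR/stunnel.conf"
```

Pick one mode per service: either the inetd line or a `[pop3s]` section in the daemon configuration, not both, or the two will fight over port 995. Whichever mode you use, confirm afterwards that nothing is still listening on the plaintext port from outside the host.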
Last updated: 6/27/08