bill’s blog

Just another WordPress weblog

Browsing Posts published in March, 2009

A bastion host is a computer on the internal network that is intentionally exposed to attack (vconlinecourses.com, 2009). The host may be internal to your network but it is also forward facing. It is intentionally placed in harm’s way, exposed so that the hosts that actually provide the service can remain protected. The Bastion host provides a layer of protection that other devices such as a firewall or an intrusion detection system do not… It is the focus of attack. A firewall should provide rules that keep the attacker at bay while the IDS will warn of and in some cases thwart attacks. BUT the Bastion host WILL be attacked. It’s only a matter of time.

Just because the Bastion host is expected to be attacked doesn’t mean that it should be put out there unprotected. The host still needs to be hardened! There are many things one can do to protect the Bastion host.

DMZ

Putting all of your Bastion hosts into a protected network is your first line of defense. Because of the increased likelihood of these hosts being compromised, they are placed into their own sub-network in order to protect the rest of the network if an intruder were to succeed (wikipedia.org, 2009). At no time should a Bastion host have direct access to your protected resources! Internal (or protected) computers should only have access out to the Bastion host. As part of a properly configured DMZ, routers/firewalls must be configured with ACLs (Access Control Lists) so that only the traffic you (as the administrator) deem acceptable is allowed through. Destination and source addresses need to be evaluated and rules need to be set in place to allow or deny access. Additionally, service ports need to be looked at as well. It may be acceptable for a source address to access port 80 (http) but not port 22 (ssh).
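The DMZ rules described above, as an added example (not code from the post): a first-match ACL evaluator with an implicit deny at the end, the way a router or firewall processes its list. The address plan is constructed (10.0.0.0/24 for the protected network, the RFC 5737 documentation ranges 192.0.2.0/24 for the DMZ and 203.0.113.0/24 for the outside), and the bastion offers only HTTP to the world while SSH is reserved for administrators on the inside.

```python
"""First-match ACL evaluator for a DMZ (added example, not from the post).

Models the rules in the text: protected hosts may reach the bastion, the
bastion may never initiate connections into the protected network, and
outsiders may reach the bastion only on the service ports the administrator
allows (port 80 yes, port 22 no). All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption, not from the post).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # protected hosts
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")       # bastion hosts
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "any" or self.proto == proto)
                and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


# Ordered like a router ACL: first matching rule wins, implicit deny at the end.
ACL = [
    # Bastion hosts must never initiate into the protected network.
    Rule("deny", "any", DMZ_NET, INTERNAL_NET, None),
    # Protected hosts may reach the bastion hosts (SSH for administration).
    Rule("permit", "tcp", INTERNAL_NET, DMZ_NET, 22),
    # Anyone may reach the bastion's public web service ...
    Rule("permit", "tcp", ANY, DMZ_NET, 80),
    # ... but nobody else may touch the management service.
    Rule("deny", "tcp", ANY, DMZ_NET, 22),
    # Nothing else from anywhere gets into the protected network.
    Rule("deny", "any", ANY, INTERNAL_NET, None),
]


def evaluate(acl, proto, src, dst, dport):
    """Return (action, rule_index); index -1 means the implicit deny fired."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(acl):
        if rule.matches(proto, s, d, dport):
            return rule.action, i
    return "deny", -1


def audit(acl, flows):
    """Evaluate a list of (proto, src, dst, dport) flows; returns flow -> verdict."""
    return {flow: evaluate(acl, *flow)[0] for flow in flows}


if __name__ == "__main__":
    sample_flows = [                                  # constructed traffic
        ("tcp", "203.0.113.5", "192.0.2.10", 80),    # outsider -> bastion web
        ("tcp", "203.0.113.5", "192.0.2.10", 22),    # outsider -> bastion ssh
        ("tcp", "10.0.0.7", "192.0.2.10", 22),       # admin -> bastion ssh
        ("tcp", "192.0.2.10", "10.0.0.7", 445),      # bastion -> internal host
        ("udp", "203.0.113.5", "10.0.0.7", 53),      # outsider -> internal host
    ]
    for flow, verdict in audit(ACL, sample_flows).items():
        print(f"{verdict:6s} {flow}")
```

Rule order matters: the deny for bastion-to-internal traffic sits first so that no later permit can accidentally override it, and anything the list does not mention falls through to the implicit deny.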

OS & Patches & ACLs

One thing to keep in mind when running a Bastion host is that the box itself needs to be hardened. The OS needs to be kept up to date. Many vendors progressively secure their OS through security updates. This may or may not be the right move. Vendors often roll multiple fixes into their updates… Sometimes it’s best to compile your own binary to install, thus addressing only the one service affected by the vulnerability. Services that are not being used by the host should be disabled (or better yet) not installed… certain OS’s provide for this (Linux), others don’t (Apple). If the host has a host-based firewall… turn it on and configure it… block services that must run but could compromise the safety of the host. Secure the box through the use of ACLs (both user based as well as service based). It is usually up to the system administrator to determine through testing what ACLs they need to modify to lock down the network application as thoroughly as possible without disabling the very features that make it a useful tool (sans.org, 2009).

Base-lining

Tools like Tripwire and Nessus both play a part in base-lining your system. Tripwire is an excellent tool for determining the state of a file system. In broad strokes, it does this through the use of MD5 checksums. In theory, no two different files (or disk images) will have the same exact checksum. Any change will result in a different checksum being produced. File integrity monitoring helps IT ensure the files associated with devices and applications across the IT infrastructure are secure, controlled, and compliant by helping IT identify improper changes made to these files, whether made maliciously or inadvertently (tripwire.com, 2009). So if an administrator runs md5sum against a file system and then goes back a week later, if the checksums don’t match either he’s not on top of change control OR the system has been compromised! Nessus is a penetration-testing tool. In the case of Nessus, it looks at a database of known vulnerabilities and compares them with the versions of software running on your host. When it finds a version of software running on your host that is known to be vulnerable, it will alert you to that fact. Should you find a software defect on your system it is imperative that you address the vulnerability through OS updates or patching and re-baseline.
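The baseline-then-compare workflow described above, as an added example that is not the post’s code and not Tripwire’s: snapshot a directory tree into a map of path to digest, store it, and later report what was modified, added or removed. SHA-256 is used in place of the MD5 the post mentions (the algorithm is a parameter), the tree contents are constructed, and the baseline is kept outside the tree it describes so it does not show up in its own diff.

```python
"""Minimal file-integrity baseline in the spirit of Tripwire (added example).

snapshot() walks a tree and hashes every regular file; compare() diffs two
snapshots. demo() builds a constructed tree, baselines it, tampers with it
and returns the differences.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def digest_file(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, algorithm="sha256"):
    """Return {relative_posix_path: hexdigest} for every regular file under root."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue   # symlinks and specials are out of scope for this demo
            result[full.relative_to(root).as_posix()] = digest_file(full, algorithm)
    return result


def compare(baseline, current):
    """Diff two snapshots; sorted lists keep the report stable."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
    }


def save_baseline(snap, path):
    # A real deployment keeps this file off-host or on read-only media:
    # an intruder who can rewrite the baseline can hide changes.
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo(workdir=None):
    """Constructed tree -> baseline -> simulated tampering -> diff report."""
    workdir = Path(workdir or tempfile.mkdtemp())
    tree, store = workdir / "tree", workdir / "baseline.json"
    (tree / "bin").mkdir(parents=True, exist_ok=True)
    (tree / "etc").mkdir(exist_ok=True)
    (tree / "bin" / "login").write_bytes(b"original binary")
    (tree / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    save_baseline(snapshot(tree), store)
    # Simulated changes: a replaced binary, a new file, a deleted file.
    (tree / "bin" / "login").write_bytes(b"replaced binary")
    (tree / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (tree / "etc" / "passwd").unlink()
    return compare(load_baseline(store), snapshot(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the report names bin/login as modified, etc/hosts as added and etc/passwd as removed; on a real host the same two calls, a week apart, are the md5sum comparison the post describes, with the change-control question left to the administrator.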

Log Files

Syslog servers and log analyzers play an important role. Network monitoring solutions fit into this category as well! Logs are a vital part of understanding how your system is running. During the course of a few days or weeks massive amounts of information can be collected. Log files can tell you who tried to log in and when (or perhaps more importantly who failed to log in). They can tell you which files were accessed and by whom! They can tell you when a binary is having problems, either through misconfiguration or perhaps a bug (Heese, 2009). A wonderful tool for analyzing your data/log files is Splunk. It’s fast and allows you the ability to drill down through your log files in a very intuitive manner. Splunk can be configured to send alerts when certain criteria have been met. Sure you could do all this through shell scripts BUT you’d only be looking at the log files on one host! Because Splunk has the ability to act as a warehouse for all your system logs it can be set to look at multiple events across various systems, and when combined they can give you a true picture of your network/hosts.

Summary

You don’t become strong if you don’t learn! Systems that are exposed to the world need to be monitored. If you don’t, compromises will happen and you may not even know about it. A compromised host is not a matter of ‘if’ but rather ‘when’. Learning how your host was compromised can lead to better methods of securing it. Why leave it unprotected? Monitoring systems are essential to the well-being of your systems. Why not take advantage of these automated systems? Spend the time to tune them. The more effort you put into it, the better the result will be, and the fewer false positives your IDS will flag! Knowing when an event is happening puts you back in control!

Resources:

Dillard, K., (2009), Intrusion Detection FAQ: What is a bastion host? Retrieved on March 16th 2009 from http://www.sans.org/resources/idfaq/bastion.php

Heese, B., (2009, March 11), Log Management, Retrieved on March 17th 2009 from http://weblog.randomdog.net/?m=20090312

Unknown, (2009), Bastion Hosts, Retrieved on March 17th 2009 from http://www.vconlinecourses.com/ec/dcs/DocView.learn?CourseID=3272624&47=5440807&dt=3%2F17%2F2009+9%3A06%3A50+PM&DocID=18645971&DocCollab_PK=19010583&Name=%22Bastion+Hosts.pdf%22

Unknown, (2009), File Integrity Monitoring with Tripwire, Retrieved on March 17th 2009 from http://www.tripwire.com/solutions/security/file-integrity-monitoring.cfm

Various, (2009, March 11), DMZ (computing), Retrieved on March 17th 2009 from http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

SLAs


Or Service Level Agreements are meant as a way to set the rules of the game. The game being, you (the customer) are buying a service from someone that has knowledge to help when you need it the most. Needless to say the more money you put up… the better the service you will be provided with. Wikipedia describes it like this:

The (expert) service provider can demonstrate their value by organizing themselves with ingenuity, capability and knowledge to deliver the service required, perhaps in an innovative way (Wikipedia.org, 2009)

WOW… sounds like a tall order! And it can be. But then again you’re paying for it so why not.

BUT… What if the provider hides behind their SLAs? Say for instance… you have a two-hour call back window? Can you ever expect to get a call before the SLA times out? Does that mean every time you call in, the provider waits the two hours before calling back? What if the problem is ongoing? Does it mean that every time you respond to one of their questions you have to wait another two hours? Where do good customer relations come into play? What do you think?

Various, (2009, March 13), Service level agreement, Retrieved on March, 16, 2009 from http://en.wikipedia.org/wiki/Service_level_agreement

One of the most important tools that any systems administrator has at their disposal is their system’s log files. Unfortunately these files are often overlooked, forgotten or worse yet ignored. However, they contain valuable information! Log files can tell you who tried to log in and when (or perhaps more importantly who failed to log in). They can tell you which files were accessed and by whom! They can tell you when a binary is having problems (either through misconfiguration or perhaps a bug). The point is the information is there. Having the time to go through these files is something that is in short supply. One could always grep the files where they think the problem may have been captured, but this is still a very manual process.

Most hosts are configured to log their files to a centralized directory or one configured by the service that is generating the logs. While this is great for checking on the overall health of a single system it can’t provide you with the global picture. This is where log management tools come into play. Simple syslog servers collect the logs and manage them centrally and may offer some basic reports. Collecting syslogs in a centralized location also adds some security in so far as the log files are stored off of the host generating them. This prevents an intruder who compromises the host from altering its local copy of the log files to hide their presence.

So… What tools are out there?

Syslogd is available on most *NIX systems. Making it available to other clients is a pretty straightforward process. But these daemons really don’t allow for the analysis of the data you collected. This is where Splunk comes into play. Splunk’s software is a specialized data-mining and search tool that digests log files and organizes information so administrators can see how a particular event affects different programs (cnet.com, 2005).

SO what can Splunk do?

Splunk’s claim to fame is that it indexes all your data and you can use those indexes to search across all your data. It normalizes your data… Different time formats are no longer an issue. Searching through data files is as easy as typing an error code into the search field. This will return all results from all hosts that you are monitoring.

Sure you can do a lot of what Splunk does by simply grepping log files but once the results are published you can click on any of the indexed data and drill down narrowing your search with each click! Splunk allows you to generate reports from your data sets… such as showing the search results of ‘root’ and ‘auth’ over time. Simple… yes I know! Splunk can also send out alerts that can be scheduled. These alerts can trigger shell scripts, generate RSS feeds or email messages. It is a feature rich tool and the website has a lot of useful demos and white papers. For more information see http://www.splunk.com/
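The two things the post credits a log warehouse with, normalizing different timestamp formats and correlating one kind of event across several hosts to raise an alert (the failed-login example from the earlier Log Files section and the Splunk alerts above), as an added example that is not the post’s code and not Splunk. The sshd-style lines are constructed, two hosts log in two timestamp styles, and one source address fails against both hosts; classic syslog lines carry no year, so the year is an assumed parameter, and all hosts are assumed to log in the same timezone.

```python
"""Cross-host failed-login correlation over constructed syslog lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: two hosts, two timestamp styles, one noisy source plus benign lines.
SAMPLE_LOGS = """\
Mar 12 10:15:02 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 12 10:15:05 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51023 ssh2
2009-03-12T10:15:07-05:00 db1 sshd[910]: Failed password for admin from 203.0.113.9 port 40001 ssh2
2009-03-12T10:15:09-05:00 db1 sshd[910]: Failed password for invalid user oracle from 203.0.113.9 port 40002 ssh2
Mar 12 10:16:30 web1 sshd[2210]: Accepted publickey for bill from 10.0.0.7 port 50100 ssh2
Mar 12 10:20:00 web1 sshd[2215]: Failed password for bill from 10.0.0.7 port 50101 ssh2
2009-03-12T10:21:00-05:00 db1 cron[300]: (root) CMD (run-parts /etc/cron.hourly)
"""

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
ISO_TS = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)?) (?P<rest>.*)$")
BODY = re.compile(r"^(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_line(line, default_year=2009):
    """Normalize either timestamp style into a naive datetime; None if unparsable."""
    m = SYSLOG_TS.match(line)
    if m:
        ts = datetime.strptime(f"{default_year} {m['ts']}", "%Y %b %d %H:%M:%S")
    else:
        m = ISO_TS.match(line)
        if not m:
            return None
        # Assumption: all hosts log in the same zone, so the offset is dropped.
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).replace(tzinfo=None)
    b = BODY.match(m["rest"])
    if not b:
        return None
    return {"ts": ts, "host": b["host"], "prog": b["prog"], "msg": b["msg"]}


def failed_logins(lines, default_year=2009):
    """Yield (ts, host, user, src) for every sshd failed-password event."""
    for line in lines:
        ev = parse_line(line, default_year)
        if not ev or ev["prog"] != "sshd":
            continue
        f = FAILED.search(ev["msg"])
        if f:
            yield ev["ts"], ev["host"], f["user"], f["src"]


def correlate(lines, threshold=3, window=timedelta(minutes=5), default_year=2009):
    """One alert per source address with >= threshold failures, across all
    hosts, inside a sliding time window."""
    by_src = defaultdict(list)
    for ts, host, user, src in failed_logins(lines, default_year):
        by_src[src].append((ts, host, user))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                alerts.append({
                    "src": src,
                    "count": len(burst),
                    "hosts": sorted({e[1] for e in burst}),
                    "users": sorted({e[2] for e in burst}),
                    "first": burst[0][0].isoformat(),
                    "last": burst[-1][0].isoformat(),
                })
                break   # first qualifying window is enough for this demo
    return alerts


def run_demo():
    return correlate(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Grepping either host alone shows two failures from 203.0.113.9, below any sensible threshold; only after both hosts’ lines are parsed into one time base does the four-failure burst appear, which is the point the post makes about looking at more than one host.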

To log or not to log?

Sometimes it’s not a question of whether you should set up a syslog server… sometimes it is mandated. Regulations such as SOX, PCI DSS, HIPAA and many others are requiring organizations to implement comprehensive security measures, which often include collecting and analyzing logs from many different sources (wikipedia.org, 2009).

Got Ya!

Some things to be aware of… the log files are sent in cleartext. This may be considered a security vulnerability. Newer versions of syslogd are incorporating SSL support to overcome this shortcoming! Data can be sent via TCP but more likely UDP, so if you’re using host-based firewalls it’s important that you open the right ports.
Syslogs are only one part of a network monitoring solution, but when combined with other tools they can quickly give System Administrators the information they need to correct the problems they come across!

Resources:

Various, (4 February 2009), Syslog, Retrieved on March 7, 2009 from http://en.wikipedia.org/wiki/Syslog
Shankland, S., (2005, August 8), Splunk delves into log-search automation, Retrieved on March 7, 2009 from http://news.cnet.com/Splunk-delves-into-log-search-automation/2100-1012_3-5824127.html

Setting up a VPN (or Virtual Private Networking) does not have to be difficult. In fact using Apple’s OSX, it can be downright easy. VPNs should never be taken lightly. It is the door to your protected network. If they’re not set up correctly it could leave you and your network assets at risk. There are two main types of VPNs that one can implement on OSX server, PPTP and L2TP. There are pluses and minuses to each, and what you’re looking to support will determine which implementation you will use. It’s interesting to note that neither of the two mentioned VPN protocols provides encryption. They are considered tunneling protocols and thus need to rely on other methods to provide the encryption.

PPTP – Is the older of the two most popular tunneling protocols. It relies on either MSCHAP-v2 or EAP-TLS for authentication. Additionally, Apple has built in support for both Kerberos authentication and RADIUS. PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt the data that passes through the tunnel. Originally MPPE was only offered with support for a 40-bit key. It was later expanded to a 128-bit key!

L2TP – Is the newcomer; its latest version (RFC 3931) was published in 2005. L2TPv3 makes use of IPSec for securing the connection. This is performed through the use of pre-shared secrets, symmetric keys or digital certificates. As with any secure connection the hardest part of maintaining the SA is the management of the keys used. However, once the first connection is made and security confirmed, the passing of pre-shared secrets, keys or digital certificates becomes trivial.

NOTE: It should be noted that PPTP and L2TP are not the only players in the VPN game. There are two other methods as well, PPP Over SSL and PPP Over SSH.

Configuring your server

Open Server Admin and select the host you wish to administer. Select VPN and click save.

[Image: vpn_1.jpg] Figure 1. Services Activation Pane

Turn down the triangle to reveal the VPN configuration pane.

Configuring L2TP Settings

It is at this point that you can decide which tunneling protocol you’re going to support. Setting up the server is pretty simple. Select the check box to enable L2TP. You need to allocate an IP range (remember this is still a point to point connection). Under PPP Authentication select if you want to use the built-in Directory Service plug-ins for user ID and password lookups (you can also choose between MS-CHAPv2 or Kerberos) or point the VPN service to look at a RADIUS server for authentication lookups. Lastly, you need to specify whether you want to use a pre-shared secret or a digital certificate for IPSec Authentication.

[Image: vpn_2.jpg] Figure 2. L2TP Configuration Pane

Configuring PPTP Settings

If you need to support older VPN clients PPTP may be a better choice for you. Many experts still contend that PPTP is vulnerable to compromise, but as with anything else, strong passwords make for strong security. Depending on the client that you need to support you may need to allow 40-bit encryption keys. This should be avoided if at all possible as 40-bit keys are easily cracked.

[Image: vpn_3.jpg] Figure 3. PPTP Configuration Pane

Configuring Client Information Settings

Lastly, you need to “tell” your clients about the network they have just connected to. This could be done on the client side, and may be desirable in some situations. In a lot of ways this is very similar to setting up a DHCP server.

NOTE: If you are running DHCP on the same subnet, make sure that the allocated IP address ranges do not conflict!

[Image: vpn_4.jpg] Figure 4. Client Information Settings

NOTE: If no information is added to Network Routing Definitions all traffic is routed through the VPN connection. This may not always be desirable. If bandwidth is a concern, define a network that is private and force all non-private traffic over the client’s Internet connection.

Ports on your Firewall

One thing you must make sure to perform before your VPN will work is to open the required ports on your firewall. Both protocols make use of different ports and it can be confusing which ports are actually needed. Not just on the host (if you’re running IPFW on the host) but on the network perimeter. So what ports are used?

Port      Protocol    Service
500       UDP         ISAKMP/IKE
1701      UDP         L2TP
1723      TCP         PPTP
4500      UDP         IKE NAT Traversal *

* NOTE: Port 4500 is also used for Back to My Mac (MobileMe, Mac OS X 10.5 or later)

In Mac OSX Server 10.3 the VPN service uses the following:

1.    PPTP uses the IP-GRE protocol (IP protocol 47).
2.    L2TP/IPsec uses the IP-ESP protocol (IP protocol 50, ESP).

Resources:
http://manuals.info.apple.com/en_US/Network_Services_Admin_v10.5.pdf
http://support.apple.com/kb/TS1629

It seems that no matter where you go on the web you’re asked to register!

“Please enter last name, email address, your favorite pet, the name of your first born…”

The Internet provides an extremely easy way for companies to collect massive amounts of personal data. Not only are web sites asking for more and more personal information, but it seems that every credit card company that calls is asking for personal information that has yet to be previously disclosed.

“How do they know my mother’s birthday?”

The problem is how companies are safeguarding this information. Unfortunately, TJX and the VA have been poster children for the careless disclosure of very sensitive data. This leads to some very interesting questions… Is the collection of fairly benign data any less important than Social Security numbers or credit card account numbers? One thing to keep in mind is that there is a fine line between gathering information that can identify you in the future and invading your privacy.

So what can you expect?

In May of 2000, the Federal Trade Commission presented to Congress a report, Privacy Online: Fair Information Practices In The Electronic Marketplace. This is the third report the commission presented to Congress and within this document the FTC reiterates four key legislative suggestions (ftc.gov, 2000):

  1. Notice - Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect i
  2. Choice - Web sites would be required to offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided
  3. Access - Web sites would be required to offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information.
  4. Security - Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers.

The Federal Trade Commission recognized the need to protect consumers, as consumer confidence in the self-regulation of the sites was lacking and government regulation was needed. The legislative recommendations set forth in this document were to build on/supplement the 1998 Children’s Online Privacy Protection Act (or COPPA).

Where are we today?

So let’s take a look at Apple’s Online Privacy Policy.

Notice – Apple provides a link at the bottom of the home page of the web site. The link is located next to the site’s copyright and terms of use. So to that end it’s conspicuous (the end user doesn’t have to search around for the site’s privacy policy). The second heading of the policy clearly states what information they collect and how they may use it. Apple delineates why they ask customers to use an Apple ID and what information may be collected in association with the ID. One important thing that Apple points out is that any information posted to its forums is public information. Be careful what you post!

Choice – Apple does disclose how the information it collects on you is shared. They claim they do not share (bought or rented) collected information with outside marketers. It does share your information with strategic partners… for example it will share information with AT&T regarding the iPhone you purchased. Interestingly, it does say that they will disclose your information if they determine that for national security, law enforcement, or other issues of public importance, disclosure is necessary (apple.com, 2007). One thing to note… The policy doesn’t go into any detail on opting out of sharing your personal information.

Access - Apple does disclose how you can view and change the personal information that you have provided. They have a web page dedicated to changing your information. It should be noted that you will need an Apple ID to change the information Apple has collected. It is interesting to note that you originally provided this information to Apple. Information that is stored and can be changed includes: passwords, security questions, your home and shipping addresses as well as phone numbers. This may not be all the information that Apple has collected on you. Apple does keep track of credit card numbers… This information cannot be gotten to on this page! Additionally, you can opt in or out of various Apple mailings.

Security - Apple does disclose how it goes about protecting your data. Apple states that it safeguards your personal information against loss, theft, and misuse, as well as unauthorized access, disclosure, alteration, and destruction (apple.com, 2007). Apple does adhere to COPPA. Apple’s Online Store and iTunes Music Store uses SSL to protect your personal information while in transit over the Internet.

Other Interesting Information!

Apple does go into some length on various other bits of technology that it uses to track you. They use cookies. This should come as no surprise as most highly developed websites make use of this technology. They do disclose some of the information they track through the use of cookies. They do have a webpage that details how you can disable the use of cookies. They do make mention of information that the web server collects by default in its log files. Apple does state that this information does not identify individual users. While this is true… Apple could use IP address information to gather information on the household that their website was accessed from. Apple does make use of “click-through URLs” and Pixel Tagging. Apple can target individuals with the use of this technology. They can determine who came to the website based on information they have embedded within the URL.

Summing Things Up!

One thing to keep in mind… Much of the information that companies gather from you online is provided by you. (Though there are technologies that can disclose private information without you knowing.) Be careful of the information you provide. Understand why a company is asking for the information they are looking for. I hate having to provide my birth date… Surely companies can find better ways for me to prove who I am… OpenID anyone!

Resources:

Federal Trade Commission, (2000), Privacy Online: Fair Information Practices In The Electronic Marketplace, Retrieved on March 7, 2009 from http://www.ftc.gov/reports/privacy2000/privacy2000.pdf

Apple Corporation, (2007, June 29), Apple Customer Privacy Policy, Retrieved on March 7, 2009 from http://www.apple.com/legal/privacy/

There is a plethora of password cracking tools out on the Internet. New ones come… and old ones become obsolete and fade away!
The theory goes that it is computationally infeasible to discover the input (password) of an MD5 hash (or any strong hash) from the hash itself. So what password crackers do is hash a bunch of words (millions) in various different ways (like substituting the number 4 for an upper case A or the @ for a lower case a) until they come up with a hash that matches what they are looking for. To make this process faster, lookup tables are put together in such a fashion that hashes are matched to passwords. All the computer then needs to do is compare the input hash with the hashes in the lookup table. This is much faster than having the computer compute the hash and then compare it.

One technique that produces stronger hashes is the use of salt. MD5 will always produce the same hash if nothing else acts on the generation of the hash. (How’s that for a tongue twister?) SO for example, given the password of ‘ussfreedom0305’, the MD5 hash will yield ‘a8ff0961f5d6cee3da0c06db83a9eec5’. It doesn’t matter which generator you use, the results will be the same. However, if one were to introduce random bits of data (salt) into the generation of the hash it will always result in a unique hash. This now makes it computationally infeasible to grab a password from a salted hash! Two users will have two different salts, and thus given the same string of characters (password) their hashes will be different. Now, in order for a password cracker to work… they’d need to compute the salt in addition to the password string.
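The salt argument above, carried through as an added example that is not the post’s code: an unsalted digest is found instantly in a precomputed table, while two users with the same password get two different salted digests, neither of which the table knows. MD5 is kept to stay with the post’s discussion; the three-word wordlist, the user records and the salt length are constructed, and the post’s own MD5 value for ‘ussfreedom0305’ is not assumed.

```python
"""Per-user salt versus a precomputed hash table (added example, not from the post)."""
import hashlib
import hmac
import secrets


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_password(password: str, salt: bytes) -> str:
    """Salted hash: the salt is mixed into the input, so the same password
    yields a different digest for every salt value."""
    return md5_hex(salt + password.encode())


def create_record(password: str, salt_len: int = 16) -> dict:
    """Store the salt beside the hash; the salt need not be secret, only unique."""
    salt = secrets.token_bytes(salt_len)
    return {"salt": salt.hex(), "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    expected = hash_password(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, record["hash"])


def build_lookup_table(wordlist) -> dict:
    """Precomputed unsalted table as the post describes: digest -> word."""
    return {md5_hex(w.encode()): w for w in wordlist}


def table_lookup(table: dict, digest: str):
    return table.get(digest)


def demo() -> dict:
    wordlist = ["password", "letmein", "ussfreedom0305"]   # constructed
    table = build_lookup_table(wordlist)
    # Unsalted storage: the stored digest is in the table, the word is recovered at once.
    recovered = table_lookup(table, md5_hex(b"ussfreedom0305"))
    # Salted storage for two users with the same password.
    alice = create_record("ussfreedom0305")
    bob = create_record("ussfreedom0305")
    return {
        "unsalted_recovered": recovered,
        "salted_differ": alice["hash"] != bob["hash"],
        "salted_in_table": table_lookup(table, alice["hash"]) is not None,
        "alice_verifies": verify(alice, "ussfreedom0305"),
        "alice_rejects_wrong": verify(alice, "letmein"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salt defeats the precomputed table because the table would have to be rebuilt per salt value; it does not slow down guessing against one record, which is why current practice pairs the salt with a deliberately slow function such as bcrypt or PBKDF2 rather than a single MD5.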

John the Ripper

Is a true password-cracking tool! The nice thing about this tool is that it can crack MD5 passwords. In addition to MD5, John the Ripper works with DES-based crypt passwords, Blowfish-based passwords, NTLM hashes and SHA-1 hashes! John the Ripper is a dictionary-based cracker. One can use many different dictionaries, including pre-built wordlists, to expedite the crack! For those not looking to spend the extra money for larger dictionaries, a large multilingual wordlist optimized specifically for use with John the Ripper (4,106,923 entries, 43 MB uncompressed) is included in the package (openwall.com, 2009).

John the Ripper can be found at http://www.openwall.com/john/

Cain and Abel

Insecure.org maintains a list of the top 10 password crackers. The list is old but some of the tools are really good. Top on their list is Cain and Abel… and boy do I wish they had this program for the Mac. It’s not only a password cracker it’s an all purpose ‘pen-testing’ application.  Some of Cain and Abel’s functionality includes a network sniffer, a password cracker (both for passwords captured out on the network and from a file), and a WEP key cracker. It can perform ARP cache poisoning. It has a RSA SecurID Token Calculator. It goes way beyond mere password cracking!

Cain and Abel can be found at http://www.oxid.it/cain.html.

THC-Hydra

THC-Hydra is a brute-force network login password cracker. In other words, it tries many different passwords until it comes across one that works. Brute-force attacks can be performed offline or online. Offline attacks can occur when the attacker has obtained a known good hash. This is in many ways similar to a dictionary attack. The only difference is that it’s not using dictionary words but rather mathematical combinations to get the password. In online attacks, for which THC-Hydra is an excellent tool, the attacker tries to authenticate against the host itself.
Currently, THC-Hydra supports the brute forcing of the following protocols:

TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTP-HEAD, HTTP-PROXY, LDAP2, LADP3, SMB, SMBNT, MS-SQL, MYSQL, POSTGRES, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, SMTP-AUTH, SSH2, SNMP, CVS, Cisco AAA (darknet.org.uk, 2007)

There are many more risks/problems associated with this type of attack. First, failed attempts are logged (very often with the IP address from which the attack was performed). Next, any good password policy would lock an account after a certain number of failed attempts. Lastly, if strong password policies are not in effect, hopefully the server will increase the amount of time before another attempt at logging in is allowed.
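The three server-side defences just listed, as an added example that is not the post’s code and has nothing to do with THC-Hydra itself: every failure is written to an audit line with the source address, the wait between permitted attempts doubles after each failure, and the account locks once the failure count reaches a limit. A fake clock makes the timing reproducible; the user name, source address and thresholds are constructed.

```python
"""Failed-login throttling and lockout for an online service (added example)."""
import time
from dataclasses import dataclass, field


class FakeClock:
    """Injectable clock so the delays can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class LoginGuard:
    max_failures: int = 5            # lock the account at this many failures
    base_delay: float = 1.0          # seconds; doubles after each failure
    max_delay: float = 60.0
    lockout_seconds: float = 900.0
    clock: callable = time.monotonic
    failures: dict = field(default_factory=dict)   # user -> (count, last_ts, locked_until)
    audit_log: list = field(default_factory=list)

    def _state(self, user):
        return self.failures.get(user, (0, 0.0, 0.0))

    def check(self, user, src_ip):
        """Decide, before the credential is even examined, whether an attempt may proceed."""
        count, last, locked_until = self._state(user)
        now = self.clock()
        if locked_until > now:
            self.audit_log.append(f"{now:.0f} DENY user={user} src={src_ip} reason=locked")
            return False, "locked"
        if count:
            delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
            if now - last < delay:
                self.audit_log.append(f"{now:.0f} DENY user={user} src={src_ip} reason=too_fast")
                return False, "too_fast"
        return True, "ok"

    def record_failure(self, user, src_ip):
        """Called after a wrong password: log it, grow the delay, maybe lock."""
        count, _, locked_until = self._state(user)
        now = self.clock()
        count += 1
        if count >= self.max_failures:
            locked_until = now + self.lockout_seconds
            self.audit_log.append(f"{now:.0f} LOCK user={user} src={src_ip} failures={count}")
        self.audit_log.append(f"{now:.0f} FAIL user={user} src={src_ip} failures={count}")
        self.failures[user] = (count, now, locked_until)

    def record_success(self, user):
        self.failures.pop(user, None)


def simulate(attempts, step, **guard_kwargs):
    """Constructed scenario: one source keeps sending wrong passwords `step` seconds apart."""
    clock = FakeClock()
    guard = LoginGuard(clock=clock, **guard_kwargs)
    outcomes = []
    for _ in range(attempts):
        allowed, reason = guard.check("bill", "203.0.113.9")
        if allowed:
            guard.record_failure("bill", "203.0.113.9")   # the guess is always wrong here
            outcomes.append("fail")
        else:
            outcomes.append(reason)
        clock.advance(step)
    return outcomes, guard.audit_log


if __name__ == "__main__":
    outcomes, log = simulate(attempts=11, step=2.0)
    print(outcomes)
    print("\n".join(log))
```

With attempts two seconds apart the guard lets the first three through, then starts refusing as the doubling delay outgrows the attacker’s pace, and locks the account on the fifth real failure; the audit lines carry the source address the post says a defender should expect to find in the logs.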

THC-Hydra can be found at http://freeworld.thc.org/thc-hydra/

Wrap Up

The thing that needs to be understood about all these tools is that they are branded as security testing tools (to test how secure a system may be) or as demonstration tools (to show how easily weak passwords are cracked). Either way, they can be turned from their well-intentioned purpose into devices of the malcontent. If you are going to use them in your environment make sure that you get written documentation from your superiors before working with them.

Resources:

Unknown, (2009), John the Ripper Pro password cracker for Mac OS X, Retrieved on March 6, 2009 from http://www.openwall.com/john/pro/macosx/

Darknet, (2007, February 14), THC-Hydra – The Fast and Flexible Network Login Hacking Tool, Retrieved on March 6, 2009 from http://www.darknet.org.uk/2007/02/thc-hydra-the-fast-and-flexible-network-login-hacking-tool/

First of all we should all know by now that FTP is not the most secure protocol there is. UserIDs and passwords are passed on the wire as plain text. So my approach to finding ftp was to use Google and as a search string I entered inurl:ftp. This yielded 23,400,000 hits.


ftp://ftp.porcupine.org/pub/security/index.html

This site belongs to Wietse Venema. For those of you who are not aware, Wietse Venema is the author of Postfix… one of the most popular MTAs (or Mail Transfer Agents). Additionally he is the author of a number of security related applications; SATAN and The Coroner’s Toolkit are just two of them. Interestingly enough his web presence is run via the ftp protocol. So technically it isn’t a web site. The site is used to distribute all of the above-mentioned applications including a few others not mentioned. All of which he has worked on! These are applications that we as UNIX administrators should be aware of, if not use on a regular basis.

Next stop back to Google… The search string inurl:ftp. inurl:mil yielded about 9,250 hits… much less BUT a bit more interesting. This time instead of using a browser to access the site I chose to use an FTP client. My choice… CyberDuck!

ftp://ftp.nga.mil

This site seems to be dedicated to the transfer of GPS and flight plan documentation. I was able to find data on air traffic routes in China:

ftp://ftp.nga.mil/Aero-esfd/TO_ST_LOUIS/HAWAII/ChinaAIP Sup 08_004 (Atch)/315.jpg

OR how about Swedish Armed Forces Jeppesen approach charts?

ftp://ftp.nga.mil/Aero-esfd/TO_ST_LOUIS/GERMANY/SWEDEN MIL CL2 SUP 6029-6032 OF 2009.pdf

It seems someone in this organization is using a Nortel Ethernet Routing Switch 8600 using Software Release 4.0.3.2. This could be of interest to someone profiling this site.

ftp://ftp.nga.mil/pub2/unltest/p80rn4032.pdf

BUT of interest to me was I could upload to /pub2/giat_files/incoming. Now I must say that the directory was set up as a drop box so it could not be exploited as a warez site. As for the rest of the directories on this site, permissions were set so that one could download or enter more interesting directories.

FTP can be a valuable tool. But care must be taken to secure the site as much as possible.  We use FTP to transfer files to different parts of the organization. While some of the sites are external to the company many are not! They are located behind our corporate firewalls. They are protected with firewall rules on the host itself… only certain sites have access to the manufacturing drawings, as not all individuals within the company need access to them. Where the sites are external other protocols are used sftp for one.

People need to be able to transfer data from one part of the organization to another. The mail system is NOT designed to handle the load of constant file transfers. Not only that, but individuals that do transfer files via email inevitably use their inboxes as a filing cabinet for these emails.

“Oh, I need to keep this file for future reference!”

This creates problems for the email and helpdesk technicians. They have to warehouse these files and, depending on governmental regulations, this could create a storage nightmare, as the files need to be kept for extended periods of time. Rebuilding users’ inboxes is the bane of any administrator’s day!

“Why can’t they archive off these emails?”

The collection, storage, and distribution of data files is not going to go away anytime soon. With today’s push for greener IT, I fear the storage demands will only grow. One must find a method to centrally organize these assets to avoid duplication of resources. A side benefit of central storage is the ability to better control the accessibility of these files. While I’m not sure whether or not those documents at ftp://ftp.nga.mil were for public distribution, it’s probably safe to say that some of the materials up on that site could be used for other than their intended purpose. If you’re going to put your assets out online you had better protect both the host and the files they contain!