Requirement for Encryption of Data in Transit

Below is ISC Information Security's technical interpretation of the requirement for Encryption of Data in Transit, per Computer Security Policy Statement of Policy 3.2 and Social Security Number Policy Statements of Policy 3.4.1 and 5.

6 months after policy approval

Protocol/Service                          Suggested Change
----------------------------------------  ----------------------------------------
HTTP [1]                                  HTTPS
Telnet (unencrypted)                      SSH or RFC 2946
r* commands (rsh, rcp, rlogin, etc.)      s* commands (ssh, scp, etc.)
FTP                                       scp, SFTP or FTPS
rsync                                     tunnel using SSH or stunnel
MS SQL Server                             configure to use SSL or IPsec [2]
POP                                       POP + SSL/TLS
IMAP                                      IMAP + SSL/TLS
SMTP from MUAs [3]                        SMTP + SSL/TLS
MAPI                                      MAPI + SSL/TLS
Zimbra Outlook Connector                  Zimbra Outlook Connector + SSL/TLS
Unencrypted file exchange                 Secure Share [4]

1 year after policy approval

Protocol/Service                          Suggested Change
----------------------------------------  ----------------------------------------
MySQL                                     upgrade to v5 & configure to use SSL/TLS [5]
tn3270                                    tn3270 + SSL/TLS
Backups [7]                               enable encryption

Only allowed within PennNet

1 year after such technology and service is recommended and supported at Penn

Protocol/Service                          Suggested Change
----------------------------------------  ----------------------------------------
SQL*Net                                   over encrypted channel (TBD)

Private Trusted Networks

Private trusted networks are exempted from requirements to encrypt high-volume services, if the performance penalty would be significant. For the purposes of this document, a "private trusted network" is a wired network:
  1. that is not routed on PennNet or the Internet;
  2. where all connected hosts are under the same administrative control; and
  3. where physical access to network jacks and hosts is limited to authorized administrators who comply with Statement of Policy 3.1.

Footnotes

1. including Web Services such as SOAP
2. http://msdn.microsoft.com/en-us/library/ms189067.aspx and http://msdn.microsoft.com/en-us/library/ms189067(SQL.90).aspx
3. see RFC 2476
4. http://www.upenn.edu/computing/security/secure-share/
5. http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html
6. http://support.apple.com/kb/TA22507?viewlocale=en_US
7. CommVault, EMC Legato NetWorker, Veritas NetBackup or Backup Exec, Arkeia, Asigra Televaulting, Retrospect, duplicity, built-in OS utilities, etc.