Rupert Goodwins' Diary

Monday 16/06/2002

KPNQWest corporate anthem: Nearer My God To Thee

Last week's musings about the security aspects of AOL's client software have prompted reader Ben Last to report on the tribulations of having this hunk of code on your network. In short: don't. The software creates its own virtual private network (on port 5190, IP fans) with the AOL servers, and sends all the email, Web traffic and instant messenger stuff through that. This bypasses any and all proxies, filters, site blockers, inline virus scanners, Web traffic analysers and so on -- the entire armoury of network security. If you open port 5190 to AOL, you're in effect opening anyone running the AOL client to the full range of Net attacks.

That would be bad enough, were it not for AOL's Instant Messenger history of vulnerabilities to overflow attacks and the AOL client's somewhat interesting approach to session cookies.

"Let's not dig further," concludes Ben, "It's too depressing".

It is. If you're responsible for maintaining network security, you must ban AOL's client and make sure port 5190 is closed. I think it's as simple as that -- which is a pain, as I use the client at home and at work, but I can't see any way around it.

Now, if AOL had a less autocratic approach to providing services it might be a different matter. As it stands, we have a classic case of a product designed for stand-alone computing evolving into a monstrous mistake in a network environment.