On Tue, 7 Sep 1999, Vincent Power wrote:
> Use ssh (ssh2 homepage at http://www.ssh.fi), to replace telnet.
He said he was going to use SSH, that doesn't necessarily completely
protect the channel though- i.e. there could conceivably be a way to
exploit the channel from the telnetd on the internal machines to
compromise the client on the external "firewall" or to compromise the
"firewall" or internal server from the client with OOB data or the client's
command prompt. A second instance of ssh probably wouldn't minimize much
more than the OOB issue, and that can be ripped out of telnet/telnetd
pretty easily along with the command prompt.
I would assume that if security is that important to the project, nobody on the
internal machines will be able to sniff or bypass privilege levels - a
much more difficult problem which really would rather have a
special-purpose OS or something like RSBAC.
FWIW- ssh2 requires a rather healthy license fee for most non-personal usage,
ssh1.x is still actively maintained and has a much less encumbering license if
it's non-commercial use versus use in a commercial environment but not
commercially.
Personally, I'd probably also add token-based authentication to the mix,
otherwise a compromised host that SSH's in means game over.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
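Editor's worked example (not part of Paul's post, nor code from any telnet or ssh implementation): the "rip the OOB handling out of telnet" idea above amounts to letting only user data through a relay and dropping the telnet command channel. Telnet's SYNCH mechanism is a TCP urgent segment carrying the Data Mark command (IAC DM); option negotiation (IAC WILL/WONT/DO/DONT) and subnegotiation (IAC SB ... IAC SE) ride the same in-band escape. The filter below removes all of that, keeps escaped 0xFF data bytes, and survives an IAC sequence split across two reads. The sample chunks are constructed for illustration; the class and function names are my own.

```python
"""Strip the telnet command channel (all IAC sequences) from a byte stream.

Assumed design: a relay on the firewall host feeds each received chunk
through TelnetStripper.feed() and forwards only what comes back, so the
far end never sees negotiation, SYNCH/DM, BRK, AYT or subnegotiation.
Note that the TCP urgent pointer itself is a transport-level feature; a
relay should also avoid SO_OOBINLINE / MSG_OOB so urgent data is simply
read as ordinary bytes and then filtered here.
"""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEGOTIATE = {DO, DONT, WILL, WONT}


class TelnetStripper:
    """Small state machine; state persists across chunk boundaries."""

    def __init__(self):
        self.state = "data"   # data | iac | neg | sb | sb_iac
        self.dropped = 0      # number of IAC sequences removed (for logging)

    def feed(self, chunk: bytes) -> bytes:
        out = bytearray()
        for b in chunk:
            if self.state == "data":
                if b == IAC:
                    self.state = "iac"
                else:
                    out.append(b)
            elif self.state == "iac":
                if b == IAC:            # IAC IAC is an escaped 0xFF data byte
                    out.append(IAC)
                    self.state = "data"
                elif b in NEGOTIATE:    # IAC WILL/WONT/DO/DONT <option>: one more byte
                    self.state = "neg"
                elif b == SB:           # subnegotiation runs until IAC SE
                    self.state = "sb"
                else:                   # two-byte command: DM, BRK, IP, AO, AYT, NOP, ...
                    self.dropped += 1
                    self.state = "data"
            elif self.state == "neg":   # swallow the option byte
                self.dropped += 1
                self.state = "data"
            elif self.state == "sb":
                if b == IAC:
                    self.state = "sb_iac"
            elif self.state == "sb_iac":
                if b == SE:             # end of subnegotiation
                    self.dropped += 1
                    self.state = "data"
                else:                   # IAC IAC inside SB, or malformed: stay inside
                    self.state = "sb"
        return bytes(out)


# Constructed sample: a login banner with ECHO negotiation, an IAC split
# across reads, a Data Mark (the SYNCH marker), a TERMINAL-TYPE
# subnegotiation, and an escaped 0xFF in user data.
SAMPLE_CHUNKS = [
    b"\xff\xfb\x01login: ",                        # IAC WILL ECHO, then prompt
    b"al\xff",                                     # IAC arrives at end of a read
    b"\xf2ice\r\n",                                # ...DM completes it; then data
    b"\xff\xfa\x18\x00vt100\xff\xf0ok\xff\xff!",  # IAC SB TERMINAL-TYPE ... IAC SE, IAC IAC
]


def strip_stream(chunks):
    """Run all chunks through one stripper; return (clean_data, dropped_count)."""
    stripper = TelnetStripper()
    data = b"".join(stripper.feed(c) for c in chunks)
    return data, stripper.dropped


if __name__ == "__main__":
    clean, n = strip_stream(SAMPLE_CHUNKS)
    print(n, "IAC sequences dropped; forwarded:", clean)
```

Caveat a practitioner would want: with negotiation stripped both sides fall back to NVT defaults, so things like remote ECHO and SUPPRESS-GO-AHEAD never get agreed; that is the intended trade for a hardened relay, but it is why this is a filter for a controlled path between known hosts rather than a general-purpose telnet proxy.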