1999-11-16-20:01:07 Saxo Saxo:
> We are thinking of tunneling Telnet and/or VNC through SSH across a
> firewall. One of the questions I have is as follows: once SSH is allowed
> through a firewall, how can you restrict what is being tunneled through
> it? Let's say I only want Telnet tunneled. I am advised that once you open
> up the tunnel, any protocol can flow through it and I would have no way of
> blocking that.
I've seen two settings where I like SSH or SSL tunnels through firewalls.
SSH and SSL are wildly different protocols, but they share the critical
feature here: you can't see what's pouring through the tunnel.
One case tends to show up only in small organizations; if you really trust the
people inside the firewall to not do anything to compromise security, you can
allow outbound-only tunneling. But as soon as you have enough people that you
want to assume they include saboteurs, and you want to strictly police them at
the firewall, then you have to forbid generally-available crypto tunnels.
That still leaves the other case, which is a wonderful building block in lots of
settings: restricted tunneling. Set up special-purpose tunnels, where users on
one side of a firewall can only tunnel to a particular destination. I've used
'em for providing outbound-only access to DMZ machines for rendezvous between
companies, for sandboxing apps with lethally bad security, and so on.
-Bennett
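The restricted tunnel Bennett describes, as an added example that is not part of the original thread: a modern OpenSSH sshd_config (an assumption, since the thread predates these directives) in which a group of users may forward only to the Telnet port of one DMZ host, with the unrestricted defaults shown for contrast. The group name and hostname are placeholders.

```text
# --- Unrestricted (OpenSSH defaults): any user who can log in may
#     forward to any host and port, and the firewall cannot tell. ---
# AllowTcpForwarding yes
# PermitOpen any

# --- Restricted tunnel: deny every kind of forwarding globally ... ---
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
AllowAgentForwarding no
GatewayPorts no

# ... then grant the one permitted destination to one group.
# "telnet-tunnel" and "dmz-telnet.example.com" are assumed names.
Match Group telnet-tunnel
    # client-side (-L) forwards only; remote (-R) forwards stay denied
    AllowTcpForwarding local
    # the sole destination sshd will connect to on the users' behalf
    PermitOpen dmz-telnet.example.com:23
    # no listeners on the server side either (OpenSSH 7.8 or later)
    PermitListen none
    # no shell: the session exists only to carry the tunnel,
    # so clients connect with "ssh -N"
    ForceCommand /bin/false
```

A per-key equivalent for a single account is the authorized_keys option string `restrict,port-forwarding,permitopen="dmz-telnet.example.com:23"` (OpenSSH 7.2 or later), which ties the same restriction to one key instead of a Match block.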