-----BEGIN PGP SIGNED MESSAGE-----
To answer the many comments about the ability to tunnel over other ports.
Yes, it is possible to set up SSH on port 80, but if you are running an
outbound HTTP proxy that is smart enough to only pass valid HTTP requests
this is no longer possible.
It is possible to tunnel through valid HTTP, mail, or anything that you
allow, but by not allowing SSH I raise the difficulty of doing this, avoid
providing the tools necessary to do this, probably add to the
inconvenience of doing this (telnet does not tunnel well through HTTP;
you can tunnel commands and their results, but it is not real-time
interactive) and as a result hopefully raise the bar high enough that
nobody bothers to go to that much work.
Even with a good proxy, allowing https provides a way to tunnel through
the firewall (if you tell the proxy what to do it will happily do it), but
again it is raising the bar a bit.
David Lang
On Thu, 20 Apr 2000, Mark E. Drummond wrote:
> Date: Thu, 20 Apr 2000 16:03:44 -0400
> From: Mark E. Drummond <[EMAIL PROTECTED]>
> To: David Lang <[EMAIL PROTECTED]>
> Cc: Firewalls <[EMAIL PROTECTED]>
> Subject: Re: ssh defeats the firewall
>
> David Lang wrote:
> >
> > 1. someone goes to the effort of getting the passwords and then finds an
> > application bug that gets them on the machine where they can use them (in
> > which case they may be getting on as root anyway)
> >
> > 2. inside people using SSH to tunnel stuff through that I have no control
> > over because "it's only for me and it's not really a risk anyway"
>
> Interesting. I was considering simply limiting ssh traffic to and from
> defined administrative workstations on either side. But of course that
> denies my end-users the same protection.
>
> What if a user was to bring up an ssh daemon on a port that was allowed
> through your firewall?
>
> --
> Mark Drummond|ICQ#19153754|mailto:[EMAIL PROTECTED]
> UNIX System Administrator|Royal Military College of Canada
> The Kingston Linux Users Group|http://signals.rmc.ca/klug/
> Saving the World ... One CPU at a Time
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
iQEVAwUBOP9bOT7msCGEppcbAQHHiAf/eGzYnj5m1eqGgseVL9jagdzIYGZKDfyi
JBB/6UOJnb/jb2w821/nRskRGfa0QRIexDI+sCsx2Fh6lwk6VJTy1VO03ZHQQto7
I+41vRllgnK5qamDyji5s9KQrKRO/DdgYcjrsSSGOj/41sy5avqKAF0123zrxahu
aIkMVqeaWhp6H6MI5B+q5XK++1X+Cw0LcSkus1ee8j6KFeFnEUvW0F4OPX2XjaN9
6QPQxbOxPFHA9jRMhoDMUd+yROgMczoDRrh3CBYXwULeouqL+RMQUrjpqIZ/pWkT
WfdWa5yfYHKE+lRDmC27D8XYZtTSLVYiSOqUZ6WcV/2RRbmgc+t1XQ==
=5dzW
-----END PGP SIGNATURE-----
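The two points David makes above (a proxy that insists on a well-formed HTTP request line stops sshd-on-port-80 cold, while a proxy that honours CONNECT for https will carry anything once it has said 200) can be shown in a few lines. The following is an added illustration written for this archive page, not code from the original message or from any proxy product. The function names, the request-line check (RFC 7230 grammar), and the sample first-lines are all constructed for the example; the sample bytes are not captured traffic.

```python
import re

# Request line per RFC 7230 section 3.1.1: method SP request-target SP HTTP-version CRLF.
# A method is a restricted token; the target may not contain whitespace.
# (Regex constructed for this example, not taken from any proxy implementation.)
_REQUEST_LINE = re.compile(
    rb"^(?P<method>[!#$%&'*+\-.^_`|~0-9A-Za-z]+) "
    rb"(?P<target>[^ \r\n]+) "
    rb"HTTP/1\.[01]\r\n"
)

# Every SSH client opens with its version banner ("SSH-2.0-..." or "SSH-1.99-..."),
# whatever port the server happens to listen on.
SSH_BANNER_PREFIX = b"SSH-"


def classify_initial_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends on an outbound connection.

    Returns "ssh", "connect", "http" or "unknown". Only the first line is examined,
    because that is all an HTTP proxy sees before it has to decide.
    """
    if data.startswith(SSH_BANNER_PREFIX):
        return "ssh"
    m = _REQUEST_LINE.match(data)
    if not m:
        return "unknown"
    if m.group("method") == b"CONNECT":
        return "connect"
    return "http"


def proxy_decision(data: bytes, allow_connect: bool) -> str:
    """Decide whether a validating outbound proxy forwards the connection.

    A raw SSH handshake is not a valid request line, so it is rejected regardless
    of port. CONNECT is the escape hatch: after the proxy answers 2xx, the bytes
    that follow are opaque to it, so enabling CONNECT (needed for https) re-opens
    the tunnelling path the message warns about.
    """
    kind = classify_initial_bytes(data)
    if kind == "http":
        return "forward"
    if kind == "connect":
        return "forward" if allow_connect else "reject"
    return "reject"


def build_connect_request(host: str, port: int) -> bytes:
    """The request a tunnelling client sends to an HTTP proxy (RFC 7231 section 4.3.6)."""
    authority = f"{host}:{port}"
    return (
        f"CONNECT {authority} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        f"\r\n"
    ).encode("ascii")


def connect_established(response_head: bytes) -> bool:
    """True if the proxy's status line is 2xx, i.e. the tunnel is open.

    From this point the client speaks its real protocol (SSH, for instance)
    through the proxy exactly as if it were connected directly.
    """
    status_line = response_head.split(b"\r\n", 1)[0]
    m = re.match(rb"^HTTP/1\.[01] (?P<code>\d{3}) ", status_line)
    return bool(m) and m.group("code").startswith(b"2")


# Constructed sample first-lines for the demonstration (not captured traffic).
SAMPLE_HTTP_GET = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_2.5.2p2\r\n"  # sshd bound to port 80 still says this
SAMPLE_CONNECT = build_connect_request("www.example.com", 443)
SAMPLE_PROXY_OK = b"HTTP/1.0 200 Connection established\r\n\r\n"
SAMPLE_PROXY_DENIED = b"HTTP/1.1 403 Forbidden\r\n\r\n"


if __name__ == "__main__":
    for label, sample in (("GET", SAMPLE_HTTP_GET),
                          ("SSH banner on port 80", SAMPLE_SSH_BANNER),
                          ("CONNECT :443", SAMPLE_CONNECT)):
        print(f"{label:22s} -> {classify_initial_bytes(sample):8s} "
              f"no-CONNECT: {proxy_decision(sample, False):8s} "
              f"CONNECT allowed: {proxy_decision(sample, True)}")
    print("tunnel established:", connect_established(SAMPLE_PROXY_OK))
```

The design point is that the proxy's check is necessarily a first-line check: it can tell an SSH banner from a request line, but it cannot look inside a CONNECT tunnel it has already granted, so the only levers left are which destinations and ports CONNECT is allowed to reach (the "telling the proxy what to do" in the message).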
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]