-----BEGIN PGP SIGNED MESSAGE-----

You have to follow your site's security policy. I was able to successfully
argue my point and convince management to allow a "crystal box" approach
(to steal the old TIS term :-) where the systems will be configured so
that they are safe, even if the bad guy does manage to get full copies of
our config, passwords, etc.

What I have is not perfect, it cannot be used, for example, by the
database folks who are dealing with real customer data as they do
troubleshooting as the data would be able to be sniffed, but it does have a
huge advantage, in that as long as I have the ability to do the
one-time-password I can get in from any machine that has telnet, I am not
dependent on an outside box pre-loaded with the correct software/keys
being functional (one time where a laptop so configured got broken at a
time it was needed soured me on that idea).

David Lang
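The property David describes above (a sniffed password and a stolen server config are both useless to an attacker) is what a hash-chain one-time-password scheme gives you. This is an added illustration, not code from the thread; it assumes an S/Key-style Lamport chain, since the post does not say which OTP system was used, and the seed value is constructed for the demo.

```python
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    """One-way step of the chain (SHA-256 stands in for the MD4/MD5 of classic S/Key)."""
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list[bytes]:
    """Lamport chain: chain[i] = H^i(seed). The client keeps the seed (or a printed
    list of chain values); only chain[n], the anchor, is ever stored on the server."""
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class OtpServer:
    """Server side: holds only the last accepted value and how many logins remain.
    A copy of this state does not reveal any unused password, because H is one-way."""

    def __init__(self, anchor: bytes, n: int):
        self.last_value = anchor
        self.remaining = n

    def verify(self, presented: bytes) -> bool:
        """Accept `presented` only if hashing it once gives the stored value.
        On success the stored value moves one step down the chain, so the
        same password (e.g. one sniffed off a telnet session) can never be replayed."""
        if self.remaining == 0 or _h(presented) != self.last_value:
            return False
        self.last_value = presented
        self.remaining -= 1
        return True


def demo() -> tuple[bool, bool, bool]:
    """Fresh random chain of 5 logins; returns (first login, replay of it, next login)."""
    chain = make_chain(secrets.token_bytes(16), 5)  # constructed seed
    srv = OtpServer(chain[5], 5)
    first = srv.verify(chain[4])    # legitimate login
    replay = srv.verify(chain[4])   # attacker replays the sniffed value
    second = srv.verify(chain[3])   # legitimate next login
    return first, replay, second
```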

On Thu, 20 Apr 2000, Richard Noonan wrote:

> For me passing any administrative data in the clear is unacceptable
> and is prohibited by my employer.  Were I in your situation I would be
> allowing ssh in/out to a specified internal host accessed by 
> administrative staff only.
> 
> -Rich
> 
> On Thu, 20 Apr 2000, David Lang wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > 
> > for the commercial firewalls I use the provided tool, for the other
> > machines I use a one-time password to get through the firewall to them. It
> > isn't perfect (data can be sniffed), but I take the position that if I am
> > doing my job correctly it wouldn't matter if my root passwords were
> > posted, no one could get to where they could use them.
> > 
> > This is a decision I made based on my perception of the relative risks
> > between 
> > 
> > 1. someone goes to the effort of getting the passwords and then finds an
> > application bug that gets them on the machine where they can use them (in
> > which case they may be getting on as root anyway)
> > 
> > 2. inside people using SSH to tunnel stuff through that I have no control
> > over because "it's only for me and it's not really a risk anyway"
> > 
> > David Lang
> > 
> > 
> > 
> > On Thu, 20 Apr 2000, Mark E. Drummond wrote:
> > 
> > > Date: Thu, 20 Apr 2000 15:38:06 -0400
> > > From: Mark E. Drummond <[EMAIL PROTECTED]>
> > > To: David Lang <[EMAIL PROTECTED]>
> > > Cc: Firewalls <[EMAIL PROTECTED]>
> > > Subject: Re: ssh defeats the firewall
> > > 
> > > David Lang wrote:
> > > > 
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > 
> > > > This is exactly the reason why I do not allow SSH through the firewalls I
> > > > manage.
> > > 
> > > So do you do remote management of your UNIX boxen? If so, what do you
> > > use?
> > > 
> > > -- 
> > > Mark Drummond|ICQ#19153754|mailto:[EMAIL PROTECTED]
> > > UNIX System Administrator|Royal Military College of Canada
> > > The Kingston Linux Users Group|http://signals.rmc.ca/klug/
> > > Saving the World ... One CPU at a Time
> > > 
> > 
> > 
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> > 
> 

