2000-04-20-15:14:08 Mark E. Drummond:
> I love ssh. Use it all the time.

Likewise.

> It also defeats the security of the firewall.

I disagree, completely.

> A "legit" user can pass _any_ traffic they want through ssh, even
> if that traffic is normally denied by the firewall.

Yes. If, of course, ssh is allowed through the firewall.

So ssh doesn't defeat the firewall; it simply limits the firewall's
ability to enforce certain kinds of policies. You can't let hostile
users have ssh permission through a firewall; outbound ssh is
trivial to escalate into a general inbound tunnel for anything. You
can't allow ssh if you intend to use your firewall as the only
mechanism to prevent your users from doing things that they want to
do.

Sometimes, though, you don't have hostile users on the inside.
And sometimes the only restrictions you try and place on the user's
activities are backed by a security policy, which the user has
signed, violation of which is grounds for terminating their access
(or worse).

Nearly _any_ protocol can be abused to circumvent controls on a
firewall; people have done it with smtp and with http, with dns,
with ICMP echo, etc. ssh is just easier to abuse and harder to
detect than some of the others.

These aren't problems unless you have hostile users on the inside.
If you do, then blocking ssh may be necessary, but not sufficient;
you'll also need to analyze detailed logs on all other sorts of
traffic to detect anomalous patterns associated with deliberate
abuse.

-Bennett

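One way to put the last paragraph's log-analysis suggestion into practice, as an added example that is not part of the original thread: a small Python filter over constructed firewall session records (the log format, field names and thresholds are all assumptions) that flags outbound ssh sessions matching two crude tunnel heuristics, a long-lived session that carries almost no data and a session moving bulk data.

```python
import re
from dataclasses import dataclass

# Constructed log format (an assumption, not any real firewall's): one key=value
# record per accepted outbound TCP session, written when the session closes.
SAMPLE_LOG = """\
ts=2000-04-20T09:02:11 src=10.1.2.3 dst=192.0.2.10 dport=22 duration=540 bytes_out=18200 bytes_in=96400
ts=2000-04-20T09:10:45 src=10.1.2.7 dst=198.51.100.5 dport=22 duration=64800 bytes_out=4100 bytes_in=3900
ts=2000-04-20T11:31:02 src=10.1.2.9 dst=203.0.113.8 dport=22 duration=7200 bytes_out=2600 bytes_in=512000000
ts=2000-04-20T12:00:13 src=10.1.2.3 dst=192.0.2.10 dport=443 duration=12 bytes_out=900 bytes_in=15000
"""

FIELD = re.compile(r"(\w+)=(\S+)")

@dataclass
class Session:
    ts: str
    src: str
    dst: str
    dport: int
    duration: int   # seconds the session stayed open
    bytes_out: int  # internal host -> external server
    bytes_in: int   # external server -> internal host

def parse_log(text):
    """Parse the constructed key=value records into Session objects."""
    sessions = []
    for line in text.splitlines():
        kv = dict(FIELD.findall(line))
        if not kv:
            continue
        sessions.append(Session(kv["ts"], kv["src"], kv["dst"], int(kv["dport"]),
                                int(kv["duration"]), int(kv["bytes_out"]), int(kv["bytes_in"])))
    return sessions

def flag_ssh_sessions(sessions, idle_after=4 * 3600, idle_bytes=64 * 1024, bulk_bytes=100 * 2**20):
    """Return (session, reason) pairs for outbound ssh sessions that either stayed
    open for hours while moving almost nothing (a listener kept alive, which is how a
    persistent inbound tunnel looks from the outside) or moved bulk data. Thresholds
    are illustrative assumptions; tune them to the site's normal interactive use."""
    flagged = []
    for s in sessions:
        if s.dport != 22:
            continue
        total = s.bytes_in + s.bytes_out
        if s.duration >= idle_after and total < idle_bytes:
            flagged.append((s, "long-lived near-idle ssh session"))
        elif s.bytes_in >= bulk_bytes or s.bytes_out >= bulk_bytes:
            flagged.append((s, "bulk transfer over ssh"))
    return flagged

if __name__ == "__main__":
    for s, reason in flag_ssh_sessions(parse_log(SAMPLE_LOG)):
        print(f"{s.ts} {s.src} -> {s.dst}:{s.dport} {reason}")
```

Both heuristics produce false positives on their own (a forgotten interactive login, a legitimate large scp), so in practice they are a triage filter to be read alongside the policy the user signed, not a verdict.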