-----BEGIN PGP SIGNED MESSAGE-----

I guess it could keep the connection open and keep sending GET/POST
requests for each character you are trying to send. The ones I had seen put
more in each transaction, so the result tended to be choppy.

David Lang

On Thu, 20 Apr 2000, aaron wrote:

> Date: Thu, 20 Apr 2000 13:43:34 -0700 (PDT)
> From: aaron <[EMAIL PROTECTED]>
> To: Firewalls <[EMAIL PROTECTED]>
> Subject: Re: ssh defeats the firewall
> 
> I beg to differ about your experience with http_tunnel.  I've used it
> before and it is as close to realtime as most people need.  I used both
> telnet and ssh with it without lag or problems.  The only extremely
> obvious part about http_tunnel is how long it leaves connections open.
> 
> - Aaron Schultz
> - [EMAIL PROTECTED]
> ------
>   /"\  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
>   \ /   ASCII Ribbon Campaign
>    X   - NO HTML/RTF in e-mail
>   / \  - NO Word docs in e-mail
> 
> 
> On Thu, 20 Apr 2000, David Lang wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > 
> > To answer the many comments about the ability to tunnel over other ports.
> > 
> > Yes, it is possible to set up SSH on port 80, but if you are running an
> > outbound HTTP proxy that is smart enough to only pass valid HTTP requests
> > this is no longer possible.
> > 
> > It is possible to tunnel through valid HTTP, mail, or anything that you
> > allow, but by not allowing SSH I raise the difficulty of doing this, avoid
> > providing the tools necessary to do this, probably add to the
> > inconvenience of doing this (telnet does not tunnel well through HTTP,
> > you can tunnel commands and their results, but it is not real-time
> > interactive) and as a result hopefully raise the bar high enough that
> > nobody bothers to go to that much work.
> > 
> > Even with a good proxy, allowing HTTPS provides a way to tunnel through
> > the firewall (if you tell the proxy what to do it will happily do it) but
> > again it is raising the bar a bit.
> > 
> > David Lang
> > 
> > 
> > 
> > On Thu, 20 Apr 2000, Mark E. Drummond wrote:
> > 
> > > Date: Thu, 20 Apr 2000 16:03:44 -0400
> > > From: Mark E. Drummond <[EMAIL PROTECTED]>
> > > To: David Lang <[EMAIL PROTECTED]>
> > > Cc: Firewalls <[EMAIL PROTECTED]>
> > > Subject: Re: ssh defeats the firewall
> > > 
> > > David Lang wrote:
> > > > 
> > > > 1. someone goes to the effort of getting the passwords and then finds an
> > > > application bug that gets them on the machine where they can use them (in
> > > > which case they may be getting on as root anyway)
> > > > 
> > > > 2. inside people using SSH to tunnel stuff through that I have no control
> > > > over because "it's only for me and it's not really a risk anyway"
> > > 
> > > Interesting. I was considering simply limiting ssh traffic to and from
> > > defined administrative workstations on either side. But of course that
> > > denies my end-users the same protection.
> > > 
> > > What if a user was to bring up an ssh daemon on a port that was allowed
> > > through your firewall?
> > > 
> > > -- 
> > > Mark Drummond|ICQ#19153754|mailto:[EMAIL PROTECTED]
> > > UNIX System Administrator|Royal Military College of Canada
> > > The Kingston Linux Users Group|http://signals.rmc.ca/klug/
> > > Saving the World ... One CPU at a Time
> > > 
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5.2
> > 
> > -----END PGP SIGNATURE-----
> > 
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> > 
> 
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

-----END PGP SIGNATURE-----
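
The proxy-side checks discussed in this thread, as an added example that is not part of the original messages and not code from any poster or from http_tunnel: it flags streams that do not begin with an HTTP request line (such as an SSH banner on port 80), CONNECT tunnels, long-lived connections, and runs of keystroke-sized POSTs. The thresholds, record fields and sample sessions are assumptions constructed for illustration.

```python
import re

# Request line of an HTTP/1.x request; anything else on the HTTP port is not HTTP.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) (\S+) HTTP/1\.[01]\r\n")

# Assumed thresholds, to be tuned against local traffic.
MAX_CONN_SECONDS = 600   # connections held open longer than this are reported
TINY_BODY_BYTES = 16     # mean POST body at or below this size is keystroke-sized
MIN_TINY_POSTS = 50      # how many such POSTs before reporting

def classify_first_bytes(data: bytes) -> str:
    """Return 'ssh', 'http', 'connect' or 'other' for the first client bytes."""
    if data.startswith(b"SSH-"):  # SSH identification string, e.g. SSH-2.0-...
        return "ssh"
    m = REQUEST_LINE.match(data)
    if not m:
        return "other"
    return "connect" if m.group(1) == b"CONNECT" else "http"

def review_session(s: dict) -> list:
    """Return the reasons a proxy session deserves a closer look (empty if none)."""
    reasons = []
    kind = classify_first_bytes(s["first_bytes"])
    if kind in ("ssh", "other"):
        reasons.append("not-http:" + kind)
    elif kind == "connect":
        # The proxy cannot inspect what flows inside a CONNECT tunnel.
        reasons.append("opaque-connect-tunnel")
    if s["duration_s"] > MAX_CONN_SECONDS:
        reasons.append("long-lived-connection")
    posts = s["post_body_sizes"]
    if len(posts) >= MIN_TINY_POSTS and sum(posts) / len(posts) <= TINY_BODY_BYTES:
        reasons.append("many-tiny-posts")
    return reasons

# Constructed sample sessions (not captured traffic).
SAMPLE_SESSIONS = [
    {"client": "10.0.0.5", "first_bytes": b"GET /index.html HTTP/1.0\r\n\r\n", "duration_s": 2, "post_body_sizes": []},
    {"client": "10.0.0.6", "first_bytes": b"SSH-1.99-example\r\n", "duration_s": 3600, "post_body_sizes": []},
    {"client": "10.0.0.7", "first_bytes": b"POST /cgi-bin/t HTTP/1.1\r\n", "duration_s": 5400, "post_body_sizes": [1] * 400},
    {"client": "10.0.0.8", "first_bytes": b"CONNECT host.example:443 HTTP/1.0\r\n", "duration_s": 30, "post_body_sizes": []},
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s["client"], review_session(s) or "ok")
```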
