To those who rant "never" - I suggest that the requirements for any firewall, and whether to allow any protocol including ssh, depend on your particular circumstances, access requirements, data requirements, and degree of trust.

Let me pose a situation:

A small business office, or a small satellite office, which requires access to the Internet, limited remote user access from the Internet, and of course protection from unwanted intrusion from the Internet. Now add in your requirement for remote administration (many miles away).

How else do you implement the situation? Other VPN software? Travel? More staff? Long distance phone/authenticated modems? More $$?

SSH is a very useful tool.

Many also brought up the point that firewalls don't protect against tunnels on SSH or any port/protocol.

For bigger corporate intranet gateways let me ask: Would it mitigate this risk (or be possible or practical) to set up an SSH proxy service at the Internet gateway so that remote users use SSH across the Internet to a gateway host to authenticate, then traverse the DMZ and firewall unencrypted, so that whatever rules, application proxies, and auditing are implemented are performed in full force?

I have supported similar configurations for Telnet and FTP proxy servers.

Would this approach expose the SSH key files on the more vulnerable gateway host?
--Dave
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
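The gateway design Dave describes only keeps the firewall's rules and application proxies "in full force" if the SSH endpoint on the gateway host cannot itself be turned into the tunnel the earlier replies warned about. As an added illustration (not code from the post or from the list), the following Python audits an OpenSSH sshd_config for the directives that let an authenticated session carry other traffic, including the case where a Match block quietly re-enables forwarding that the global section disabled. The sample configuration embedded at the bottom is constructed for the example; the directive names and their defaults are OpenSSH's, and the parser assumes the standard "Key value" / "Key=value" syntax.

```python
"""Audit an OpenSSH sshd_config for directives that let a login session
carry other traffic (TCP and Unix-socket forwarding, tun devices, X11,
agent forwarding). Constructed example; not from the original post."""
from __future__ import annotations

import re

# Directives that turn a login session into a general-purpose tunnel, with
# the value OpenSSH assumes when the directive is absent from the file.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "allowstreamlocalforwarding": "yes",
    "permittunnel": "no",
    "gatewayports": "no",
    "x11forwarding": "no",
    "allowagentforwarding": "yes",
}

# "Key value" or "Key=value"; keywords are alphanumeric and case-insensitive.
_DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")


def parse_sshd_config(text: str):
    """Return (global_settings, match_blocks).

    global_settings: {directive: value} for lines before any Match keyword.
    match_blocks: [(criteria, {directive: value}), ...] in file order.
    sshd keeps the FIRST value it sees for a directive within a section, so
    later duplicates are deliberately ignored via setdefault().
    """
    global_settings: dict[str, str] = {}
    match_blocks: list[tuple[str, dict[str, str]]] = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            # Everything up to the next Match applies only to matching sessions.
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)
    return global_settings, match_blocks


def audit(text: str) -> list[str]:
    """List directives whose effective value leaves a tunnelling path open."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings: list[str] = []
    for directive, default in DEFAULTS.items():
        value = global_settings.get(directive, default).lower()
        if value != "no":
            origin = "explicit" if directive in global_settings else "default"
            findings.append(f"global: {directive} = {value} ({origin})")
    for criteria, settings in match_blocks:
        for directive in DEFAULTS:
            value = settings.get(directive, "").lower()
            if value and value != "no":
                findings.append(
                    f"Match {criteria}: {directive} = {value} "
                    "permits forwarding for matching sessions"
                )
    return findings


# Constructed sample for a gateway host: forwarding is disabled globally,
# AllowStreamLocalForwarding is forgotten, and a Match block re-opens TCP
# forwarding for one group.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin no
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
AllowAgentForwarding no

Match Group admins
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Running it against the constructed sample reports two findings: the default-on AllowStreamLocalForwarding that was never set, and the Match block that hands TCP forwarding back to one group. On a real gateway you would run `audit()` over the file sshd actually loads (check with `sshd -T` on the host) and treat any non-"no" value as a tunnel that bypasses the proxies and auditing behind it.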