SSH to a box which acts as a gateway, but where users do not have direct access
to the programs on it, does satisfy the concerns I have about it. (Users
are not going to be able to override the SSH settings.)
If I really need encrypted communications I set up a VPN (possibly even
using SSH _to_ the firewall, just not _through_ the firewall).
David Lang
On Fri, 21 Apr 2000, Dave Smart/DEF/CSC wrote:
> Date: Fri, 21 Apr 2000 11:25:24 -0400
> From: Dave Smart/DEF/CSC <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: ssh defeats the firewall
>
> To those who rant "never" - I suggest that the requirements for any firewall,
> and whether to allow any protocol including ssh, depend on your particular
> circumstances, access requirements, data requirements, and degree of trust.
>
> Let me pose a situation:
> A small business office, or a small satellite office which requires access to
> the internet, limited remote user access from the Internet, and of course
> protection from unwanted intrusion from the Internet. Now add in your
> requirement for remote administration (many miles away).
> How else do you implement the situation? Other VPN software? Travel? More
> staff? Long distance phone/authenticated modems? More $$?
> SSH is a very useful tool.
>
> Many also brought up the point that firewalls don't protect against tunnels
> on SSH or any port/protocol.
> For bigger corporate intranet gateways let me ask: Would it mitigate this
> risk (or be possible or practical) to set up SSH proxy service at the
> Internet gateway so that remote users use SSH across the Internet to a
> gateway host to authenticate, then traverse the DMZ and firewall unencrypted
> so that whatever rules, application proxies, and auditing are implemented are
> performed in full force?
> I have supported similar configurations for Telnet and FTP proxy servers.
> Would this approach expose the SSH key files on the more vulnerable gateway
> host?
>
> --Dave
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
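An added example, not from this thread or from either poster, of checking the gateway-side control David Lang relies on (users being unable to override the SSH settings on the gateway): a small Python checker that parses the global section of an OpenSSH sshd_config and reports which forwarding and tunnelling directives are still effectively enabled, filling in OpenSSH's documented defaults for directives that are absent. The directive names and defaults are real OpenSSH ones; the two sample configurations are constructed for the example. It covers only the global section (Match blocks are conditional and are skipped) and says nothing about the separate question of what shell or commands gateway users get.

```python
"""Report forwarding/tunnelling directives left permissive in an sshd_config.

Added example for the SSH gateway discussion; not code from the thread.
Directive names and defaults are OpenSSH's; sample configs are constructed.
"""
import re

# Forwarding-related sshd directives and the value OpenSSH uses when the
# directive is absent from sshd_config. On a gateway that should only offer
# an interactive session (no tunnels through the firewall), every one of
# these should be "no".
FORWARDING_DEFAULTS = {
    "allowtcpforwarding": "yes",
    "allowstreamlocalforwarding": "yes",
    "allowagentforwarding": "yes",
    "x11forwarding": "no",
    "permittunnel": "no",
    "gatewayports": "no",
}

# Constructed sample: a stock-looking config that leaves forwarding on.
LOOSE_SSHD_CONFIG = """
# gateway host, constructed example
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding yes
"""

# Constructed sample: the same host with every forwarding path switched off.
# The trailing duplicate shows that sshd keeps the first value it reads.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no
AllowTcpForwarding yes   # ignored by sshd: first obtained value wins
"""


def parse_global_section(text):
    """Return {keyword_lowercase: first_value} for the global part of a config.

    sshd uses the first obtained value for each keyword, so later duplicates
    are ignored. Everything after a Match header is conditional and is not
    treated as a global setting here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        settings.setdefault(keyword, value)  # first value wins
    return settings


def permissive_forwarding(text):
    """Return sorted (directive, effective_value) pairs that still allow forwarding.

    Any value other than "no" (yes, local, remote, all, ethernet, ...) is
    reported, since each of those leaves some tunnelling path open.
    """
    settings = parse_global_section(text)
    findings = []
    for keyword, default in FORWARDING_DEFAULTS.items():
        effective = settings.get(keyword, default).lower()
        if effective != "no":
            findings.append((keyword, effective))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("loose", LOOSE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = permissive_forwarding(cfg)
        print(f"{name}: {'clean' if not findings else ''}")
        for keyword, value in findings:
            print(f"  {keyword} is effectively '{value}' (want 'no')")
```

Run it against a copy of the gateway's sshd_config (or against the output of `sshd -T`, which prints the effective configuration with defaults already filled in). The loose sample is reported for TCP, Unix-socket, agent and X11 forwarding, all of which the config never mentions and so inherits as "yes", except X11, which it enables explicitly; the hardened sample comes back clean despite the stray duplicate at the end.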