On Wed, 27 Feb 2002, Alvin Oga wrote:

>
>
> hi ya ron

Howdy alvin <smile>

>
> got me confused/worried now ... hummm...
>
> my understanding is the following...
>       - from home (remote), we ssh into a gateway machine
>       and then from it, ssh into local machines at the company...
>
>       my understanding is that all traffic is encrypted...
>       from "remote" to the "inside host" is still encrypted
>       ( am not worried about temporary decrypting before passing it on )
>
> from
> remote#  ssh  ssh.corp.com
> then
> ssh#  ssh inside_host
>
> if some [cr/h]acker gets into ssh.corp.com or the firewall
> then we're snoopable and a sitting duck... in which case there are
> bigger problems than just firewall/ssh/vpn issues
>

Yes, the DMZ system <ssh.corp.com> has to be hardened and monitored.
Hardened to prevent compromise, and many folks tend to take earlier papers
and articles that DMZ systems are throwaways far too literally.  This day
and age, with VPNs and E-commerce and E-biz and such, this should not be
the case; these should be hardened systems with a specialized service
offered, with an IDS and, I'd also recommend, a file integrity scanner run
once or more times a day such as tripwire.  DMZ systems are far more
important these days if for only the reason they tend to be what the
outside world comes to know as company.com.  And a compromise of such
systems tends to not only cost time in fixing these systems, but also
costs in company reputation<s>.  Take the NAI web servers that
[EMAIL PROTECTED] discovered with issues, and how poorly they responded to
the first posting he made, resulting in his second posting on the same
hosts <Subject: Pgp.com was exposing ... information  Date: Wed, 6 Feb
2002  and  Date: Thu, 7 Feb 2002  To: [EMAIL PROTECTED] >.  This
is besides the fact that these systems, if compromised, can be used to
infiltrate the inside systems in many cases and are almost always used to
poke and prod at other systems on the internet, which further serves to
hurt the attacked company's reputation.

But the original point here is that you can better manage your own
policy by decrypting at the DMZ and then letting them inside than you can
by keeping all traffic encrypted.  Unencrypted traffic can then be
managed by the rules in your firewall.  If it's re-encrypted, it can't
be fully thus managed.  Though your scenario looks better than some I've
seen and worked with...

>
> and nope... we don't "watch the contents of all the packets" ...
>       - one particular customer's security policy is so silly
>       that there is no point to having a firewall..
>

Your weakest link is the other guy on the far end of your ssh VPN here.
If their policy is as insecure as you claim, they are the route inside
your systems, and thus a BIG risk.  I'd not let their traffic in for that
very reason.


Thanks,

Ron DuFresne

> have fun linuxing
> alvin
>
> yes.. i know some ssh has been cracked... and been a victim
> of my own stupidity for not updating it too.. good for testing too in my
> book and learning/watching/monitoring...
>
>
> On Wed, 27 Feb 2002, Ron DuFresne wrote:
>
> > On Wed, 27 Feb 2002, Alvin Oga wrote:
> >
> >     [SNIP]
> >
> > > dumb question ...
> > >   - why is VPN needed ??? ssh seems to do everything i need
> > >   - if its (VPN) for network neighborhood to go browsing...
> > >    shoot it/kill it/stomp it (network neighborhood)...
> > >
> >
> > Unless ssh is terminated on the outside <so it's decrypted prior to
> > entering the network> dgillett's point was you do not really know what is
> > passing across the firewall or network perimeter.  Thus, most folks tend
> > to do their VPN terminations outside, on a controlled DMZ system, so that
> > the decrypted traffic can be subject to the rules of the perimeter
> > inspection tools in place to enforce the site's security policy.  SSH
> > through the perimeter devices tends to tunnel traffic much as HTTP does,
> > making it hard to inspect and know what is traversing the outside
> > connection<s>.  Unless of course I read his last response to you
> > incorrectly.  Few admins these days feel comfortable in trusting their
> > users to know and do the right things on traffic they can not inspect;
> > they all tend to want to snoop the wires inside and out...
> >
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
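Added illustration, not part of the list post or anyone's quoted words: an OpenSSH sshd_config drop-in for a DMZ ssh gateway of the kind discussed above, where users log in to ssh.corp.com and then ssh onward to an inside host. Every directive below is a real OpenSSH keyword; the drop-in file path, the requirement for OpenSSH 8.2 or later (for the sshd_config.d Include directory), and the local group name jumpusers are assumptions. The point of the forwarding section is the thread's own point: with every forwarding channel refused, the gateway cannot be used as an opaque tunnel through the perimeter, and the only way inward is a hop that the gateway itself terminates.

```sshd_config
# /etc/ssh/sshd_config.d/10-jumphost.conf   (path is an assumption)
# Added example for a DMZ ssh gateway; assumes OpenSSH >= 8.2 and a local
# group "jumpusers" that holds the people allowed to hop inward.

# Who may connect, and how
AllowGroups jumpusers
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
LoginGraceTime 30

# Refuse every kind of forwarding.  ssh -J / ProxyJump, -L, -R and -D all
# need direct-tcpip or tun channels and fail here, so an outsider cannot
# ride an encrypted tunnel straight through to the inside.  What remains
# is an interactive login on this host, which sees the session in the
# clear, followed by a fresh ssh to the inside host that the inner
# firewall can at least pin to a source, destination and port (that second
# leg is itself encrypted again, as the post notes).
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
PermitTunnel no
X11Forwarding no
GatewayPorts no
PermitOpen none

# Make the box worth monitoring: log key fingerprints, drop idle sessions
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 2
```

sshd takes the first value it sees for a keyword, so the Include line that pulls in sshd_config.d must come before any conflicting setting in the main sshd_config; check the effective result with `sshd -T | grep -i forwarding` rather than trusting the file. A ForceCommand wrapper that only permits `ssh <inside_host>` would tighten this further, but that wrapper is site-specific and is not shown here.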

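Added example, not from the list post: a minimal tripwire-style file integrity baseline and check of the sort the post recommends running once or more a day on the DMZ host. It assumes GNU coreutils (sha256sum, find, sort) and awk; the directory and database paths are whatever you pass in. Paths containing two consecutive spaces or newlines are not handled, and as with tripwire the baseline only means something if it is kept where an intruder on the host cannot rewrite it (off-host or on read-only media).

```shell
#!/bin/sh
# fim.sh: baseline a directory tree and later report what changed.
# Added illustration; assumes GNU sha256sum/find/sort and a POSIX awk.

# _fim_snapshot DIR: print "sha256  ./path" for every regular file under
# DIR, sorted by path so two snapshots are directly comparable.
_fim_snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# fim_baseline DIR DB: record the trusted state of DIR into DB.
fim_baseline() {
    _fim_snapshot "$1" > "$2"
}

# fim_check DIR DB: compare DIR against DB.  Prints one REMOVED/ADDED/
# MODIFIED line per difference; returns 0 when nothing changed, 1 otherwise.
fim_check() {
    dir=$1; db=$2
    now=$(mktemp) || return 2
    _fim_snapshot "$dir" > "$now"
    # sha256sum separates hash and path with two spaces, hence -F'  '
    if awk -F'  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # baseline entries
        { cur[$2] = $1 }                              # live entries
        END {
            bad = 0
            for (f in base) if (!(f in cur)) { print "REMOVED  " f; bad = 1 }
            for (f in cur) {
                if (!(f in base))           { print "ADDED    " f; bad = 1 }
                else if (base[f] != cur[f]) { print "MODIFIED " f; bad = 1 }
            }
            exit bad
        }' "$db" "$now"
    then rc=0; else rc=1; fi
    rm -f "$now"
    return $rc
}

# Command-line use:  fim.sh baseline DIR DB   |   fim.sh check DIR DB
# e.g. from cron:    fim.sh check /etc /var/lib/fim/etc.db || mail -s "FIM alert" ...
case "${1:-}" in
    baseline) fim_baseline "$2" "$3" ;;
    check)    fim_check "$2" "$3" ;;
esac
```

Run `fim.sh baseline` once on a known-good host, copy the database somewhere the host cannot write, and have cron run `fim.sh check` against it; a non-zero exit with REMOVED/ADDED/MODIFIED lines is the signal that either an administrator forgot to rebaseline after a change or someone else has been editing the gateway.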
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
