On Thu, Apr 21, 2005 at 12:59:04AM +0930, alex wilkinson wrote:

> Is it possible to disguise this behaviour ? From a client perspective.

Of course it is. If you can surf arbitrary external web pages, because
the company can't afford to deny you that, you can exchange arbitrary
information back and forth with external hosts, and, hence, can use such
a channel to tunnel ssh over. It's as simple as that, and no product can
prevent it, ever. The only thing taking place is a boring race between
the degree of obfuscation used by the tunnelers vs. the (in the long
run) futile attempts of the filterers to detect them. In the end, the
filterers must lose, because the theory is on the side of the tunnelers.

As a very simple example, say you're reading some online article on the
web. When you click on links to fetch the various pages of the article,
you're sending the server information (like the number of the page you
want to read next). The pages will come back, usually with images of
advertisements in form of gif or jpgs.

If I decide to conspire with that external web server, and I send it
information by requesting certain page numbers in a certain order, and
the server sends me back information by embedding it in the images, how
is any filtering tool going to detect that? And that's only one of many,
many channels you can use, and a very basic one indeed.

As a tunneler, you observe what kind of traffic is used a lot
legitimately. Then you make sure your tunneling causes the exact same
usage patterns, with only slight variations to contain the information.
Then you encrypt the payload and hide it steganographically.

The only reason tunnelers use more straight-forward channels now is that
they provide more bandwidth for payload. As soon as filtering tools
advance, the obfuscations are improved.

So, why are you trying to prevent SSH connections from taking place,
when at the same time you're allowing people to read and post comments
on web forums? They could post your secret corporate documents there,
too (gzip'd and creatively uuencoded so your content filter can't scan
them)...

Daniel

Reply via email to