On Thu, Apr 21, 2005 at 12:59:04AM +0930, alex wilkinson wrote: > Is it possible to disguise this behaviour ? From a client perspective.
Of course it is. If you can surf arbitrary external web pages, because the company can't afford to deny you that, you can exchange arbitrary information back and forth with external hosts, and, hence, can use such a channel to tunnel ssh over. It's as simple as that, and no product can prevent it, ever. The only thing taking place is a boring race between the degree of obfuscation used by the tunnelers vs. the (in the long run) futile attempts of the filterers to detect them. In the end, the filterers must lose, because the theory is on the side of the tunnelers. As a very simple example, say you're reading some online article on the web. When you click on links to fetch the various pages of the article, you're sending the server information (like the number of the page you want to read next). The pages will come back, usually with images of advertisements in form of gif or jpgs. If I decide to conspire with that external web server, and I send it information by requesting certain page numbers in a certain order, and the server sends me back information by embedding it in the images, how is any filtering tool going to detect that? And that's only one of many, many channels you can use, and a very basic one indeed. As a tunneler, you observe what kind of traffic is used a lot legitimately. Then you make sure your tunneling causes the exact same usage patterns, with only slight variations to contain the information. Then you encrypt the payload and hide it steganographically. The only reason tunnelers use more straight-forward channels now is that they provide more bandwidth for payload. As soon as filtering tools advance, the obfuscations are improved. So, why are you trying to prevent SSH connections from taking place, when at the same time you're allowing people to read and post comments on web forums? They could post your secret corporate documents there, too (gzip'd and creatively uuencoded so your content filter can't scan them)... Daniel
