"Greg A. Woods" wrote:

> The only way to stop *hidden* file transfers is to cut the cable.
> 
> Period.
> 
> There are an infinite number of possible covert channels over a general
> purpose Internet connection.


Given the sophistication of network monitoring tools these days, I'm
going to ask how you'd do this.  On the one hand I agree that the
company in question is trying to do something awfully impractical and
maybe pointless (if it's that important I'll just Xerox it and walk it
out in my trouser leg ten pages at a time... Is security going to pat me
down as I leave every day?).  But if they really are willing to take
this so far as monitoring for anything encrypted and squashing it, how
would one get around that?  Steganography?  And then you _really_ look
like you're trying to do something nasty even if you're really just
trying to protect mail to your wife and your stock broker.

I suppose that you could put up an SSL web server outside the firewall
somewhere, house an SSH applet on it, and then browse to that whenever
you want to use ssh, but if they figure that trick out (which they might
if they get more clever with their monitoring tools), then you're in
trouble for deliberately circumnavigating a company security measure. 
Or they might be hip to this already and blocking https at the firewall
too.  After all employees might be using https to shop at Amazon on
company time...

I second the opinion that this comes down to who you trust -- employees
or strangers.  Inside jobs constitute a majority of known security
compromises recently (and probably forever), but the way around that is
not to forbid secure communication, that just leads to bad will.  I'm
curious to know what is so important that it must be protected by these
measures, and whether there might be some better way of doing it than at
the network protocol level, which strikes me as clumsy and obviously has
significant drawbacks that have nothing to do with protecting the
company.

-- 
Michael Jinks, IB // Technical Entity // Saecos Corporation
Opinions expressed above are my own, and not those of my employer.

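As an added example (not code from either poster), here is the kind of check a "squash anything encrypted" filter would actually have to run, beside the trivial word-list encoding the steganography remark alludes to. A byte-entropy score flags uniformly random payloads, which is what ciphertext looks like, but the same ciphertext spelled out as two dictionary words per byte scores like ordinary prose, while an innocent compressed file trips the filter. The threshold, the 16-word codebook and all sample payloads are constructed assumptions for illustration, not any product's real rules.

```python
"""Added example, not code from the thread's authors: an entropy-based
"is this encrypted?" check next to a word-list encoding that slips
ciphertext past it. Threshold, codebook and payloads are all assumed."""
import math
import random
import zlib
from collections import Counter

# Assumed policy: treat a payload above this many bits/byte as "encrypted".
# Real monitoring tools use more signals; this is the simplest proxy.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload's byte-value distribution (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """The filter's verdict. It cannot tell ciphertext from compression."""
    return shannon_entropy(data) >= threshold


# Constructed 16-word codebook: each word carries one nibble (4 bits).
WORDS = ["apple", "brick", "candle", "dragon", "eagle", "forest", "garden",
         "harbor", "island", "jacket", "kettle", "ladder", "marble", "needle",
         "orange", "pepper"]
_INDEX = {w: i for i, w in enumerate(WORDS)}


def encode_as_words(ciphertext: bytes) -> str:
    """Hide arbitrary bytes in low-entropy text: two words per byte."""
    return " ".join(f"{WORDS[b >> 4]} {WORDS[b & 0x0F]}" for b in ciphertext)


def decode_words(text: str) -> bytes:
    """Inverse of encode_as_words; raises KeyError on a word outside the codebook."""
    nibbles = [_INDEX[w] for w in text.split()]
    if len(nibbles) % 2:
        raise ValueError("odd number of words: not a valid encoding")
    return bytes((nibbles[i] << 4) | nibbles[i + 1]
                 for i in range(0, len(nibbles), 2))


def run_demo(seed: int = 1) -> dict:
    """Run the filter over four constructed payloads and return its verdicts."""
    rng = random.Random(seed)
    # Stand-in for real ciphertext: 4 KiB of uniformly random bytes.
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    # Constructed plain-English mail body.
    english = (b"Meeting moved to Thursday; please bring the quarterly "
               b"figures and the vendor contract. ") * 40
    # The same ciphertext, spelled out as dictionary words.
    disguised = encode_as_words(ciphertext).encode("ascii")
    # An innocent compressed attachment: no secret, but high entropy anyway.
    compressed = zlib.compress(disguised)
    samples = [("ciphertext", ciphertext), ("english", english),
               ("disguised", disguised), ("compressed", compressed)]
    return {
        "verdict": {name: looks_encrypted(data) for name, data in samples},
        "entropy": {name: round(shannon_entropy(data), 2) for name, data in samples},
        "roundtrip_ok": decode_words(disguised.decode("ascii")) == ciphertext,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it and the raw ciphertext is flagged while the word-encoded copy of the same bytes is not, which is the thread's point about protocol-level blocking in miniature; the compressed sample shows the other side of the coin, a false positive on harmless data.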