[29907] in North American Network Operators' Group


RE: "top secret" security does require blocking SSH

daemon@ATHENA.MIT.EDU (Derrick)
Sun Jul 9 16:03:33 2000

From: "Derrick" <Derrick@anei.com>
To: <nanog@merit.edu>
Date: Sun, 9 Jul 2000 15:59:51 -0400
Message-ID: <KBEDKDGNJOJKLANKGGFGIENNCAAA.Derrick@anei.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <E13BMyv-0006Rh-00@sapphire.noc.gxn.net>
Errors-To: owner-nanog-outgoing@merit.edu


Blocking SSH is a weak solution. Many places I know allow telnet through
their firewalls and block ssh. Since I never allow telnet on any of my
servers I run SSH on both ports 22 and 23 so that these people can still
reach our servers. Unless you are running an application firewall that
explicitly checks the telnet protocol then you are not safe. The same ideas
have been around for years on port 80. MS DCOM Tunneling is one of the worst,
allowing full application client to server communication in packets wrapped
by http headers so that they can traverse your proxy or firewalls on port
80. I am still waiting for the trojan that makes use of these features and
the intrinsic MS Dcom security model.

Derrick

> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
> Alex Bligh
> Sent: Sunday, July 09, 2000 3:43 PM
> To: Greg A. Woods
> Cc: rmeyer@mhsc.com; nanog@merit.edu
> Subject: Re: "top secret" security does require blocking SSH
>
>
>
>
> woods@weird.com said:
> > Unfortunately we're rapidly approaching (if we're not already there) a
> > state of affairs where it is impossible to technically prevent inbound
> > and outbound covert channels
>
> No. We are just rapidly approaching the point where people realize
> it has always been the case that this is impossible.
>
> --
> Alex Bligh
> VP Core Network, Concentric Network Corporation
> (formerly GX Networks, Xara Networks)
>
>
>
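
The check Derrick's message calls for (an "application firewall that explicitly checks the telnet protocol") can be sketched as a protocol-versus-port audit over the first bytes of each TCP session. The following is an added example, not code from the thread or from any product it mentions; the Flow records, the port-to-protocol table and the sample sessions are all constructed for illustration. It classifies a session by its opening bytes (SSH version banner, telnet IAC option negotiation per RFC 854, an HTTP request line) and flags sessions whose observed protocol does not match what the destination port is supposed to carry, so SSH on port 23 is reported. It also shows the limit the message raises next: traffic wrapped in a syntactically valid HTTP request on port 80 passes a banner check like this one, so a port-and-banner filter is not a substitute for inspecting what the HTTP exchange actually carries.

```python
"""Protocol-vs-port mismatch audit (constructed example, not from the thread).

Assumption: for each TCP session we have the destination port plus the first
bytes sent by the server and by the client (e.g. from a packet capture).
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    server_first: bytes   # first payload bytes sent by the server
    client_first: bytes   # first payload bytes sent by the client


# Which protocol each port is *supposed* to carry (constructed policy table).
EXPECTED = {22: "ssh", 23: "telnet", 80: "http"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")
IAC = b"\xff"  # telnet "Interpret As Command" byte (RFC 854)


def classify(flow: Flow) -> str:
    """Guess the application protocol from the opening bytes of a session."""
    # SSH: both peers send an identification string beginning "SSH-" (RFC 4253).
    if flow.server_first.startswith(b"SSH-") or flow.client_first.startswith(b"SSH-"):
        return "ssh"
    # Telnet: sessions normally open with IAC option negotiation from either side.
    if flow.server_first.startswith(IAC) or flow.client_first.startswith(IAC):
        return "telnet"
    # HTTP: the client speaks first with "<METHOD> <target> HTTP/1.x".
    request_line = flow.client_first.split(b"\r\n", 1)[0]
    if flow.client_first.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        return "http"
    return "unknown"


def check(flow: Flow) -> tuple[str, str, bool]:
    """Return (observed, expected, matches) for one session."""
    observed = classify(flow)
    expected = EXPECTED.get(flow.dst_port, "unknown")
    return observed, expected, observed == expected


def audit(flows: list[Flow]) -> list[str]:
    """Return one alert line per session whose protocol does not fit its port."""
    alerts = []
    for flow in flows:
        observed, expected, ok = check(flow)
        if not ok:
            alerts.append(
                f"port {flow.dst_port}: expected {expected}, saw {observed}"
            )
    return alerts


# Constructed sample sessions; banners are illustrative, not captured data.
SAMPLES = [
    # Legitimate SSH on 22.
    Flow(22, b"SSH-2.0-OpenSSH_2.1.1\r\n", b"SSH-2.0-client\r\n"),
    # The case from the message: an SSH daemon listening on the telnet port.
    Flow(23, b"SSH-2.0-OpenSSH_2.1.1\r\n", b"SSH-2.0-client\r\n"),
    # Real telnet: server sends IAC DO TERMINAL-TYPE, client answers IAC WILL.
    Flow(23, b"\xff\xfd\x18\xff\xfd\x20", b"\xff\xfb\x18"),
    # Plain HTTP.
    Flow(80, b"", b"GET / HTTP/1.0\r\n\r\n"),
    # Something tunnelled inside a well-formed HTTP POST: a banner check cannot
    # tell this from an ordinary request, which is the second point in the thread.
    Flow(80, b"", b"POST /tunnel HTTP/1.1\r\nHost: example\r\n\r\n\x05\x00\x0b"),
]


if __name__ == "__main__":
    for line in audit(SAMPLES):
        print(line)
```

Only the SSH-on-23 session produces an alert; the wrapped POST on port 80 is classified as HTTP and passes, which is exactly why port-level and banner-level filtering has to be complemented by inspection of the application payload itself.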