[29915] in North American Network Operators' Group
RE: "top secret" security does require blocking SSH
daemon@ATHENA.MIT.EDU (Greg A. Woods)
Sun Jul 9 20:35:18 2000
From: woods@weird.com (Greg A. Woods)
To: nanog@merit.edu (North America Network Operators Group Mailing List)
Date: Sun, 9 Jul 2000 20:29:13 -0400 (EDT)
[ On Sunday, July 9, 2000 at 15:59:51 (-0400), Derrick wrote: ]
> Subject: RE: "top secret" security does require blocking SSH
>
>
> Blocking SSH is a weak solution. Many places I know allow telnet through
> their firewalls and block ssh.
Now that's truly insane. I can't even begin to imagine how a security
policy could be worded such that this would be the outcome in
implementation!
> Since I never allow telnet on any of my
> servers I run SSH on both ports 22 and 23 so that these people can still
> reach our servers. Unless you are running an application firewall that
> explicitly checks the telnet protocol then you are not safe.
Hmmm.... as much as I do like to force protocols to run on their
registered ports, running sshd on port 23 in some situations might
indeed be better than nothing....
> The same ideas
> have been around for years on port 80. MS DCOM Tunneling is one of the worst
> allowing full application client to server communication in packets wrapped
> by http headers so that they can traverse your proxy or firewalls on port
> 80. I am still waiting for the trojan that makes use of these features and
> the intrinsic MS DCOM security model.
As I mentioned to a friend just yesterday, I have seen IP-over-email
demonstrated and I've even heard tell of someone doing it with UUCP as
the mail transport.... ;-)
Now that the Church Of Instantaneous Propagation has almost won its
final battle I'd even bet IP-over-email is faster than bare telnet over
some dialups! ;-)
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
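Derrick's point that a port-only rule does not stop SSH unless something checks the protocol itself can be turned into a simple audit. The following is an added example, not code from the thread: it classifies the opening bytes of a TCP stream by protocol (RFC 4253 SSH identification string, telnet IAC negotiation, or plain cleartext) and flags flows whose observed protocol does not match the port's registered service. The flow tuples and banners are constructed sample data.

```python
"""Port-versus-protocol audit: spot SSH answering on port 23 (or anything
non-SSH on 22) from the first bytes a server sends. Added example."""

TELNET_IAC = 0xFF                          # telnet "Interpret As Command"
TELNET_COMMANDS = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT

# Protocols considered legitimate on each registered port
EXPECTED = {22: {"ssh"}, 23: {"telnet", "cleartext"}}


def classify_payload(first_bytes: bytes) -> str:
    """Return 'ssh', 'telnet', 'cleartext' or 'unknown' for a stream's opening
    bytes. RFC 4253 requires both SSH peers to start with 'SSH-<ver>-<soft>';
    a telnet server normally opens with IAC option negotiation; a bare login
    prompt with no negotiation is reported as generic cleartext."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if (len(first_bytes) >= 2 and first_bytes[0] == TELNET_IAC
            and first_bytes[1] in TELNET_COMMANDS):
        return "telnet"
    if first_bytes and all(32 <= b < 127 or b in b"\r\n\t" for b in first_bytes):
        return "cleartext"
    return "unknown"


def audit_flows(flows):
    """flows: iterable of (src, dst, dst_port, server_first_bytes).
    Returns (src, dst, dst_port, protocol) for every audited port whose
    observed protocol is not one the port is registered for."""
    findings = []
    for src, dst, dport, payload in flows:
        proto = classify_payload(payload)
        if dport in EXPECTED and proto not in EXPECTED[dport]:
            findings.append((src, dst, dport, proto))
    return findings


# Constructed sample flows (server-side first bytes), not captured traffic
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 23, b"\xff\xfd\x18\xff\xfd\x20login: "),  # real telnet
    ("10.0.0.6", "192.0.2.11", 23, b"SSH-2.0-ExampleServer\r\n"),       # sshd on 23
    ("10.0.0.7", "192.0.2.12", 22, b"SSH-2.0-ExampleServer\r\n"),       # normal ssh
    ("10.0.0.8", "192.0.2.13", 80, b"HTTP/1.0 200 OK\r\n"),             # port not audited
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print("port/protocol mismatch:", finding)
```

A proxy or application-layer firewall applies the same idea inline; a passive sensor can run it over the first packet of each accepted session.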