[29924] in North American Network Operators' Group
RE: "top secret" security does require blocking SSH
daemon@ATHENA.MIT.EDU (Roeland M.J. Meyer)
Sun Jul 9 22:37:54 2000
Reply-To: <rmeyer@mhsc.com>
From: "Roeland M.J. Meyer" <rmeyer@mhsc.com>
To: "'Alex Bligh'" <amb@gxn.net>, "'Derrick'" <Derrick@anei.com>
Cc: <nanog@merit.edu>
Date: Sun, 9 Jul 2000 19:32:09 -0700
Message-ID: <003b01bfea17$0c7ab920$eaaf6cc7@PEREGRIN>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <E13BNQo-00075E-00@sapphire.noc.gxn.net>
Errors-To: owner-nanog-outgoing@merit.edu
Actually, it isn't so hard. Northgrum.com has firewall, moat,
alligators, and free-fire kill-zone <g>. I will also never take
them on as a client again because of it. I just can't be
disconnected from my business in chunks of time that large. Oh
yeah, they also don't allow off-site work. Aerospace/DOD is
feeling the pinch though. But, this latest LLNL thing has really
caused them to think long and hard about some serious issues.
Yes, if there is any way to bypass the wall, including a Xircom
CardBus (LAN port plugged into the LAN and modem port connected
to a Nokia 6185, via DLR3 data cable, dialed into an external
Internet server), then covert ops are assured, as well as almost
undetectable. The only way to stop that is a mil-grade PCS
jammer. The Nokia uses spread-spectrum so intercepts are very
difficult. I wonder if anyone has suggested this to the
investigators of the Nat labs?
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
> Alex Bligh
> Sent: Sunday, July 09, 2000 1:12 PM
> To: Derrick
> Cc: nanog@merit.edu
> Subject: Re: "top secret" security does require blocking SSH
>
> "Derrick" <Derrick@anei.com>
> > Blocking SSH is a weak solution.
>
> I wrote:
> > > No. We are just rapidly approaching the point where people realize
> > > it has always been the case that this is impossible.
>
> I meant it has always been the case that blocking covert channels
> of communication was technically impossible. You can tunnel ssh
> or equivalent through email wordcounts if you really feel the
> need. I'm not an expert, but there is good information theory
> that says once you allow more than trivial bit rates in/out
> of an organization, blocking covert communication encapsulated
> one way or another becomes extremely hard.
>
> --
> Alex Bligh
> VP Core Network, Concentric Network Corporation
> (formerly GX Networks, Xara Networks)
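The "tunnel through email wordcounts" idea Alex mentions, worked out as a runnable illustration. This is an added example, not code from either poster or from the NANOG thread; the filler vocabulary, the four-word floor, and the one-byte length prefix are assumptions chosen for the example. Each sentence of a bland-looking message carries one nibble in its word count, so a perimeter that passes SMTP but blocks SSH still leaks data; the histogram function shows the flat sentence-length distribution a defender could look for, which natural prose does not have.

```python
"""Covert channel hidden in per-sentence word counts (added illustration).

Every sentence of an otherwise innocuous message carries one nibble: a
sentence of MIN_WORDS + n words encodes the value n (0..15), and two
sentences make a byte. The filler vocabulary, the word-count floor and
the length-prefix framing are assumptions made for this example; they
are not from the thread.
"""

# Constructed filler vocabulary; the words themselves carry no information.
FILLER = (
    "the", "quarterly", "report", "is", "attached", "please", "review",
    "and", "send", "comments", "before", "friday", "meeting", "with",
    "vendor", "team",
)

MIN_WORDS = 4  # a sentence of exactly MIN_WORDS words encodes nibble 0


def _sentence(word_count: int, cursor: int) -> tuple[str, int]:
    """Build one sentence of exactly word_count filler words."""
    words = [FILLER[(cursor + i) % len(FILLER)] for i in range(word_count)]
    text = " ".join(words)
    return text[0].upper() + text[1:] + ".", cursor + word_count


def encode(payload: bytes) -> str:
    """Hide payload in prose: one length byte, then the payload, one nibble per sentence."""
    if len(payload) > 255:
        raise ValueError("payload too long for the one-byte length prefix")
    data = bytes([len(payload)]) + payload
    sentences, cursor = [], 0
    for byte in data:
        for nibble in (byte >> 4, byte & 0x0F):
            sentence, cursor = _sentence(MIN_WORDS + nibble, cursor)
            sentences.append(sentence)
    return " ".join(sentences)


def decode(message: str) -> bytes:
    """Recover the payload by counting the words in each sentence."""
    sentences = [s for s in message.split(".") if s.strip()]
    nibbles = []
    for sentence in sentences:
        nibble = len(sentence.split()) - MIN_WORDS
        if not 0 <= nibble <= 15:
            raise ValueError(f"word count outside the encoding range: {sentence!r}")
        nibbles.append(nibble)
    if len(nibbles) % 2:
        raise ValueError("odd number of sentences; message truncated or altered")
    data = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))
    if not data:
        raise ValueError("no sentences to decode")
    length, body = data[0], data[1:]
    if len(body) < length:
        raise ValueError("length prefix claims more bytes than the message carries")
    return body[:length]


def bits_per_word(message: str) -> float:
    """Channel efficiency: hidden bits per visible word (each sentence carries 4 bits)."""
    sentences = [s for s in message.split(".") if s.strip()]
    total_words = sum(len(s.split()) for s in sentences)
    return 4 * len(sentences) / total_words if total_words else 0.0


def wordcount_histogram(message: str) -> dict[int, int]:
    """Defender's view: sentence-length distribution of a message.

    Carrier text produced by encode() is spread over [MIN_WORDS, MIN_WORDS + 15]
    according to the payload's nibble values, unlike natural prose.
    """
    hist: dict[int, int] = {}
    for s in message.split("."):
        if s.strip():
            n = len(s.split())
            hist[n] = hist.get(n, 0) + 1
    return hist


if __name__ == "__main__":
    secret = b"ssh -R 2222:localhost:22 host.example"  # constructed payload
    carrier = encode(secret)
    print(carrier)
    assert decode(carrier) == secret
    print(f"{bits_per_word(carrier):.2f} hidden bits per word")
    print(wordcount_histogram(carrier))
```

At roughly 0.35 hidden bits per visible word this is a slow channel, which is exactly the information-theory point: a few hundred bytes of mail a day is already enough to walk out a credential, and the only way to close the channel is to cut the bit rate, not to filter a protocol.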