
Re: [Sheflug] Re: Firewall security and SSH



On Saturday 13 October 2001 19:09, you wrote:
> > Hope this helps some people understand ssh a bit better, plus it
> > adds another twist to security :)
>
> Yes .. I'd heard about something like this but hadn't really gotten
> hold of all the juicy details.  As a precaution I disable SSH on any
> firewall box just to make sure that any smart arse trying it out
> doesn't do too well at it.

I think that's Chris' point - disabling SSH on a firewall ain't good enough, 
you can still get through. 

This belies the basic point, though, which is that if any traffic passes 
through the firewall, then it's possible to pierce the firewall. I have seen 
people do this over a number of protocols (http being quite common, but I've 
even seen stuff like tunneling over icmp) - basically, if you can put payload 
into some data area, get it through the firewall to a place you have control 
of, and get replies back, that's all you need.

A lot of people use the tunneling capability of ssh for X forwarding - it's 
not just the tunneling that's good, but the automatic xauth setup. But, if 
you look around, you can find quite a few articles on tunneling most 
client/server apps using ssh, and tunneling in general. 

I think uses like this are going to be one of the main drivers for 
higher-level firewalls; although it's even possible to tunnel through a http 
proxy (albeit poorly performing). It's not even like you can inspect the data 
to try to determine when someone has done it - you probably wouldn't be able 
to tell the difference between someone browsing Amazon and someone tunneling 
ssh if they were both over https (apart from the destination IP, of course), 
although a tunnel will always require a lot of bandwidth, and if it's a 
one-way protocol (like http) you need to constantly poll for new data from 
the other end which is also noticeable (unless you're using http/1.1, but 
that wouldn't work through a proxy in most cases, I think).

I suppose it all comes down to how much you trust the local users. I know in 
a number of places this kind of firewall piercing would be impossible, not 
because the firewall is kung-fu, but because there isn't a connection to the 
outside world (e-mail being injected, www being inaccessible :S )

Cheers,

			Alex.
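The two tells mentioned in the message above (a tunnel over a one-way protocol has to poll constantly, and it moves a lot of data) can be turned into a simple heuristic over proxy logs. This is an added example, not code from the original thread; the record format, the thresholds and the two client addresses are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample records (epoch seconds, client, destination, bytes);
# not real traffic. One client browses at irregular intervals, the other
# polls a relay every two seconds with a fixed-size request, which is the
# shape a tunnel carried over HTTP through a proxy would produce.
_BROWSE_GAPS = [3, 41, 2, 9, 88, 1, 17, 5, 63, 2, 30, 4,
                120, 1, 8, 22, 3, 55, 2, 14, 7, 95, 1, 6]
SAMPLE_RECORDS = []
_ts = 1002963600
for i, gap in enumerate([0] + _BROWSE_GAPS):
    _ts += gap
    SAMPLE_RECORDS.append((_ts, "10.0.0.5", "www.amazon.com", 1200 + (i * 3700) % 45000))
for i in range(30):
    SAMPLE_RECORDS.append((1002963600 + 2 * i, "10.0.0.9", "relay.example.net", 1500))

def group_sessions(records):
    """Bucket (timestamp, bytes) events by (client, destination) pair."""
    groups = defaultdict(list)
    for ts, client, dest, nbytes in records:
        groups[(client, dest)].append((ts, nbytes))
    return groups

def looks_like_polling_tunnel(events, min_requests=20, max_cv=0.25, min_bytes=20000):
    """Heuristic: many requests, near-constant spacing, large total volume.
    max_cv bounds the coefficient of variation of the inter-request gaps;
    a human browsing produces very irregular gaps, a poller does not."""
    if len(events) < min_requests:
        return False
    events = sorted(events)
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap == 0:          # every request shares one timestamp: not polling
        return False
    cv = statistics.pstdev(gaps) / mean_gap
    total_bytes = sum(nbytes for _, nbytes in events)
    return cv <= max_cv and total_bytes >= min_bytes

def suspicious_sessions(records, **thresholds):
    """Return the (client, destination) pairs whose traffic shape matches."""
    return sorted(key for key, events in group_sessions(records).items()
                  if looks_like_polling_tunnel(events, **thresholds))

if __name__ == "__main__":
    for client, dest in suspicious_sessions(SAMPLE_RECORDS):
        print(f"possible tunnel: {client} -> {dest}")
```

The thresholds are deliberately coarse; a real deployment would tune them per site and treat a hit as something to look at, not proof of a tunnel.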
___________________________________________________________________

Sheffield Linux User's Group - http://www.sheflug.co.uk . 
To unsubscribe from this list send mail to 
shef-lug-request@list.sheflug.org.uk with the word
"unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.