[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] Re: Firewall security and SSH

To: shef-lug [at] xxxxxxxxxxxxxxxxxxx
Subject: Re: [Sheflug] Re: Firewall security and SSH
From: Pieter Meiring <xxxxx [at] xxxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 13 Oct 2001 22:38:07 +0100
Envelope-To: <shef-lug [at] list.sheflug.org.uk>
List-Help: <mailto:shef-lug-request [at] list.sheflug.org.uk?subject=help>
List-Id: Sheflug <shef-lug.list.sheflug.org.uk>
List-Post: <mailto:shef-lug [at] list.sheflug.org.uk>
List-Subscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=subscribe>
List-Unsubscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=unsubscribe>
Reply-To: shef-lug [at] xxxxxxxxxxxxxxxxxxx
Sender: shef-lug-admin [at] xxxxxxxxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 13 Oct 2001 7:09 pm, you wrote:
> Chris
>
> > Hope this helps some people understand ssh a bit better, plus it
> > adds another twist to security :)
>
> Yes .. I'd heard about something like this but hadn't really goten
> hold of all the juicy details.  As a precaution I disable SSH on any
> firewall box just to make sure that any smart arse trying it out
> doesn't do too well at it.
>

It is possible for a savvy user inside a firewall to render the firewall 
insecure using *any* protocol that is passed by the firewall. I have, on 
occation, forwarded ports across multiple firewalls on top of telnet, http 
and ssh. I currently use ssh across several firewalls in the NHSnet to copy 
images between hospitals, ssh port forwarding to allow query and retrieve by 
DICOM servers between hospitals and ssh on top of ppp on top of telnet to 
access some images remotely from one localtion that only allows telnet (!!) 
access. The point is that if you have ANY legal connection from inside to an 
outside machine, it is possble to breech the firewall in reverse. The only 
secure ways is to denay all users inside as well as outside a firewall shell 
access to any machine inside a firewall. Port forwarding is not a preserve 
unique to ssh - its just a lot easier to do with ssh and this facility is not 
a reason, per se, not to use ssh.

Best Wishes,
Pieter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7yLQ/KcW+Qf+XsA4RAklcAKC/L4TH0gdxttGMFfeZkdg0clJEZgCeKdvL
3eughl780Le4N4W/OhaYv+Q=
=Ntu7
-----END PGP SIGNATURE-----
___________________________________________________________________

Sheffield Linux User's Group - http://www.sheflug.co.uk . 
To unsubscribe from this list send mail to 
shef-lug-request@list.sheflug.org.uk with the word
"unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.

References:
- [Sheflug] Firewall security and SSH
  - From: Chris J/#6
- [Sheflug] Re: Firewall security and SSH
  - From: Richard Ibbotson

Prev by Date: [Sheflug] telnet as root?
Next by Date: Re: [Sheflug] telnet as root?
Prev by thread: Re: [Sheflug] Re: Firewall security and SSH
Next by thread: [Sheflug] connections
Index(es):
- Date
- Thread