Firewall Wizards mailing list archives

Re: Summary: SSH through firewall


From: "Ge' Weijers" <ge () progressive-systems com>
Date: Tue, 27 Jul 1999 11:20:08 -0400

On Mon, Jul 26, 1999 at 10:23:40AM +0200, Ginsberg Rainer (QI/INF4) * wrote:
> 2) The -R option allows insiders to forward all kinds of
>    traffic from the untrusted network to the trusted
>    network.

Even if ssh would not support this feature it would be easy to run a
tunnel through the terminal session. Tunneling PPP through an outbound
telnet session is no big deal, and at least one (commercial) PPP
implementation I know of can actually do this out of the box. The
firewall most likely won't have a clue. I'm sure the same can be done
with about any login-session protocol. It's just easier to do with
'ssh'.

One way to kind-of solve this problem is to only allow ssh out from a
host on a service network (DMZ), and configure sshd on this host not
to allow tunnels. You will also need to firewall this machine off from
the rest of the network.

Threats from insiders are very hard to deal with, especially if you
don't want to chase 90% of your workforce away with oppressive
security measures. It's hard to put a firewall on sneakernet.

Ge'

-- 
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
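The "sshd on this host not to allow tunnels" step above, written out as a present-day OpenSSH sshd_config for the DMZ bastion. This is an added example, not configuration from the original post, and it assumes a current OpenSSH release (most of these directives postdate 1999):

```sshd_config
# sshd_config on the DMZ bastion that internal users are allowed to ssh to.
# The bastion is the only host that may ssh out, and it is firewalled off
# from the internal network, so a -R listener on the far end only reaches
# the bastion itself.

# --- Weak: OpenSSH defaults, shown for contrast (do not use) ---
# AllowTcpForwarding yes        # -L and -R forwards accepted from clients
# AllowStreamLocalForwarding yes
# AllowAgentForwarding yes
# GatewayPorts no
# PermitTunnel no               # tun/tap (-w) already off by default

# --- Hardened: refuse every forwarding and tunnel type ---
AllowTcpForwarding no           # rejects -L/-R requests (this blocks the -R case above)
AllowStreamLocalForwarding no   # no Unix-socket forwards either
AllowAgentForwarding no         # no agent relay through the bastion
GatewayPorts no                 # a -R listener, if ever allowed, binds to loopback only
PermitTunnel no                 # no layer-2/3 tun devices
PermitOpen none                 # belt and braces: no -L destinations at all
PermitListen none               # belt and braces: no -R listeners at all
X11Forwarding no

# If an admin group genuinely needs forwarding, re-enable it narrowly
# rather than globally ("bastion-admins" is an assumed group name).
Match Group bastion-admins
    AllowTcpForwarding local
    PermitOpen localhost:22
```

After editing, check the effective values with `sshd -T | grep -Ei 'forwarding|tunnel|permit(open|listen)|gatewayports'` before reloading sshd.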