nanog mailing list archives
RE: "top secret" security does require blocking SSH
From: "Roeland M.J. Meyer" <rmeyer () mhsc com>
Date: Sun, 9 Jul 2000 19:32:09 -0700
Actually, it isn't so hard. Northgrum.com has firewall, moat, alligators, and free-fire kill-zone <g>. I will also never take them on as a client again because of it. I just can't be disconnected from my business in chunks of time that large. Oh yeah, they also don't allow off-site work. Aerospace/DOD is feeling the pinch though. But, this latest LLNL thing has really caused them to think long and hard about some serious issues. Yes, if there is any way to bypass the wall, including Xircom CardBus (LAN port plugged into the LAN and modem port connected to a Nokia 6185, via DLR3 datacable, dialed into an external Internet server.) then covert ops are assured, as well as almost undetectible. The only way to stop that is a mil-grade PCS jammer. The Nokia uses spread-spectrum so intercepts are very difficult. I wonder if anyone has suggested this to the investigators of the Nat labs?
-----Original Message----- From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On
Behalf Of
Alex Bligh Sent: Sunday, July 09, 2000 1:12 PM To: Derrick Cc: nanog () merit edu Subject: Re: "top secret" security does require blocking SSH "Derrick" <Derrick () anei com>Blocking SSH is a weak solution.I wrote:No. We are just rapidly approaching the point where people
realize
it has always been the case that this is impossible.I meant it has always been the case that blocking covert
channels
of communication was technically impossible. You can tunnel ssh or equivalent through email wordcounts if you really feel the need. I'm not an expert, but there is good information theory that says once you allow more than trivial bit rates in/out of an organization, blocking covert communication encapsulated one way or another becomes extremely hard. -- Alex Bligh VP Core Network, Concentric Network Corporation (formerly GX Networks, Xara Networks)
Current thread:
- RE: RBL-type BGP service for known rogue networks?, (continued)
- RE: RBL-type BGP service for known rogue networks? Sabri Berisha (Jul 08)
- RE: RBL-type BGP service for known rogue networks? Roeland M.J. Meyer (Jul 08)
- Re: RBL-type BGP service for known rogue networks? Rodney Joffe (Jul 08)
- Re: RBL-type BGP service for known rogue networks? John Payne (Jul 09)
- Re: RBL-type BGP service for known rogue networks? Dana Hudes (Jul 08)
- RE: RBL-type BGP service for known rogue networks? Roeland M.J. Meyer (Jul 09)
- "top secret" security does require blocking SSH Greg A. Woods (Jul 09)
- Re: "top secret" security does require blocking SSH Alex Bligh (Jul 09)
- RE: "top secret" security does require blocking SSH Derrick (Jul 09)
- Re: "top secret" security does require blocking SSH Alex Bligh (Jul 09)
- RE: "top secret" security does require blocking SSH Roeland M.J. Meyer (Jul 09)
- RE: "top secret" security does require blocking SSH Christopher Palmer (Jul 10)
- RE: "top secret" security does require blocking SSH Greg A. Woods (Jul 09)
- Re: "top secret" security does require blocking SSH Greg A. Woods (Jul 09)
- Open Broadcast Amplifier networks list. Simon Lyall (Jul 12)
- Re: "top secret" security does require blocking SSH Stephen Sprunk (Jul 09)
- RE: RBL-type BGP service for known rogue networks? Sabri Berisha (Jul 09)
- RE: RBL-type BGP service for known rogue networks? Roeland M.J. Meyer (Jul 09)
- Re: RBL-type BGP service for known rogue networks? Richard Irving (Jul 09)
- RE: RBL-type BGP service for known rogue networks? Derek J. Balling (Jul 09)
- RE: RBL-type BGP service for known rogue networks? Roeland M.J. Meyer (Jul 09)