Firewall Wizards mailing list archives

RE: ssh holes? trojans?


From: <havoc () chipsworld llamas net>
Date: Tue, 19 Sep 2000 20:34:53 -0400 (EDT)

I find it difficult to believe that instead of implementing good security
measures you just monitor the traffic going through the firewall.  I
believe one of your duties should be to enforce good network skills and
habits; allowing telnet and disallowing ssh certainly isn't
helping.  Perhaps you should look into a product that interacts with your
gateway/firewall to search email, ftp, and http.  There are certain
products which can scan mail attachments and ftp xfers for viruses and
also scan the subject/body of emails for prohibited texts such as 'resume'
or 'sex'.  I wouldn't allow telnet out (or in) of my network because of
the insecurities of cleartext passwords.  If users are sshing, telneting,
or whatever to their home machine, and you (as your company) have a
problem with it (or your corporate security policy forbids it) -- perhaps
you should not allow this traffic, period.

To answer your question about trojaned ssh daemons: you bet there are
plenty out there.  I have my own precompiled daemon that I install on,
let's just say questionable, machines.   Perhaps you aren't looking in the
right location for the code -- but it's definitely out there.

IMHO, drop the ssh proxy idea.

-havoc

-----Original Message-----
From: Gregory Hicks [mailto:ghicks () cadence com]
Sent: Monday, September 18, 2000 6:28 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] ssh holes? Trojans?



We have a requirement to monitor, for legal reasons, everything that
goes off the company network.

Recently, we closed access to port 22 (ssh).  The reasoning was that we
could monitor things like ftp, telnet, mail, et al because when these
data streams crossed the firewall, they were '...in the clear
(unencrypted).'  And yes, I know that ssh can be tunneled on any other
port...

With ssh, the data stream is encrypted at the users workstation and
tunnels 'through' the firewall so we never get a chance to monitor it.

In addition, there have been 'strange' networks (like the internet)
showing up on our network monitoring facilities.  (None now, but there
may be again.)  Unfortunately, we have not been able to 'catch' anyone
'in the act' as it were...

Users have been infected with viruses that no-one else in the company
'catches'.

Anyway, we now believe that these 'occurrences' were caused when users
connected their home machines with their office workstations and
'stuff' on the home net crossed over to the corporate interface.

Now then, what we would like to do is to set up an ssh 'proxy' inside
the DMZ so that whatever is passed to the sshd on the proxy host
crosses our monitoring hosts 'in the clear'.

Does anyone know of such a beast?  Has anyone used it?  I only found an
unfinished section of C code...

After hearing from another source (an employee discussed our 'new'
policy with their SO at home), we 'heard' that there are ssh
'trojans'...  Any truth to the rumor?  I haven't been able to find any
info on this.

Assist appreciated in advance.

Regards,
Gregory Hicks

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
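The original post notes that ssh "can be tunneled on any other port", so a monitoring host that only watches port 22 misses it. Added example (not code from anyone in this thread): the SSH identification string from RFC 4253 is sent in the clear before any encryption starts, so a monitor can flag SSH on any port from the first server bytes. The Flow record format and the sample traffic are constructed for illustration.

```python
import re
from dataclasses import dataclass

# RFC 4253 identification string: "SSH-protoversion-softwareversion[ SP comments] CRLF".
_BANNER = re.compile(rb"^SSH-(\d+\.\d+)-([^\s]+)")

@dataclass(frozen=True)
class Flow:
    """Constructed flow record: assumes the monitor keeps the first server->client bytes."""
    src: str
    dst: str
    dst_port: int
    first_bytes: bytes

def ssh_banner(payload: bytes):
    """Return (protoversion, softwareversion) if the payload carries an SSH
    identification string, else None.  RFC 4253 allows the server to send
    arbitrary text lines before the banner, so scan the first lines."""
    for line in payload.split(b"\n")[:8]:   # banner is always near the start
        m = _BANNER.match(line.rstrip(b"\r"))
        if m:
            return m.group(1).decode(), m.group(2).decode()
    return None

def find_ssh_flows(flows, allowed_ports=(22,)):
    """Flag every flow that speaks SSH regardless of port; the boolean marks
    flows on ports where policy does not expect SSH (the tunneled cases)."""
    findings = []
    for f in flows:
        banner = ssh_banner(f.first_bytes)
        if banner:
            findings.append((f, banner, f.dst_port not in allowed_ports))
    return findings

# Constructed sample traffic (not captured data).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10",   22,   b"SSH-2.0-OpenSSH_2.2.0p1\r\n"),
    Flow("10.0.0.7", "198.51.100.3", 443,  b"SSH-2.0-OpenSSH_2.1.1\r\n"),  # ssh on the https port
    Flow("10.0.0.9", "198.51.100.8", 80,   b"HTTP/1.0 200 OK\r\nServer: Apache\r\n"),
    Flow("10.0.0.9", "203.0.113.4",  2222, b"Authorized use only\r\nSSH-1.99-Server\r\n"),
    Flow("10.0.0.2", "203.0.113.9",  23,   b"\xff\xfd\x18\xff\xfd\x20login: "),
]

if __name__ == "__main__":
    for flow, (proto, soft), off_port in find_ssh_flows(SAMPLE_FLOWS):
        tag = "OFF-PORT" if off_port else "ok"
        print(f"{tag:8} {flow.src} -> {flow.dst}:{flow.dst_port}  SSH-{proto} {soft}")
```

On the constructed sample this flags the port 443 and port 2222 flows as SSH outside the allowed port, while the HTTP and telnet flows pass untouched.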


