Firewall Wizards mailing list archives

RE: ssh holes? Trojans?


From: sean.kelly () lanston com
Date: Thu, 21 Sep 2000 12:30:36 -0400

From: Gregory Hicks [mailto:ghicks () cadence com]

We have a requirement to monitor, for legal reasons, everything that
goes off the company network.

Recently, we closed access to port 22 (ssh).  The reasoning was that we
could monitor things like ftp, telnet, mail, et al because when these
data streams crossed the firewall, they were '...in the clear
(unencrypted).'  And yes, I know that ssh can be tunneled on any other
port...

This raises an interesting question -- at what point is accountability more
important than security?  Is deliberately constructing an insecure system
justifiable in the interest of more accurate auditing?

With ssh, the data stream is encrypted at the users workstation and
tunnels 'through' the firewall so we never get a chance to monitor it.

And neither does a hacker, which is kind of the point.

In addition, there have been 'strange' networks (like the internet)
showing up on our network monitoring facilities.  (None now, but there
may be again.)  Unfortunately, we have not been able to 'catch' anyone
'in the act' as it were...

Do you have dialup access or a VPN set up for your network?  This is the
most likely culprit.  I heard a story recently that seems applicable (though
I can't for the life of me remember if it was on this list or from a
coworker) -- a husband and wife both worked for different companies and both
dialed in to their corporate networks from home.  Their home machines were
networked together.  One time, the husband noticed that while he was dialed
in, servers from his wife's office were appearing on the network of his own
office.  Their home LAN was acting as a conduit between the two corporate
networks.

Users have been infected with viruses that no one else in the company
'catches'.

This isn't surprising.  If they're downloading stuff from the internet,
bringing disks from home, or running those clever attachments they are
emailed by friends then there is a decent chance that they could become
infected with a virus.  We recently had one of the lovebug strains bounce
around our office even though every PC has an antivirus program installed,
so even attempts at protection are far from perfect.

Anyway, we now believe that these 'occurrences' were caused when users
connected their home machines with their office workstations and
'stuff' on the home net crossed over to the corporate interface.

And you don't have dial-up access so you're certain that this connection is
outbound rather than inbound?  And, of course, that the users are not clever
enough to just tunnel ssh over a different port...

Now then, what we would like to do is to set up an ssh 'proxy' inside
the DMZ so that whatever is passed to the sshd on the proxy host
crosses our monitoring hosts 'in the clear'.

As someone else said, one of the points of ssh is to defeat such attempts.
What you are trying to do is mount a "man in the middle" attack against the
ssh session.  If such a thing were simple, ssh wouldn't be a very useful
protocol, would it?  If you are really interested in tracking users to this
degree, why not install monitoring software on the PCs on your network?
There's no reason to try to do all your auditing from the firewall.

After hearing from another source (an employee discussed our 'new'
policy with their SO at home), we 'heard' that there are ssh
'trojans'...  Any truth to the rumor?

I did a quick websearch and ran across a few references.  Obviously, it's
possible to release a trojaned version of any program, though this is much
easier for open-source apps.  I'd say that if the PCs on your network are
Windows-based rather than some version of UN*X then the chances that someone
is using a trojaned version of ssh are quite small.  Also, for someone to be
able to use a trojaned program it would have to be installed on the PC --
most corporate users are generally unable to install applications.  While
ssh trojans appear to exist, it's not something I would put at the top of my
list of concerns.


Sean
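Added example, not part of the thread above: the remark that users can simply tunnel ssh over a different port is the practical hole in a port-22 block. What a monitoring host can look for instead is the protocol identification string, since every SSH connection (both sides) opens with a line of the form "SSH-protoversion-softwareversion SP comments CR LF" before any encryption starts. The detector below runs over a handful of constructed first-packet payloads; the flows, addresses and banners are made up for the example, and it generalizes the point slightly by also handling the text lines a server is allowed to send before its banner.

```python
"""Added example (not from the mailing-list post): spot ssh on any TCP
port by its protocol identification string rather than by destination
port.  Every SSH connection begins with "SSH-protoversion-softwareversion
SP comments CR LF" (RFC 4253, section 4.2), sent in the clear by both
sides, so a monitor that sees the first bytes of a flow can flag ssh
hidden on 443 or 80 as easily as on 22."""
import re
from typing import List, Optional

# RFC 4253 lets a server send other text lines before the version string,
# so search for the banner at any line start instead of only at offset 0.
SSH_BANNER = re.compile(rb"^SSH-(\d\.\d+)-([^\s\r\n]+)(?: ([^\r\n]*))?\r?\n", re.M)


def classify_first_bytes(payload: bytes) -> Optional[dict]:
    """Return banner details if `payload` (the first bytes one side sent
    on a TCP stream) carries an SSH identification string, else None."""
    m = SSH_BANNER.search(payload)
    if not m:
        return None
    return {
        "proto": m.group(1).decode("ascii", "replace"),
        "software": m.group(2).decode("ascii", "replace"),
        "comment": (m.group(3) or b"").decode("ascii", "replace"),
    }


def find_ssh_flows(flows: List[tuple]) -> List[dict]:
    """`flows` is a list of (src, dst, dport, first_bytes) tuples as a
    firewall or sniffer would reconstruct them.  Return the SSH ones,
    noting which use a port other than 22."""
    hits = []
    for src, dst, dport, data in flows:
        info = classify_first_bytes(data)
        if info is None:
            continue
        hits.append({"src": src, "dst": dst, "dport": dport,
                     "nonstandard_port": dport != 22, **info})
    return hits


# Constructed sample flows (not real captures): (src, dst, dport, first bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9", 22, b"SSH-2.0-OpenSSH_2.2.0p1\r\n"),
    # ssh hidden on the https port; "1.99" means the server speaks 1.x and 2.0
    ("10.0.0.7", "203.0.113.9", 443, b"SSH-1.99-OpenSSH_2.1.1\r\n"),
    # banner preceded by a text line, which RFC 4253 permits
    ("10.0.0.6", "203.0.113.12", 8080, b"Welcome\r\nSSH-2.0-dropbear\r\n"),
    # a TLS ClientHello on 443 and plain HTTP on 80: not SSH
    ("10.0.0.8", "203.0.113.10", 443, b"\x16\x03\x01\x00\x5a\x01\x00\x00"),
    ("10.0.0.9", "203.0.113.11", 80, b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for hit in find_ssh_flows(SAMPLE_FLOWS):
        flag = " (non-standard port)" if hit["nonstandard_port"] else ""
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"SSH-{hit['proto']} {hit['software']}{flag}")
```

The check only catches ssh that still looks like ssh on the wire; ssh wrapped inside another encrypted protocol (for instance an HTTPS CONNECT tunnel) shows the outer protocol's first bytes instead, which is why the reply's suggestion of monitoring on the workstation rather than only at the firewall is the more complete answer.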

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
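Added example, not part of the thread above: the reply calls the DMZ ssh "proxy" a man-in-the-middle attack, and the mechanism that makes such a proxy visible is host key checking. An ssh client remembers each server's host key (OpenSSH keeps them in known_hosts) and complains when a server presents a different one; a proxy that decrypts and re-encrypts must present its own key. The simulation below uses constructed byte strings as stand-ins for key blobs (not real keys, and not OpenSSH's wire format), a made-up hostname and address, and the newer OpenSSH SHA256 fingerprint style; it also shows the caveat a practitioner needs, which is that on first contact the client has nothing to compare against.

```python
"""Added example (not from the mailing-list post): why an ssh proxy in the
DMZ is a man-in-the-middle, and when a client notices.  The host key
blobs below are constructed placeholders, not real keys."""
import base64
import hashlib
from typing import Dict, Tuple


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a host key blob: unpadded
    base64 of the SHA-256 digest, prefixed with 'SHA256:'."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str) -> Dict[Tuple[str, str], bytes]:
    """Parse the plain (unhashed) known_hosts format,
    'host[,host...] keytype base64key [comment]', into a map from
    (host, keytype) to the raw key blob."""
    known: Dict[Tuple[str, str], bytes] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip it
        hosts, keytype, b64key = fields[0], fields[1], fields[2]
        blob = base64.b64decode(b64key)
        for host in hosts.split(","):
            known[(host, keytype)] = blob
    return known


def verify_host_key(known: Dict[Tuple[str, str], bytes], host: str,
                    keytype: str, presented: bytes) -> str:
    """'ok' if the presented key matches the remembered one, 'unknown' if
    the host was never seen (the trust-on-first-use gap), 'mismatch' if a
    different key was remembered (possible man-in-the-middle)."""
    stored = known.get((host, keytype))
    if stored is None:
        return "unknown"
    return "ok" if stored == presented else "mismatch"


# Constructed scenario: the real server's key and the DMZ proxy's own key.
REAL_SERVER_KEY = b"constructed-real-server-host-key-blob"
PROXY_KEY = b"constructed-dmz-proxy-host-key-blob"
SERVER = "shell.example.com"

# known_hosts as it would look on a workstation that connected to the real
# server before the proxy was put in place (constructed).
KNOWN_HOSTS_TEXT = (
    "# constructed known_hosts\n"
    f"{SERVER},192.0.2.10 ssh-rsa {base64.b64encode(REAL_SERVER_KEY).decode()}\n"
)


def simulate_dmz_proxy() -> Dict[str, str]:
    """Outcomes when the proxy answers in place of the real server, for a
    workstation with a remembered key and for one connecting fresh."""
    known = parse_known_hosts(KNOWN_HOSTS_TEXT)
    return {
        "direct_known": verify_host_key(known, SERVER, "ssh-rsa", REAL_SERVER_KEY),
        "proxied_known": verify_host_key(known, SERVER, "ssh-rsa", PROXY_KEY),
        "proxied_fresh": verify_host_key({}, SERVER, "ssh-rsa", PROXY_KEY),
        "real_fingerprint": fingerprint(REAL_SERVER_KEY),
        "proxy_fingerprint": fingerprint(PROXY_KEY),
    }


if __name__ == "__main__":
    for name, outcome in simulate_dmz_proxy().items():
        print(f"{name}: {outcome}")
```

The "proxied_fresh" case is the one that matters for the poster's plan: a user who has never connected to that server before sees only an unfamiliar fingerprint, and unless they compare it out of band with one the server's administrator published, the proxy goes unnoticed. Users who already have the real key remembered get a mismatch warning on every connection, which is both a tell and an incentive to route around the proxy.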