Firewall Wizards mailing list archives
RE: ssh holes? Trojans?
From: sean.kelly () lanston com
Date: Thu, 21 Sep 2000 12:30:36 -0400
> From: Gregory Hicks [mailto:ghicks () cadence com]
> We have a requirement to monitor, for legal reasons, everything that goes off the company network. Recently, we closed access to port 22 (ssh). The reasoning was that we could monitor things like ftp, telnet, mail, et al. because when these data streams crossed the firewall, they were '...in the clear (unencrypted).' And yes, I know that ssh can be tunneled on any other port...
This raises an interesting question -- at what point is accountability more important than security? Is deliberately constructing an insecure system justifiable in the interest of more accurate auditing?
> With ssh, the data stream is encrypted at the user's workstation and tunnels 'through' the firewall so we never get a chance to monitor it.
And neither does a hacker, which is kind of the point.
> In addition, there have been 'strange' networks (like the internet) showing up on our network monitoring facilities. (None now, but there may be again.) Unfortunately, we have not been able to 'catch' anyone 'in the act', as it were...
Do you have dialup access or a VPN set up for your network? This is the most likely culprit. I heard a story recently that seems applicable (though I can't for the life of me remember if it was on this list or from a coworker) -- a husband and wife both worked for different companies and both dialed in to their corporate networks from home. Their home machines were networked together. One time, the husband noticed that while he was dialed in, servers from his wife's office were appearing on the network of his own office. Their home LAN was acting as a conduit between the two corporate networks.
> Users have been infected with viruses that no one else in the company 'catches'.
This isn't surprising. If they're downloading stuff from the internet, bringing disks from home, or running those clever attachments they are emailed by friends then there is a decent chance that they could become infected with a virus. We recently had one of the lovebug strains bounce around our office even though every PC has an antivirus program installed, so even attempts at protection are far from perfect.
> Anyway, we now believe that these 'occurrences' were caused when users connected their home machines with their office workstations and 'stuff' on the home net crossed over to the corporate interface.
And you don't have dial-up access so you're certain that this connection is outbound rather than inbound? And, of course, that the users are not clever enough to just tunnel ssh over a different port...
> Now then, what we would like to do is to set up an ssh 'proxy' inside the DMZ so that whatever is passed to the sshd on the proxy host crosses our monitoring hosts 'in the clear'.
As someone else said, one of the points of ssh is to defeat such attempts. What you are trying to do is mount a "man in the middle" attack against the ssh session. If such a thing were simple, ssh wouldn't be a very useful protocol, would it? If you are really interested in tracking users to this degree, why not install monitoring software on the PCs on your network? There's no reason to try to do all your auditing from the firewall.
> After hearing from another source (an employee discussed our 'new' policy with their SO at home), we 'heard' that there are ssh 'trojans'... Any truth to the rumor?
I did a quick web search and ran across a few references. Obviously, it's possible to release a trojaned version of any program, though this is much easier for open-source apps. I'd say that if the PCs on your network are Windows-based rather than some version of UN*X then the chances that someone is using a trojaned version of ssh are quite small. Also, for someone to be able to use a trojaned program it would have to be installed on the PC -- most corporate users are generally unable to install applications. While ssh trojans appear to exist, it's not something I would put at the top of my list of concerns.

Sean

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
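Added example (editor's illustration, not part of Sean's message or the original thread) of why the DMZ ssh 'proxy' discussed above amounts to a man-in-the-middle that the ssh client is designed to catch: the client pins each server's host key in known_hosts, and a proxy that terminates the session in order to see plaintext has to present its own key, which no longer matches the pinned one. The code below is a simplified model of OpenSSH's known_hosts check (plain and comma-separated host names plus the |1|salt|hmac hashed form written by HashKnownHosts; no wildcards, port syntax or @cert-authority/@revoked handling). All keys, host names and the known_hosts content are constructed, not real.

```python
import base64
import hashlib
import hmac

# --- constructed sample data (made-up key blobs, not real ssh keys) --------
GATEWAY_KEY = base64.b64encode(b"constructed-ed25519-blob-for-gateway").decode()
BUILD_KEY = base64.b64encode(b"constructed-ed25519-blob-for-build-host").decode()
PROXY_KEY = base64.b64encode(b"constructed-ed25519-blob-for-dmz-proxy").decode()


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw key)) without padding.
    This is the value a user would compare out of band before trusting a new key."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Hashed known_hosts host field as written with HashKnownHosts: |1|salt|hmac-sha1."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field: plain, comma-separated, or |1| hashed."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return host in pattern.split(",")


def verify_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """Return 'ok', 'mismatch' or 'unknown' for the key a server just presented."""
    seen_host = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("@"):
            continue  # @cert-authority / @revoked markers are not modelled here
        pattern, ktype, stored = fields[0], fields[1], fields[2]
        if ktype != keytype or not host_matches(pattern, host):
            continue
        seen_host = True
        if hmac.compare_digest(stored.encode(), key_b64.encode()):
            return "ok"
    # A known host presenting a different key is what OpenSSH reports as
    # "REMOTE HOST IDENTIFICATION HAS CHANGED"; an unknown host gets the
    # first-contact fingerprint prompt instead.
    return "mismatch" if seen_host else "unknown"


# Constructed ~/.ssh/known_hosts: one plain entry (two names for the same host)
# and one hashed entry for a second host.
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "gateway.example.com,10.0.0.5 ssh-ed25519 " + GATEWAY_KEY,
    hashed_hostname("build.example.com", b"\x01" * 20) + " ssh-ed25519 " + BUILD_KEY,
])


def demo() -> dict:
    """Direct connection, connection through a decrypting DMZ proxy, hashed entry, new host."""
    return {
        "direct": verify_host_key(KNOWN_HOSTS, "gateway.example.com", "ssh-ed25519", GATEWAY_KEY),
        # The proxy must terminate ssh with its own key to see plaintext, so the
        # pinned gateway key no longer matches and a strict client refuses.
        "via_proxy": verify_host_key(KNOWN_HOSTS, "gateway.example.com", "ssh-ed25519", PROXY_KEY),
        "hashed_entry": verify_host_key(KNOWN_HOSTS, "build.example.com", "ssh-ed25519", BUILD_KEY),
        "first_contact": verify_host_key(KNOWN_HOSTS, "new.example.com", "ssh-ed25519", PROXY_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    print("gateway", fingerprint(GATEWAY_KEY))
    print("proxy  ", fingerprint(PROXY_KEY))
```

The only way the proxy passes this check is if the client already trusts the proxy's key for the gateway's name, which means either pre-seeding every workstation's known_hosts with the proxy's key (an administrative decision users can see and that a hashed or out-of-band fingerprint check will expose) or users clicking through the changed-key warning, which is exactly what the warning exists to stop.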