Firewall Wizards mailing list archives
Re: Best-of-breed Proxies (was Re: Proxy Firewalls ...)
From: Brian Hatch <firewall-wizards () ifokr org>
Date: Thu, 30 Jan 2003 11:38:43 -0800
This means you'd not be able to use ssh identity authentication to the internal machine (since the key would be on the user's client, not on the middle man.) It would also seem to defeat things like scp/sftp because the machine in the middle won't pass the commandline args along.Yup. Plus it defeats port forwarding, X display forwarding, and eveything else; it pretty well reduces the delivered service to plain shell. I construe this as a feature, but then I'm an aspiring BOFH.
I failed to point out where I was considering your solution from an administrator position (hell yes, keep them from doing anything but shell) and a user perspective (hey - why can't I leave X11 open to my ISP shell account with poor file perms so everyone can attack my screen? I want to run xclock there!)
As a user, I'd easily be able to work around those features by tunneling another ssh over the sanitized ssh connection.It's impossible to make that impossible. It's impractical to make it impractical.
As I noted later on.
It is however easy to make it hard enough that doing so is very obviously the work of someone deliberately thwarting policy; and so if you add some monitoring sufficient to help improve the odds you can pick up the different traffic pattern that results (simple load monitoring on the proxy server would suffice here, normal shell sessions don't cause significant load, an IP tunnel would) you're nicely positioned to fire the perpetrator for cause and begin prosecution. Oh, if you don't have a security policy that clearly prohibits defeating security measures, endorsed by senior management, with copies signed by each employee in their HR folder, then there's no point in worrying about implementing tight controls, or detection; you're purely dependant on the goodwill of your employees anyway.
I hope you don't think that I'm in any way disagreeing with you or your setup. As an admin, I lock down things and punish those who circumvent. As a user, I let management know where I'm going to bend the rules and why and get their agreement to do so before doing anything that could get me canned. You can never stop everything. You can make the barrier high enough that no one can claim they accidentally stumbled upon a way around the rules. -- Brian Hatch Kibblesworth: The footling amount of Systems and money by which the price of a given Security Engineer article in a shop is less than a www.hackinglinuxexposed.com sensible number, in hope that at least one idiot will think it cheap. Every message PGP signed
Attachment:
_bin
Description:
Current thread:
- FWTK vs T.REX Javier Perez (Jan 26)
- Re: FWTK vs T.REX ark (Jan 27)
- Re: FWTK vs T.REX Illes Marton (Jan 29)
- Proxy Firewalls (was FWTK vs T.REX) Javier Perez (Jan 29)
- Re: Proxy Firewalls (was FWTK vs T.REX) Matthew Kirkwood (Jan 30)
- Re: Proxy Firewalls (was FWTK vs T.REX) ark (Jan 30)
- Message not available
- Re: Proxy Firewalls (was FWTK vs T.REX) Marcus J. Ranum (Jan 30)
- Best-of-breed Proxies (was Re: Proxy Firewalls ...) Bennett Todd (Jan 30)
- Re: Best-of-breed Proxies (was Re: Proxy Firewalls ...) Brian Hatch (Jan 30)
- Re: Best-of-breed Proxies (was Re: Proxy Firewalls ...) Bennett Todd (Jan 30)
- Re: Best-of-breed Proxies (was Re: Proxy Firewalls ...) Brian Hatch (Jan 30)
- Re: Best-of-breed Proxies (was Re: Proxy Firewalls ...) Balazs Scheidler (Jan 31)
- Re: Best-of-breed Proxies (was Re: Proxy Firewalls ...) ark (Jan 31)
- Proxy Firewalls (was FWTK vs T.REX) Javier Perez (Jan 29)
- Re: Proxy Firewalls (was FWTK vs T.REX) ark (Jan 30)
- Re: Proxy Firewalls (was FWTK vs T.REX) Luca Berra (Jan 31)
- Re: Proxy Firewalls (was FWTK vs T.REX) ark (Jan 31)
- Message not available
- Re: Proxy Firewalls (was FWTK vs T.REX) ark (Jan 31)