Firewall Wizards mailing list archives

Re: SSH question


From: Adam Shostack <adam () homeport org>
Date: Tue, 7 Apr 1998 09:06:27 -0400 (EDT)

Well, with a small amount of competency and ssh, you've lost the
ability to control any outbound data at the firewall.  It can all be
tunnelled over ssh.  And SSH can be tunneled via most companies' SSL
'proxies.'

Mind you, I don't see this as a problem, because thinking your
firewall controlled outbound data flow was always silly.  It's just
becoming sillier and sillier.

Note that if you allow inbound ssh, to a workstation, they can use
that to proxy just about anything, but if you allow inbound access to
any machine where someone who you don't trust has root, they can be a
proxy.

Adam




Roy Stevens wrote:
| I have started research into running ssh across the INTERNET.
| My preliminary research has shown much promise.
| 
| I would appreciate any feedback on this.
| 
| I am particularly interested in firewall issues, i.e. proxy or IP 
| forwarding problems.
| 
| Thanks for any correspondence.
| 
| TOBOR
| 


-- 
Just be thankful that Microsoft does not manufacture pharmaceuticals.


