Firewall Wizards mailing list archives

RE: blocking/monitoring ssh


From: "Harris, Tim" <tharris () ocair com>
Date: Tue, 26 Sep 2000 07:55:04 -0700

By definition, if your policy has any restrictions at all then someone will
disagree with it.  If no one had a problem then why are you setting a
restrictive policy?

This is just like the 65dB noise limit around airports.  Statistically about
14 percent of the population will be dissatisfied but that is a number that
you can live with.

So, how many of your users do you want unhappy and are they going to be
unhappy enough to try to circumvent you?

With ssh, the data stream is encrypted at the user's workstation and
tunnels 'through' the firewall so we never get a chance to
monitor it.
And neither does a hacker, which is kind of the point.

Recently, one of our users decided our VPN was cumbersome and decided
to do the ssh/tunnel trick between a machine behind our firewall and
his home linux system.

An unfortunate consequence of any security policy is that if a user finds it
too restrictive they will try to find some way to circumvent it.  Often, it
seems like a preferable solution to offer internal users more than you would
like just to ensure that they won't find their own solution to do the same
thing.  At least if you provide the service you can include some means of
monitoring or filtering it.


Sean

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
