Firewall Wizards mailing list archives
Re: Communication Device Protocols from External router direct through Firewall
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 07 Nov 2006 11:10:53 -0600
On Wed, 2006-11-01 at 01:11 -0500, Horvath, Kevin M. wrote:
[...], so now onto SSH. SSH shouldn't be allowed as this should only be done via your LAN (specifically an ADMIN VLAN or better yet an OOB connection) or over an IPSec tunnel. Yes it's encrypted once the tunnel from the client to the server has been built, but why should you allow anyone to attempt to make this connection externally? It's a recipe for disaster. So even if you filter by source IP, then there is the potential to be spoofed, and then if you are running an older version of SSH that is vulnerable to a remote exploit you are sunk.
While I agree with most of your post, I don't think the last statement is valid. I could counter that you should never let IPsec in from the outside, especially since the disclosure of more IPSec flaws not too long ago. Why would you want to expose your network like that? SSH is a VPN protocol like others. It had flaws in the past, but so does IPSec. So do other VPN protocols. There is no absolute security, which I'm sure you know. SSH can be very safe on the Internet. Many words have been written on secure SSH configurations, so I don't see a problem using SSH as a VPN protocol. Personally, I'm more afraid of IPSec, especially since everyone assumes it's safe when in reality it is not.

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
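A defender's check for the "secure SSH configurations" point above, added here as an example and not code from either poster: it audits an sshd_config for the settings that matter once sshd is reachable from the Internet, flagging both weak values and directives left unstated. The check list, the 203.0.113.10 address and both sample configs are constructed.

```python
"""Audit an sshd_config for settings that matter once SSH is exposed to the
Internet. Added example for this thread; checks and sample configs are constructed."""
import re
# directive -> (acceptable values, why it matters). An empty acceptable set means
# "must merely be present" (AllowUsers has no safe default).
CHECKS = {
    "protocol": ({"2"}, "protocol 1 has known weaknesses; allow only 2"),
    "permitrootlogin": ({"no"}, "root must not be directly reachable"),
    "passwordauthentication": ({"no"}, "require keys; passwords invite brute force"),
    "x11forwarding": ({"no"}, "unneeded forwarding widens the attack surface"),
    "allowusers": (set(), "restrict logins to named admin accounts"),
}

def parse_sshd_config(text):
    """Lowercased directive -> value, keeping the FIRST occurrence (sshd's
    first-match rule). Comments/blank lines dropped; Match blocks not modelled."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line) if line else None
        if m:
            conf.setdefault(m.group(1).lower(), m.group(2).strip())
    return conf

def audit(text):
    """Sorted (directive, reason) findings. A missing directive is a finding too:
    sshd defaults vary by version, so an exposed host should state these explicitly."""
    conf = parse_sshd_config(text)
    findings = []
    for key, (ok_values, reason) in CHECKS.items():
        value = conf.get(key)
        if value is None or (ok_values and value.lower() not in ok_values):
            findings.append((key, reason))
    return sorted(findings)

WEAK_CONFIG = """\
# constructed sample: Internet-facing sshd left near defaults
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
# constructed sample: same host after hardening
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
AllowUsers netadmin@203.0.113.10   # one admin account, from one address
"""
```

Running `audit()` over the two samples reports five findings for the weak host and none for the hardened one; the AllowUsers check is what ties key-only access to a single administrative source, the source-IP restriction the thread discusses.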
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards