Firewall Wizards mailing list archives
Re: Communication Device Protocols from External router direct through Firewall
From: "Horvath, Kevin M." <KEVIN.M.HORVATH () saic com>
Date: Wed, 8 Nov 2006 10:45:02 -0500
Understood, but let me clarify the IPSec tunnels. There are two options I am referring to; one to the network (I should say) and one possibly to an isolated dmz (being no other services) for syslogs, for example. The first option would be to a vpn concentrator or some other vpn device hanging off of your firewall. Regardless, the point is, all services should not enter your network, but if for some reason (such as ssh or ipsec) they do, then they must go to a dmz.

Cheers,
Kevin

-----Original Message-----
From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Frank Knobbe
Sent: Tuesday, November 07, 2006 12:11 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Communication Device Protocols from External router direct through Firewall

On Wed, 2006-11-01 at 01:11 -0500, Horvath, Kevin M. wrote:
[...], so now onto SSH. SSH shouldn't be allowed, as this should only be done via your LAN (specifically an ADMIN VLAN or, better yet, an OOB connection) or over an IPSec tunnel. Yes, it's encrypted once the tunnel from the client to the server has been built, but why should you allow anyone to attempt to make this connection externally? It's a recipe for disaster. So even if you filter by source IP, there is the potential to be spoofed, and then if you are running an older version of SSH that is vulnerable to a remote exploit, you are sunk.
While I agree with most of your post, I don't think the last statement is valid. I could counter that you should never let IPsec in from the outside, especially since the disclosure of more IPSec flaws not too long ago. Why would you want to expose your network like that? SSH is a VPN protocol like others. It had flaws in the past, but so does IPSec. So do other VPN protocols. There is no absolute security, which I'm sure you know. SSH can be very safe on the Internet. Many words have been written on secure SSH configurations, so I don't see a problem using SSH as a VPN protocol. Personally, I'm more afraid of IPSec, especially since everyone assumes it's safe when in reality it is not.

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
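As an added example, not code from the thread or from either poster: a small Python audit of a zone-based firewall rulebase against the policy Kevin states (nothing from outside terminates on the internal network; SSH and IPsec, where admitted at all, land in a DMZ). The zone names, rule format and service list are assumptions, and the rulebase is constructed for the demonstration.

```python
"""Check a zone-based firewall rulebase against the policy stated in the thread:
nothing from outside terminates on the internal network, and the few services
admitted at all (SSH, IPsec) must land in a DMZ.  Constructed example."""
from dataclasses import dataclass

# Standard ports for the services the thread names (assumed, not from the post).
SERVICES = {"ssh": "tcp/22", "ike": "udp/500", "nat-t": "udp/4500",
            "esp": "ip proto 50", "syslog": "udp/514"}
ADMITTED_INBOUND = {"ssh", "ike", "nat-t", "esp"}   # may enter, but only into the DMZ

@dataclass(frozen=True)
class Rule:
    src: str       # zone: external, dmz or internal
    dst: str
    service: str   # key of SERVICES, or "any"
    action: str    # "allow" or "deny"

def evaluate(rules, src, dst, service):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if (r.src, r.dst) == (src, dst) and r.service in (service, "any"):
            return r.action
    return "deny"

def audit(rules):
    """Return (src, dst, service, reason) for each effective allow that breaks the
    policy.  Testing effective behaviour rather than reading rules one by one means
    an offending rule shadowed by an earlier deny is correctly not reported."""
    findings = []
    for svc in SERVICES:
        if evaluate(rules, "external", "internal", svc) == "allow":
            findings.append(("external", "internal", svc, "terminates on internal network"))
        if svc not in ADMITTED_INBOUND and evaluate(rules, "external", "dmz", svc) == "allow":
            findings.append(("external", "dmz", svc, "service not admitted from outside"))
    return findings

def example_rulebase():
    """Constructed rulebase containing the mistake the thread warns against."""
    return [Rule("external", "dmz", "ssh", "allow"),
            Rule("external", "dmz", "ike", "allow"),
            Rule("external", "dmz", "nat-t", "allow"),
            Rule("external", "dmz", "esp", "allow"),
            Rule("external", "internal", "ssh", "allow")]   # SSH straight into the LAN

def corrected_rulebase():
    """Same rulebase with an explicit deny placed ahead of the offending rule."""
    return [Rule("external", "internal", "any", "deny")] + example_rulebase()

if __name__ == "__main__":
    print(audit(example_rulebase()), audit(corrected_rulebase()))
```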