nanog mailing list archives
RE: "top secret" security does require blocking SSH
From: "Derrick" <Derrick () anei com>
Date: Sun, 9 Jul 2000 15:59:51 -0400
Blocking SSH is a weak solution. Many places I know allow telnet through their firewalls and block ssh. Since I never allow telnet on any of my servers, I run SSH on both ports 22 and 23 so that these people can still reach our servers. Unless you are running an application firewall that explicitly checks the telnet protocol, you are not safe.

The same ideas have been around for years on port 80. MS DCOM Tunneling is one of the worst, allowing full application client to server communication in packets wrapped by http headers so that they can traverse your proxy or firewalls on port 80. I am still waiting for the trojan that makes use of these features and the intrinsic MS DCOM security model.

Derrick
-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of Alex Bligh
Sent: Sunday, July 09, 2000 3:43 PM
To: Greg A. Woods
Cc: rmeyer () mhsc com; nanog () merit edu
Subject: Re: "top secret" security does require blocking SSH

woods () weird com said:
> Unfortunately we're rapidly approaching (if we're not already there) a
> state of affairs where it is impossible to technically prevent inbound
> and outbound covert channels

No. We are just rapidly approaching the point where people realize it has always been the case that this is impossible.

--
Alex Bligh
VP Core Network, Concentric Network Corporation
(formerly GX Networks, Xara Networks)
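
Added example, not part of the message above or of any poster's code: a minimal sketch of the protocol check the message says a port filter lacks, classifying a flow by its first payload bytes and flagging ports whose traffic is not the protocol the policy expects. The port policy, function names and sample payloads are assumptions constructed for illustration.

```python
import re

# SSH identification string "SSH-protoversion-softwareversion" (RFC 4253, section 4.2)
SSH_ID = re.compile(rb"^SSH-\d+\.\d+-[\x21-\x7e]+")
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/\d\.\d\r\n")
IAC = 0xFF                              # telnet "Interpret As Command" (RFC 854)
TELNET_NEG = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT

# Assumed policy: which protocol each allowed port is supposed to carry.
EXPECTED = {22: "ssh", 23: "telnet", 80: "http"}

def classify(payload: bytes) -> str:
    """Identify the protocol from the first bytes of a flow, ignoring the port."""
    if HTTP_REQ.match(payload):
        return "http"
    if len(payload) >= 3 and payload[0] == IAC and payload[1] in TELNET_NEG:
        return "telnet"
    # An SSH server may send free-text lines before its identification
    # string, so inspect the first few lines rather than only byte 0.
    for line in payload.split(b"\n")[:8]:
        if SSH_ID.match(line):
            return "ssh"
    return "unknown"   # e.g. a telnet server that sends a banner without negotiating

def mismatches(flows):
    """flows: iterable of (dst_port, first_payload). Returns (port, expected, seen)."""
    found = []
    for port, payload in flows:
        want, seen = EXPECTED.get(port), classify(payload)
        if want is not None and seen != want:
            found.append((port, want, seen))
    return found

# Constructed sample flows (server-to-client or client-to-server first payloads).
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-ExampleSSH_1.0\r\n"),
    (23, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"),        # real telnet negotiation
    (23, b"SSH-2.0-ExampleSSH_1.0\r\n"),                  # SSH listening on 23
    (23, b"Authorized use only\r\nSSH-1.99-Example\r\n"), # SSH with pre-banner text
    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for port, want, seen in mismatches(SAMPLE_FLOWS):
        print(f"port {port}: expected {want}, saw {seen}")
```

This only separates protocols that identify themselves in cleartext; traffic wrapped in valid HTTP headers, as in the DCOM tunneling case, classifies as "http" and needs inspection beyond the first bytes.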