nanog mailing list archives

RE: "top secret" security does require blocking SSH


From: "Derrick" <Derrick () anei com>
Date: Sun, 9 Jul 2000 15:59:51 -0400


Blocking SSH is a weak solution. Many places I know allow telnet through
their firewalls and block ssh. Since I never allow telnet on any of my
servers I run SSH on both ports 22 and 23 so that these people can still
reach our servers. Unless you are running an application firewall that
explicitly checks the telnet protocol, you are not safe. The same ideas
have been around for years on port 80. MS DCOM Tunneling is one of the worst,
allowing full application client to server communication in packets wrapped
in http headers so that they can traverse your proxy or firewalls on port
80. I am still waiting for the trojan that makes use of these features and
the intrinsic MS DCOM security model.

Derrick

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of
Alex Bligh
Sent: Sunday, July 09, 2000 3:43 PM
To: Greg A. Woods
Cc: rmeyer () mhsc com; nanog () merit edu
Subject: Re: "top secret" security does require blocking SSH
woods () weird com said:
Unfortunately we're rapidly approaching (if we're not already there) a
state of affairs where it is impossible to technically prevent inbound
and outbound covert channels

No. We are just rapidly approaching the point where people realize
it has always been the case that this is impossible.

--
Alex Bligh
VP Core Network, Concentric Network Corporation
(formerly GX Networks, Xara Networks)
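The point Derrick makes about sshd on port 23 is that a port number is not a protocol. The following is an added example, not code from the original post or from either poster: it classifies the first bytes a client sends on a TCP connection and compares a port-only rule against one that looks at the application layer. The flows, the byte strings and the function names are all constructed for illustration; the two protocol fingerprints it relies on are the RFC 4253 identification string ("SSH-" ... CR LF) and RFC 854 telnet option negotiation (IAC, 0xFF, followed by WILL/WONT/DO/DONT or SB).

```python
"""
Port number vs. protocol identity: classify the first bytes a client sends on
a TCP connection, regardless of destination port.

Added example (not from the original NANOG post). It shows why a firewall rule
that "blocks SSH" by closing port 22 while leaving port 23 open is defeated by
an sshd that also listens on 23: only the application-layer bytes reveal what
is actually being spoken.

  * SSH (RFC 4253, 4.2): the client's first line is an identification string
    beginning with "SSH-" and terminated by CR LF.
  * Telnet (RFC 854): option negotiation travels as IAC (0xFF) commands, e.g.
    IAC WILL/WONT/DO/DONT <option>, or IAC SB ... IAC SE.
"""
from dataclasses import dataclass

IAC = 0xFF
SB = 0xFA                                      # begin subnegotiation
TELNET_OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT


@dataclass(frozen=True)
class Flow:
    """Hypothetical record of one connection: port plus the client's first payload."""
    dst_port: int
    client_first_bytes: bytes


def classify_payload(data: bytes) -> str:
    """Return 'ssh', 'telnet' or 'unknown' from the client's first payload bytes."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 3 and data[0] == IAC and (data[1] in TELNET_OPTION_CMDS or data[1] == SB):
        return "telnet"
    return "unknown"


def port_only_verdict(flow: Flow) -> str:
    """The weak rule from the thread: telnet (23) is open, everything else is closed."""
    return "allow" if flow.dst_port == 23 else "deny"


def protocol_aware_verdict(flow: Flow) -> str:
    """Allow only when port 23 is actually carrying telnet.

    SSH on any port, and anything that cannot be identified, is refused
    (fail closed), which is what an application-aware firewall would do.
    """
    observed = classify_payload(flow.client_first_bytes)
    if flow.dst_port == 23 and observed == "telnet":
        return "allow"
    return "deny"


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = {
    "ssh_on_22": Flow(22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "ssh_on_23": Flow(23, b"SSH-2.0-OpenSSH_9.6\r\n"),     # sshd also bound to 23
    # IAC WILL TERMINAL-TYPE (24), IAC DO ECHO (1)
    "telnet_on_23": Flow(23, bytes([IAC, 0xFB, 0x18, IAC, 0xFD, 0x01])),
    "http_on_23": Flow(23, b"GET / HTTP/1.0\r\n"),
}


def evaluate(flows: dict) -> dict:
    """Map each flow name to (port-only verdict, protocol-aware verdict)."""
    return {name: (port_only_verdict(f), protocol_aware_verdict(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (weak, strong) in evaluate(SAMPLE_FLOWS).items():
        print(f"{name:14s} port-only={weak:5s} protocol-aware={strong}")
```

The port-only rule lets "ssh_on_23" and "http_on_23" straight through; the protocol-aware one refuses both. Two caveats apply in practice: a telnet client may send nothing until the server speaks, so a real inspector also watches the server's first bytes, and first-packet fingerprinting says nothing about a protocol that has been wrapped inside another one, which is exactly the HTTP-tunnelling problem the post goes on to raise.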
