nanog mailing list archives

RE: "top secret" security does require blocking SSH


From: woods () weird com (Greg A. Woods)
Date: Sun, 9 Jul 2000 20:29:13 -0400 (EDT)


[ On Sunday, July 9, 2000 at 15:59:51 (-0400), Derrick wrote: ]
Subject: RE: "top secret" security does require blocking SSH 


> Blocking SSH is a weak solution. Many places I know allow telnet through
> their firewalls and block ssh.

Now that's truly insane.  I can't even begin to imagine how a security
policy could be worded such that this would be the outcome in
implementation!

> Since I never allow telnet on any of my
> servers I run SSH on both ports 22 and 23 so that these people can still
> reach our servers.  Unless you are running an application firewall that
> explicitly checks the telnet protocol then you are not safe.

Hmmm.... as much as I do like to force protocols to run on their
registered ports, running sshd on port 23 in some situations might
indeed be better than nothing....

> The same ideas
> have been around for years on port 80. MS DCOM Tunneling is one of the worst,
> allowing full application client to server communication in packets wrapped
> by HTTP headers so that they can traverse your proxy or firewalls on port
> 80. I am still waiting for the trojan that makes use of these features and
> the intrinsic MS DCOM security model.

As I mentioned to a friend just yesterday, I have seen IP-over-email
demonstrated and I've even heard tell of someone doing it with UUCP as
the mail transport....   ;-)

Now that the Church Of Instantaneous Propagation has almost won its
final battle I'd even bet IP-over-email is faster than bare telnet over
some dialups!  ;-)

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
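Editor's worked example, added to this archived message and not written by either Greg or Derrick. It shows both halves of the point above: the server side (OpenSSH accepts repeated `Port` directives, so one sshd can listen on 22 and 23) and the check an application-layer firewall would perform that a port-number filter cannot. A telnet daemon opens the connection with IAC (0xff) option negotiation per RFC 854, while an SSH server opens with an `SSH-` identification string per RFC 4253, so the first bytes the server sends reveal which protocol is really on tcp/23. The sshd_config fragment and the banners are constructed for the example; `probe()` is an assumed helper name, not part of any tool mentioned in the thread.

```python
"""
Added example (not from the NANOG thread): tell sshd-on-port-23 apart from
a real telnet server by the first bytes the server sends, which is what a
protocol-aware ("application") firewall checks and a plain port filter does not.

Assumptions, labelled here because the original message states none of them:
  - telnet servers open with IAC (0xff) option negotiation (RFC 854);
  - SSH servers open with an "SSH-<protoversion>-" ident string (RFC 4253 4.2);
  - the sshd_config fragment below is constructed for the example.
"""
import socket

IAC = 0xFF  # telnet "Interpret As Command" byte (RFC 854)

# Constructed sshd_config fragment: OpenSSH accepts repeated Port directives,
# so this single sshd listens on both 22 and 23 as Derrick describes.
SSHD_CONFIG = """\
Port 22
Port 23
PasswordAuthentication no   # key-only; still no telnet on the box
"""


def sshd_ports(config: str) -> list[int]:
    """Return the TCP ports an sshd_config text tells sshd to listen on."""
    ports = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        key, *rest = line.split()
        if key.lower() == "port" and rest:        # sshd keywords are case-insensitive
            ports.append(int(rest[0]))
    return ports


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a server sent as 'ssh', 'telnet' or 'unknown'."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if data and data[0] == IAC:
        return "telnet"
    # A silent listener, or a telnetd that prints a login prompt before any
    # IAC negotiation, is reported as unknown rather than guessed either way.
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read whatever the server says first, and classify it.

    Assumed helper for live use; the offline test below exercises
    classify_banner() directly on constructed banners instead.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(255)
        except socket.timeout:
            data = b""
    return classify_banner(data)


# Constructed banners standing in for what a probe would see on tcp/23.
SAMPLES = {
    "sshd on 23":      b"SSH-2.0-OpenSSH_9.6\r\n",
    "real telnetd":    bytes([IAC, 0xFD, 0x18, IAC, 0xFD, 0x20, IAC, 0xFD, 0x23]),
    "silent listener": b"",
}


def classify_samples() -> dict[str, str]:
    """Run the classifier over the constructed banners."""
    return {name: classify_banner(banner) for name, banner in SAMPLES.items()}


if __name__ == "__main__":
    print("sshd listens on:", sshd_ports(SSHD_CONFIG))
    for name, verdict in classify_samples().items():
        print(f"{name:16s} -> {verdict}")
```

The practical reading of the thread's caveat: a firewall that only matches on destination port 23 lets the `SSH-2.0-...` banner through unexamined, whereas one that expects the telnet IAC handshake on that port will see the ident string and can drop the session. Running sshd on 23 therefore helps against port-based filters only, which is exactly the "better than nothing" Greg concedes.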