North American Network Operators Group


RE: "top secret" security does require blocking SSH

  • From: Greg A. Woods
  • Date: Sun Jul 09 20:36:17 2000

[ On Sunday, July 9, 2000 at 15:59:51 (-0400), Derrick wrote: ]
> Subject: RE: "top secret" security does require blocking SSH 
>
> 
> Blocking SSH is a weak solution. Many places I know allow telnet through
> their firewalls and block ssh.

Now that's truly insane.  I can't even begin to imagine how a security
policy could be worded such that this would be the outcome in
implementation!

> Since I never allow telnet on any of my
> servers I run SSH on both ports 22 and 23 so that these people can still
> reach our servers.  Unless you are running an application firewall that
> explicitly checks the telnet protocol then you are not safe. 

Hmmm.... as much as I do like to force protocols to run on their
registered ports, running sshd on port 23 in some situations might
indeed be better than nothing....

> The same ideas
> have been around for years on port 80. MS DCOM Tunneling is one of the worst
> allowing full application client to server communication in packets wrapped
> by http headers so that they can traverse your proxy or firewalls on port
> 80. I am still waiting for the trojan that makes use of these features and
> the intrinsic MS Dcom security model.

As I mentioned to a friend just yesterday, I have seen IP-over-email
demonstrated and I've even heard tell of someone doing it with UUCP as
the mail transport....   ;-)

Now that the Church Of Instantaneous Propagation has almost won its
final battle I'd even bet IP-over-email is faster than bare telnet over
some dialups!  ;-)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <[email protected]>      <robohack!woods>
Planix, Inc. <[email protected]>; Secrets of the Weird <[email protected]>
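A concrete illustration of the point argued in the message above (sshd on port 23 passing a port-based filter, and only a protocol-aware check catching it), added here as an example that is not part of the original message or of any poster's code: a small Python classifier that identifies a listener by the bytes it sends on connect rather than by its port number. The sample banners are constructed for this example, not captured from any real host, and the "login:" prompt check is a heuristic assumption for telnet servers that skip option negotiation.

```python
import socket

# Constructed sample banners (not captured from any real host).
# An SSH identification string, sent by the server as soon as the TCP
# connection opens (RFC 4253, section 4.2).
SAMPLE_SSH = b"SSH-2.0-OpenSSH_2.1.1\r\n"
# A telnet server opening with option negotiation:
# IAC DO TERMINAL-TYPE, IAC WILL ECHO.
SAMPLE_TELNET = b"\xff\xfd\x18\xff\xfb\x01"
# A telnet server that skips negotiation and prints a login prompt
# (heuristic case, assumed for this example).
SAMPLE_TELNET_PROMPT = b"\r\nlogin: "
# An HTTP server, to show the "unknown" case.
SAMPLE_HTTP = b"HTTP/1.0 400 Bad Request\r\n"

IAC = 0xFF
TELNET_NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT


def classify_banner(data: bytes) -> str:
    """Identify the protocol from the first bytes a server sends.

    Returns "ssh", "telnet" or "unknown".  The destination port is ignored
    on purpose: that is exactly the property a port-only filter relies on
    and that sshd-on-23 defeats.
    """
    if not data:
        return "unknown"
    # An SSH server may send informational lines before its identification
    # string, but none of them may start with "SSH-"; the first line that
    # does is the identification string.
    for line in data.split(b"\n"):
        if line.startswith(b"SSH-"):
            return "ssh"
    # Telnet servers normally open with option negotiation:
    # IAC followed by WILL/WONT/DO/DONT.
    if len(data) >= 2 and data[0] == IAC and data[1] in TELNET_NEGOTIATION:
        return "telnet"
    # Weak heuristic for telnet daemons that go straight to a login prompt.
    if b"login:" in data.lower():
        return "telnet"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port, read the server's opening bytes, classify them.

    Nothing is sent, so the server only sees a connection that opens and
    closes; both sshd and telnetd speak first, which is what makes the
    passive banner check possible.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""
    return classify_banner(data)


def classify_samples() -> dict:
    """Run the classifier over the constructed samples (offline check)."""
    samples = {
        "ssh": SAMPLE_SSH,
        "telnet-negotiation": SAMPLE_TELNET,
        "telnet-prompt": SAMPLE_TELNET_PROMPT,
        "http": SAMPLE_HTTP,
    }
    return {name: classify_banner(banner) for name, banner in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} -> {verdict}")
```

On the server side the setup Derrick describes is just two `Port` directives in sshd_config (`Port 22` and `Port 23`); sshd accepts more than one. A filter that matches only on destination port cannot tell that listener from telnetd, whereas `probe(host, 23)` can, because sshd announces itself with an `SSH-` identification line the moment the TCP connection opens. That banner check is the minimum an application-layer telnet proxy would have to perform to enforce the policy the quoted sites think they have.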