North American Network Operators Group

RE: "top secret" security does require blocking SSH
[ On Sunday, July 9, 2000 at 15:59:51 (-0400), Derrick wrote: ]
> Subject: RE: "top secret" security does require blocking SSH
>
> Blocking SSH is a weak solution. Many places I know allow telnet through
> their firewalls and block ssh.

Now that's truly insane. I can't even begin to imagine how a security policy could be worded such that this would be the outcome in implementation!

> Since I never allow telnet on any of my
> servers I run SSH on both ports 22 and 23 so that these people can still
> reach our servers. Unless you are running an application firewall that
> explicitly checks the telnet protocol then you are not safe.

Hmmm.... as much as I do like to force protocols to run on their registered ports, running sshd on port 23 in some situations might indeed be better than nothing....

> The same ideas
> have been around for years on port 80. MS DCOM Tunneling is one of the worst
> allowing full application client to server communication in packets wrapped
> by http headers so that they can traverse your proxy or firewalls on port
> 80. I am still waiting for the trojan that makes use of these features and
> the intrinsic MS Dcom security model.

As I mentioned to a friend just yesterday, I have seen IP-over-email demonstrated and I've even heard tell of someone doing it with UUCP as the mail transport.... ;-)

Now that the Church Of Instantaneous Propagation has almost won its final battle I'd even bet IP-over-email is faster than bare telnet over some dialups! ;-)

--
Greg A. Woods

+1 416 218-0098 VE3TCP <[email protected]> <robohack!woods>
Planix, Inc. <[email protected]>; Secrets of the Weird <[email protected]>
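The point made in the thread, that a port number says nothing about the protocol actually spoken on it, can be checked from the first payload bytes of a flow. The following is an added example, not part of the original message; the port table, function names and sample flows are constructed for illustration.

```python
import re

# Service registered for each port; a port-only filter assumes this holds.
EXPECTED = {22: "ssh", 23: "telnet", 80: "http"}

# SSH identification string: "SSH-<protoversion>-<softwareversion>".
SSH_BANNER = re.compile(rb"^SSH-\d+\.\d+-\S")
# HTTP request line as sent by a client.
HTTP_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|TRACE) \S+ HTTP/\d\.\d\r?\n")
# Telnet option negotiation: IAC followed by WILL, WONT, DO or DONT.
IAC = 0xFF
TELNET_VERBS = {0xFB, 0xFC, 0xFD, 0xFE}


def classify(first_bytes: bytes) -> str:
    """Guess the application protocol from the first payload bytes of a flow."""
    if SSH_BANNER.match(first_bytes):
        return "ssh"
    if HTTP_REQUEST.match(first_bytes):
        return "http"
    if (len(first_bytes) >= 3 and first_bytes[0] == IAC
            and first_bytes[1] in TELNET_VERBS):
        return "telnet"
    # Not every server opens with a recognisable marker (a telnet daemon may
    # send a plain login banner), so "unknown" means "inspect further".
    return "unknown"


def audit(flows):
    """Return (port, expected, observed) for flows whose payload contradicts the port."""
    findings = []
    for port, payload in flows:
        expected = EXPECTED.get(port)
        observed = classify(payload)
        if expected is not None and observed != expected:
            findings.append((port, expected, observed))
    return findings


# Constructed sample flows: (destination port, first payload bytes).
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-ExampleSSH_1.0\r\n"),
    (23, b"\xff\xfd\x18\xff\xfd\x20"),      # IAC DO TERMINAL-TYPE, IAC DO TERMINAL-SPEED
    (23, b"SSH-1.99-ExampleSSH_1.0\r\n"),   # sshd listening on the telnet port
    (80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("port %d: expected %s, observed %s" % finding)
```
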