    TB> The company I just started working for does not allow telnet or
    TB> SSH access from within the corporate network through the firewall
    TB> to anywhere.  I usually read my email on my ISP's shell account
    TB> via SSH.

    TB> Our Network Admin guy says that there are too many security issues
    TB> with tunneling in SSH -- is this true, or is he just blowing smoke
    TB> in my face?

There are always risks -- it's just a question of what you're worried

SSH allows employees to bypass incoming firewall restrictions on TCP
traffic using SSH remote forwarding to tunnel back through an outgoing
connection.  One would think that would be acceptable, since employees
should be trusted -- but perhaps not depending on their policies.  And
there's always the chance someone's remote forwarding will be poorly done
or hacked into, and used as a back door into the company network.

If they have restricted outgoing TCP traffic in an attempt to control what
you can do, allowing outgoing SSH subverts this, since SSH local tunneling
then opens this back up again for many protocols.

Often, there are corporate edicts which translate into these kinds of
restrictions.  For instance, your IT staff may have been ordered to scan
all incoming email for viruses, monitor its content for policy adherence,
archive it for regulatory compliance (e.g. SEC), etc.  Thus they try to
ensure that all email must arrive via their systems, by preventing you
from accessing anything else.  Of course, if they allow web access then
webmail systems may circumvent that, but often you'll find they've
implemented HTTP proxy filters that deny access to big webmail sites like
Hotmail.  Which you then might get around if they left HTTP CONNECT
working, but of course you might get fired for deliberately circumventing
network policy.  And unless they're frisking you at the doors, you can
always bring in a virus on a floppy.  And so on in the neverending, boring
dance of mutual distrust...

  Richard Silverman

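As an added illustration from the server-administration side (not part of this thread), the following Python script audits an sshd_config for the directives that bound the forwarding Richard describes: AllowTcpForwarding (remote vs. local), GatewayPorts, PermitOpen and PermitTunnel, resolving Match blocks against the global section. The sample config and the group name are constructed for the example; the defaults are sshd's documented ones.

```python
import re

# Values sshd assumes when a directive is absent (see sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",   # yes | no | local | remote
    "gatewayports": "no",          # may -R listeners bind non-loopback addresses?
    "permitopen": "any",           # destinations that -L forwarding may reach
    "permittunnel": "no",          # tun(4) device forwarding (point-to-point VPN)
}

def parse_sshd_config(text):
    """Split an sshd_config into its global section and Match blocks.
    Keywords are case-insensitive; like sshd, the first value seen wins."""
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                        # start a new Match block
            current = {}
            blocks.append((value, current))
            continue
        target = current if current is not None else global_cfg
        target.setdefault(key, value.lower())
    return global_cfg, blocks

def audit(text):
    """Return (scope, finding) pairs for every scope that permits tunneling."""
    global_cfg, blocks = parse_sshd_config(text)
    scopes = [("global", global_cfg)] + [("Match " + c, s) for c, s in blocks]
    findings = []
    for scope, settings in scopes:
        eff = dict(DEFAULTS)          # effective value: default < global < Match
        eff.update(global_cfg)
        eff.update(settings)
        if eff["allowtcpforwarding"] in ("yes", "remote"):
            findings.append((scope, "remote forwarding (-R) allowed: a listener elsewhere can reach back through this server"))
            if eff["gatewayports"] != "no":
                findings.append((scope, "GatewayPorts lets -R listeners bind non-loopback addresses"))
        if eff["allowtcpforwarding"] in ("yes", "local") and eff["permitopen"] == "any":
            findings.append((scope, "local forwarding (-L) may reach any host:port; restrict with PermitOpen"))
        if eff["permittunnel"] != "no":
            findings.append((scope, "PermitTunnel enables tun-device (VPN-style) forwarding"))
    return findings

# Constructed sample: forwarding disabled globally, re-enabled for one group.
SAMPLE_CONFIG = """
AllowTcpForwarding no
PermitTunnel no
Match Group netadmins
    AllowTcpForwarding yes
    PermitOpen 10.0.0.5:25 10.0.0.6:443
"""

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"[{scope}] {finding}")
```

An empty config is reported as permitting both directions, since sshd's defaults allow TCP forwarding to any destination.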
Yeah, and this leads to all sorts of fun when you decide to change a network
card, and find out that you have to install drivers for the card before
you can actually see the fileserver :)  May the ghost of Baron Muenchausen
rest easy, while we all do the bootstrapping dance with serial cables,
misconfigured serial ports, and other miscellany :)
