Re: [fw-wiz] Best-of-breed Proxies (was Re: Proxy Firewalls ...)

From: Brian Hatch (firewall-wizards@ifokr.org)
Date: 01/30/03


From: Brian Hatch <firewall-wizards@ifokr.org>
To: Bennett Todd <bet@rahul.net>
Date: Thu Jan 30 15:48:37 2003



> > This means you'd not be able to use ssh identity authentication
> > to the internal machine (since the key would be on the user's
> > client, not on the middle man.) It would also seem to defeat
> > things like scp/sftp because the machine in the middle won't
> > pass the commandline args along.
>
> Yup. Plus it defeats port forwarding, X display forwarding, and
> eveything else; it pretty well reduces the delivered service to
> plain shell.
>
> I construe this as a feature, but then I'm an aspiring BOFH.

I failed to point out where I was considering your solution
from an administrator position (hell yes, keep them from
doing anything but shell) and a user perspective (hey - why
can't I leave X11 open to my ISP shell account with poor
file perms so everyone can attack my screen? I want to
run xclock there!)

> > As a user, I'd easily be able to work around those features by
> > tunneling another ssh over the sanitized ssh connection.
>
> It's impossible to make that impossible. It's impractical to make it
> impractical.

As I noted later on.

> It is however easy to make it hard enough that doing so
> is very obviously the work of someone deliberately thwarting policy;
> and so if you add some monitoring sufficient to help improve the
> odds you can pick up the different traffic pattern that results
> (simple load monitoring on the proxy server would suffice here,
> normal shell sessions don't cause significant load, an IP tunnel
> would) you're nicely positioned to fire the perpetrator for cause
> and begin prosecution. Oh, if you don't have a security policy that
> clearly prohibits defeating security measures, endorsed by senior
> management, with copies signed by each employee in their HR folder,
> then there's no point in worrying about implementing tight controls,
> or detection; you're purely dependant on the goodwill of your
> employees anyway.

I hope you don't think that I'm in any way disagreeing with you
or your setup. As an admin, I lock down things and punish those
who circumvent. As a user, I let management know where I'm going
to bend the rules and why and get their agreement to do so before
doing anything that could get me canned.

You can never stop everything. You can make the barrier
high enough that no one can claim they accidentally stumbled
upon a way around the rules.

--
Brian Hatch                  Kibblesworth: The footling amount of
   Systems and                money by which the price of a given
   Security Engineer          article in a shop is less than a
www.hackinglinuxexposed.com   sensible number, in hope that at
                              least one idiot will think it cheap.
Every message PGP signed




Relevant Pages