Re: [fw-wiz] Do you permit X11 via proxy firewall?



On Fri, 7 Sep 2007, ArkanoiD wrote:

On Wed, Sep 05, 2007 at 04:48:46PM -0700, dlang@xxxxxxxxxxxxx wrote:
On Thu, 6 Sep 2007, ArkanoiD wrote:

That's most practical; almost everyone is doing that.
So we can declare X11 gateways officially dead, I guess.

On Wed, Sep 05, 2007 at 05:02:50PM -0400, Paul Melson wrote:
And, if yes, how do you implement it?

No, that's what 'ssh -X' is for.

Why is tunneling X through firewalls noticeably safer than just doing packet
filtering to allow it through?

Because it ensures proper endpoint authentication, encryption, and ensures
(well, to some extent) that no malicious connections will be made through
the tunnel. At least it does it better, as packet filtering rules are static.

The same rationale applies for x11 gateways: most of them present a kind
of confirmation dialog for every new client connection.

I agree with the value of the authorization/authentication. Encryption can be
valuable in some environments; in others it just eats up CPU cycles.

If the only answer is because it prevents someone from intercepting and
tinkering with the TCP datastream, then it's only relevant in some situations,
and you are saying that in others it's perfectly safe to just do packet
filtering.

Remember, just because everyone is doing it, it may not be safe.

It is not, as nothing is safe, but sometimes it is acceptable risk ;-)

I agree; however, I see a mindset creeping in that if you just encrypt it then
it must be safe, and so I question statements like 'X is unsafe, but if you
tunnel it through SSH then it's safe'.

By the way, for those who are new to X, it allows programs to communicate with
each other, even from different machines, if they share a display. For a trivial
example of this, take two Linux boxes and configure them to both use the same
display (through whatever mechanism, including through SSH). Then try to
start up Firefox on both machines (ideally, pass it a URL to start with).

What you will find is that when you try to start it up on the second machine, it
detects that you already have it running on the first machine and instructs that
copy of Firefox to open a window to the URL you told the second machine to
display.

David Lang

Remember, almost everyone thinks that firewalls are just packet filters and
have no business actually looking at the packets that they let through.

Not us ;-)
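The thread's point is that 'ssh -X' is only as safe as the endpoints it exposes. The following is an added example, not part of the thread: a small shell audit that classifies the X11 posture of an sshd_config, flagging the case where the server-side display proxy is bound to every interface instead of loopback (assumes plain "Keyword value" syntax, first match wins, Match blocks ignored, and OpenSSH's documented defaults when a keyword is absent; the sample configs are constructed).

```shell
#!/bin/sh
# Added example, not from the thread: audit how an sshd_config exposes the X11
# display proxy that 'ssh -X' sets up on the server side.
# Assumptions: plain "Keyword value" syntax, first match wins, Match blocks ignored,
# OpenSSH defaults when a keyword is absent (X11Forwarding no, X11UseLocalhost yes).

# Print the effective value of keyword $1 from the config on stdin, or default $2.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" -v def="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                   # comments and blank lines
        tolower($1) == "match" { in_match = 1 }             # stop at the first Match block
        !in_match && !found && tolower($1) == key { print $2; found = 1 }
        END { if (!found) print def }'
}

# Classify the X11 posture of an sshd_config passed as a string:
#   disabled          - no X11 forwarding at all
#   localhost-only    - forwarded display bound to loopback on the server (sane default)
#   wildcard-listener - X11UseLocalhost no: the display proxy listens on every interface,
#                       so any host that can reach the port is back to packet-filter rules
x11_posture() {
    fwd=$(printf '%s\n' "$1" | effective_value X11Forwarding no)
    loopback=$(printf '%s\n' "$1" | effective_value X11UseLocalhost yes)
    case "$fwd" in
        [Yy][Ee][Ss])
            case "$loopback" in
                [Nn][Oo]) echo wildcard-listener ;;
                *)        echo localhost-only ;;
            esac ;;
        *) echo disabled ;;
    esac
}

# Constructed sample configs (not real hosts).
WEAK_CONFIG='# forwards X11 and binds the proxy display on all interfaces
Port 22
X11Forwarding yes
X11UseLocalhost no'
HARDENED_CONFIG='# forwarding on, but the proxy display listens only on loopback
X11Forwarding yes
X11UseLocalhost yes'
DISABLED_CONFIG='# keyword absent: OpenSSH default applies
PermitRootLogin no'

for name in WEAK_CONFIG HARDENED_CONFIG DISABLED_CONFIG; do
    eval "cfg=\$$name"
    printf '%-16s %s\n' "$name" "$(x11_posture "$cfg")"
done
```

Run it against a real /etc/ssh/sshd_config with `x11_posture "$(cat /etc/ssh/sshd_config)"`; only "wildcard-listener" is the posture the thread warns about, since the other two keep the forwarded display reachable solely through the authenticated SSH session.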

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
