Re: Securing ssh tunnels.

From: Darren Reed (avalon_at_caligula.anu.edu.au)
Date: 06/25/03

    To: chuck@milams.net (Chuck Milam)
    Date: Thu, 26 Jun 2003 05:24:28 +1000 (Australia/ACT)
    
    

    In some mail from Chuck Milam, sie said:
    >
    >
    > On Wed, 25 Jun 2003, Darren Reed wrote:
    >
    > > In a recent encounter with another company, we attempted to get ssh
    > > access through their firewall but got turned down because it was too
    > > insecure.
    >
    > I think perhaps the term "too insecure" is not quite right here. In
    > actuality, what they are saying is that SSH is TOO SECURE, so they can't
    > spy on what is traversing their networks.

    I'll just answer on this bit by saying that transparency leads to
    accountability which provides assurances about content giving you
    the ability to determine the security of information flow enforcement.

    A good example of how transparency leads to security is some movie
    with Richard Gere (set in China) where he goes into some room in
    the US embassy where all the walls are see-through and it is
    suspended in mid air (kinda). You can see that there aren't any
    bugs in the ceiling or walls of that room.

    Anyway, that's getting beyond the point. Yes, I'm aware of things
    that do multiplexing over telnet sessions; they date back to the
    early 90s (if not earlier), on linux. Their existence isn't the
    problem, it's the perception that ssh is a security hole that is.

    I suppose what I was hoping for as an answer was "here's this encrypted
    telnet-session-like protocol that doesn't support tunnelling" that I
    could sell as being secure from eavesdropping when data crosses untrusted
    networks but not a compromise of firewall policy enforcement due to
    there being no default mechanism to support tunnelling. A favourite of
    mine when I have web hassles but can ssh out is to ssh out to somewhere
    that I port forward my browser to an external proxy :)

    Cheers,
    Darren
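
[Editor's note, not part of the mail above.] The "encrypted login without
tunnelling" Darren asks for is, on a server you operate yourself, a matter
of sshd_config: AllowTcpForwarding, AllowStreamLocalForwarding,
AllowAgentForwarding, GatewayPorts, PermitTunnel and X11Forwarding are the
directives that turn a login into a relay, and several of them default to
on. The script below is an added illustration (not code from the thread or
from OpenSSH) that audits a config text for those directives. It follows
three sshd rules that trip people up: keywords are case-insensitive, the
first value given for a keyword wins (so a hardening line appended at the
end of a distro default file does nothing), and a Match block can re-enable
forwarding for the connections it matches. The two sample configs are
constructed for the example; the directive names and defaults are those
documented in sshd_config(5).

```python
import re

# OpenSSH server directives that let an interactive login become a relay,
# mapped to (value that switches the feature off, sshd's compiled-in default).
# Names and defaults are from sshd_config(5); this checker is an added
# illustration, not part of the original mail or of OpenSSH.
FORWARDING_DIRECTIVES = {
    "allowtcpforwarding": ("no", "yes"),
    "allowstreamlocalforwarding": ("no", "yes"),
    "gatewayports": ("no", "no"),
    "permittunnel": ("no", "no"),
    "x11forwarding": ("no", "no"),
    "allowagentforwarding": ("no", "yes"),
}

# Constructed sample: a distro-style default with a late, ineffective override.
WEAK_CONFIG = """
Port 22
AllowTcpForwarding yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
AllowTcpForwarding no   # too late: sshd keeps the first value it saw
"""

# Constructed sample: forwarding off globally, re-enabled only for one group.
HARDENED_CONFIG = """
Port 22
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
Match Group tunnelusers
    AllowTcpForwarding yes
"""


def parse_sshd_config(text):
    """Split sshd_config text into (global_settings, [(match_line, settings)]).

    Mirrors the sshd rules that matter for an audit: keywords are
    case-insensitive, the first value given for a keyword wins, and
    settings inside a Match block apply only to matching connections,
    where they override the global value.
    """
    global_cfg, blocks, in_match = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = {}
            blocks.append((line, in_match))
            continue
        target = global_cfg if in_match is None else in_match
        target.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return global_cfg, blocks


def audit(text):
    """Return (scope, directive, effective_value) for each forwarding directive
    that is still enabled: globally (using sshd's default when the directive is
    absent) or re-enabled inside a Match block."""
    global_cfg, blocks = parse_sshd_config(text)
    findings = []
    for directive, (off, default) in FORWARDING_DIRECTIVES.items():
        effective = global_cfg.get(directive, default).lower()
        if effective != off:
            findings.append(("global", directive, effective))
    for match_line, settings in blocks:
        for directive, (off, _default) in FORWARDING_DIRECTIVES.items():
            value = settings.get(directive, "").lower()
            if value and value != off:
                findings.append((match_line, directive, value))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for scope, directive, value in audit(cfg):
            print(f"  {scope}: {directive} = {value}")
```

Two caveats that follow from the thread itself. First, this only helps
when you run the sshd; the firewall owner in Darren's story is worried
about outbound ssh to servers they don't configure. Second, as Darren
says about multiplexing over telnet, a user with a shell can still relay
traffic with other tools, so turning forwarding off removes the default
mechanism rather than the possibility; it narrows what a plain login
offers and makes deliberate relaying visible as extra processes rather
than ordinary sshd behaviour.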

