Re: Detecting a Tunnel Over SSH?
- From: Gary Huntress <gary.huntress@xxxxxxxxx>
- Date: Fri, 17 Jul 2009 21:17:12 -0400
Thanks for all the feedback everyone. I got my answer today. One
thing I should have clarified is that the server in the DMZ is behind
my own firewall. I control it and there are no other processes on it
monitoring for tunnels.

But the answer is really simple. I connect outbound on port 22 to my
DMZ host, but what I did NOT know is that it is via an SSH proxy and
that is how they detected the tunnel. The admin (who happens to be a
SANS presenter) explained everything to me :)

Closed issue. Thanks for the help :)

Gary Huntress

On Fri, Jul 17, 2009 at 6:13 PM, Rob Wilcox <robertwilcox@xxxxxxxxx> wrote:
> Did the office install a strict egress/ingress ruleset or a proxy that may
> be blocking your tunnel port? I only suggest this as I have to assume you
> are initiating the tunnel on a different port than 22/tcp.
>
> -Rob
>
> On Thu, Jul 16, 2009 at 6:37 PM, Gary Huntress <gary.huntress@xxxxxxxxx> wrote:
>> Hi,
>>
>> Let me start right off by saying I am not trying to circumvent the
>> security policy of my office, even though this will sound like that's
>> what I'm trying to do. My office recently instituted a very strict
>> firewall policy which forbids tunneling traffic.
>>
>> Prior to that, I would use PuTTY from my XP desktop to reach a server
>> in our DMZ. I would have an ssh session open for hours and I would
>> often tunnel traffic to administer a Sybase database. With the new
>> policy I can still establish and maintain an ssh session for as long
>> as I want but my connection is instantly closed if I try to tunnel.
>>
>> What I would like to know is, how is the tunnel detected? I've
>> always assumed that once my ssh session is made that every packet
>> would be completely encrypted, even the headers of the tunneled
>> packets. So even if the tunnel used GRE (or whatever) it would be
>> encrypted too. Clearly that's not the case.
>>
>> So, how is my tunnel detected? And no, I'm not going to keep trying,
>> this is a fireable offense!
>>
>> Gary H.
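
How an SSH proxy can see a tunnel inside an otherwise encrypted session, shown as an added example that is not part of the original thread. The thread does not describe the proxy's internals, so this assumes a proxy that terminates the SSH connection and reads the decrypted connection-protocol messages of RFC 4254, where port forwarding appears as its own channel type; the function names and sample payloads are constructed for illustration.

```python
import struct

# Message numbers and names from RFC 4254 (SSH connection protocol).
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_CHANNEL_OPEN = 90
FORWARD_CHANNELS = {"direct-tcpip", "forwarded-tcpip"}        # ssh -L / ssh -R data channels
FORWARD_REQUESTS = {"tcpip-forward", "cancel-tcpip-forward"}  # ssh -R listener setup

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at off; return (text, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string runs past end of payload")
    return buf[off + 4:off + 4 + n].decode("ascii", "replace"), off + 4 + n

def classify(payload: bytes):
    """Return (verdict, detail) for one decrypted SSH message payload."""
    try:
        if payload[:1] == bytes([SSH_MSG_CHANNEL_OPEN]):
            ctype, off = read_string(payload, 1)
            if ctype not in FORWARD_CHANNELS:
                return ("allow", ctype)  # e.g. "session": shell, exec, sftp
            off += 12  # skip sender channel, initial window, max packet size
            host, off = read_string(payload, off)
            (port,) = struct.unpack_from(">I", payload, off)
            return ("tunnel", f"{ctype} -> {host}:{port}")
        if payload[:1] == bytes([SSH_MSG_GLOBAL_REQUEST]):
            name, _ = read_string(payload, 1)
            return ("tunnel" if name in FORWARD_REQUESTS else "allow", name)
    except (ValueError, struct.error) as exc:
        return ("malformed", str(exc))  # truncated or inconsistent lengths
    return ("allow", f"message {payload[0]}") if payload else ("malformed", "empty payload")

# Constructed sample payloads (not captured traffic).
WINDOW = struct.pack(">III", 0, 2**21, 2**15)
OPEN_SESSION = bytes([90]) + ssh_string(b"session") + WINDOW
OPEN_FORWARD = (bytes([90]) + ssh_string(b"direct-tcpip") + WINDOW
                + ssh_string(b"127.0.0.1") + struct.pack(">I", 5000)    # forward target
                + ssh_string(b"127.0.0.1") + struct.pack(">I", 50123))  # originator
REMOTE_LISTEN = (bytes([80]) + ssh_string(b"tcpip-forward") + b"\x01"
                 + ssh_string(b"0.0.0.0") + struct.pack(">I", 8080))

if __name__ == "__main__":
    for sample in (OPEN_SESSION, OPEN_FORWARD, REMOTE_LISTEN, OPEN_FORWARD[:20]):
        print(classify(sample))
```

An interactive login only ever opens a `session` channel, which is why a proxy applying this kind of check can leave the shell untouched and still close the connection as soon as a forward is requested.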