Pantek Library

Re: Securing ssh tunnels.

From: Roy S. Rapoport <rsr(at)inorganic.org>
Date: Thu Jun 26 2003 - 21:17:01 EDT

On Thu, Jun 26, 2003 at 04:07:51PM -0600, Ivan Chavero wrote:
> > access through their firewall but got turned down because it was too

It's a strange way to look at things, but it's actually quite valid, and in fact I interviewed yesterday at a place that has a need to do things this way.

Imagine you're working at a financial institution. You're very very very concerned about the ability people have to get bulk sensitive data and walk out of the company with it -- that's why you design your apps, for example, to not show all client details on the same page, because you want to increase the costs of getting full client details in a screen shot. You make sure your outbound email gets filtered aggressively (and manually), and only allow very limited outbound connections.

When dealing with a cleartext protocol (HTTP, telnet), your filters/proxies can exercise perfect control over what's going out, because they can inspect the payload. Your outbound connection has "ORCL" and "MSFT" in the payload? Well, maybe it'll have a little accident on the way ...

But with SSH/HTTPS, you're screwed -- there's no way to figure out what the user is sending out. It is, from your point of view, less secure, much like the government feels it's less secure for everybody to have cyphers the NSA can't crack.

It's not how I'd run the average software house, but it has a role in some environments.

-roy

Received on Fri Jun 27 11:58:28 2003
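The contrast the post draws, a proxy that can read and filter a cleartext payload but sees only ciphertext on SSH/TLS, as an added example written for this archive page, not code from the original message or its author. It fingerprints an outbound stream from its leading bytes using simplified markers (the "SSH-" banner, a TLS handshake record starting 0x16 0x03, an HTTP/1.x request line), runs a constructed keyword filter over cleartext HTTP, and reports encrypted streams as opaque. The rule set, the sample traffic and the names `identify_protocol` and `inspect_outbound` are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed DLP rule set (assumption, not from the post): the two tickers
# the message names, plus a 16-digit account-number-like pattern.
SENSITIVE_PATTERNS = [
    re.compile(rb"\b(?:ORCL|MSFT)\b"),
    re.compile(rb"\b\d{16}\b"),
]


@dataclass
class Verdict:
    protocol: str          # "http", "ssh", "tls" or "unknown"
    inspectable: bool      # True only if the proxy can read the payload
    matches: list = field(default_factory=list)  # sensitive tokens found
    action: str = "allow"  # "allow", "block" or "opaque"


def identify_protocol(head: bytes) -> str:
    """Classify an outbound stream from its leading bytes (simplified fingerprints).

    - SSH: both peers open with a version banner beginning 'SSH-'.
    - TLS: the first record is a handshake (type 0x16) with version major 0x03.
    - HTTP/1.x: a request line 'METHOD SP target SP HTTP/1.x CRLF'.
    """
    if head.startswith(b"SSH-"):
        return "ssh"
    if len(head) >= 2 and head[0] == 0x16 and head[1] == 0x03:
        return "tls"
    if re.match(rb"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", head):
        return "http"
    return "unknown"


def inspect_outbound(stream: bytes) -> Verdict:
    """Decide what an egress proxy can do with one outbound connection.

    Cleartext HTTP is searched for sensitive tokens and blocked on a hit.
    SSH and TLS are opaque: the proxy sees only ciphertext, so the content
    filter cannot run at all, which is exactly the point the post makes.
    """
    protocol = identify_protocol(stream[:256])
    if protocol in ("ssh", "tls"):
        return Verdict(protocol, inspectable=False, action="opaque")
    found = []
    for pattern in SENSITIVE_PATTERNS:
        found.extend(m.group(0).decode("ascii", "replace")
                     for m in pattern.finditer(stream))
    return Verdict(protocol, inspectable=True, matches=found,
                   action="block" if found else "allow")


# Constructed sample traffic (assumption: not captured from any real host).
SAMPLE_HTTP_LEAK = (
    b"POST /report HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"client=4111111111111111&holding=ORCL&qty=500"
)
SAMPLE_HTTP_CLEAN = b"GET /status HTTP/1.0\r\nHost: example.test\r\n\r\n"
# First bytes of a TLS ClientHello: a handshake record header (0x16, version
# 0x03 0x01, length) followed by the ClientHello message header.
SAMPLE_TLS = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"
SAMPLE_SSH = b"SSH-2.0-OpenSSH_3.6p1\r\n"

if __name__ == "__main__":
    samples = [("http-leak", SAMPLE_HTTP_LEAK), ("http-clean", SAMPLE_HTTP_CLEAN),
               ("tls", SAMPLE_TLS), ("ssh", SAMPLE_SSH)]
    for name, stream in samples:
        print(name, inspect_outbound(stream))
```

Run as a script, the two HTTP samples come back as "block" and "allow" with the matched tokens listed, while the TLS and SSH samples come back as "opaque" with no matches, regardless of what they carry. That asymmetry is why an environment built around payload inspection treats an outbound encrypted tunnel as a loss of control rather than a gain in security.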


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:00 EDT
