hi ya ron
got me confused/worried now ... hummm...
my understanding is the following...
- from home(remote), we ssh into a gateway machine
and then from it, ssh into local machines at the company...
my understanding is that all traffic is encrypted...
from "remote" to the "inside host" is still encrypted
( am not worried about temporary decrypting before passing it on )
from
remote# ssh ssh.corp.com
then
ssh# ssh inside_host
if some [cr/h]acker gets into ssh.corp.com or the firewall
then we're snoopable and a sitting duck... in which case there are
bigger problems than just firewall/ssh/vpn issues
and nope... we don't "watch the contents of all the packets" ...
- one particular customer's security policy is so silly
that there is no point to having a firewall..
have fun linuxing
alvin
yes.. i know some ssh has been cracked... and i've been a victim
of my own stupidity for not updating it too.. good for testing too in my
book and learning/watching/monitoring...
On Wed, 27 Feb 2002, Ron DuFresne wrote:
> On Wed, 27 Feb 2002, Alvin Oga wrote:
>
> [SNIP]
>
> > dumb question ...
> > - why is VPN needed ??? ssh seems to do everything i need
> > - if it's (VPN) for network neighborhood to go browsing...
> > shoot it/kill it/stomp it (network neighborhood)...
> >
>
> Unless ssh is terminated on the outside <so it's decrypted prior to
> entering the network> dgillett's point was you do not really know what is
> passing across the firewall or network perimeter. Thus, most folks tend
> to do their VPN terminations outside, on a controlled DMZ system, so that
> the decrypted traffic can be subject to the rules of the perimeter
> inspection tools in place to enforce the site's security policy. SSH
> through the perimeter devices tends to tunnel traffic much as HTTP does,
> making it hard to inspect and know what is traversing the outside
> connection<s>. Unless of course I read his last response to you
> incorrectly. Few admins these days feel comfortable in trusting their
> users to know and do the right things on traffic they can not inspect;
> they all tend to want to snoop the wires inside and out...
>
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
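The remote -> ssh.corp.com -> inside_host chain described in the post, written out as an OpenSSH client configuration. This is an added example, not part of the thread: the host names are the ones the post uses, the user name and key path are assumptions, and ProxyJump (OpenSSH 7.3 and later) postdates the 2002 discussion.

```sshconfig
# Added example, not from the thread: ~/.ssh/config on the remote machine
# for the two-hop path  remote -> ssh.corp.com -> inside_host.

# The gateway. It is the only host the remote client connects to directly.
Host ssh.corp.com
    User alvin                            # assumption: gateway account name
    IdentityFile ~/.ssh/id_ed25519_corp   # assumption: key used only for corp access
    ForwardAgent no                       # no agent socket left on the shared gateway

# The inside host, reached through the gateway. With ProxyJump the gateway
# only relays a TCP connection; the inner ssh session is encrypted end to
# end between the remote client and inside_host, so nothing on the gateway
# (or the perimeter) sees that session in the clear.
Host inside_host
    HostName inside_host                  # assumption: resolvable from the gateway
    User alvin
    ProxyJump ssh.corp.com
    ForwardAgent no
```

From the remote machine `ssh inside_host` then does both hops in one command. The design trade-off is the one the two replies argue about: with ProxyJump the gateway cannot inspect the inner session at all, whereas the manual two-step (`ssh ssh.corp.com`, then `ssh inside_host` from the gateway shell) decrypts on the gateway, which is what lets a perimeter host log and inspect it and also what makes a compromised gateway the place where sessions can be snooped. Either way, what is worth checking on the gateway is that it carries only ssh, that its own sshd is kept patched, and that its auth logs are collected somewhere the gateway itself cannot alter.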