hi ya ( how-Dee ) ron
i think i follow what you guys are referring to...
- in one/most of my ssh stuff... i can sorta watching
both ends of the ssh connections .... remote site to
another remote site ..etc...
- nobody is supposed to be able to ssh in unless
it trips the ids... but there is always somebody
that gets in or wants to loosen the policy for
their convenience ...
- just this past weekend... someone sent in a virus
from their laptop from home.... and made a mess at
the office... and they wonder why i jump up and down
about laptops from home for personal use at work...
- no point to it.. ??
- can't defend their house ... nor that laptop
that plugs into the corp lan..
- at least damage was limited from that incident
- yes... i too claim all machines to be secured as hard
as reasonable for the budget .... no such thing as
"throw away" .... but for fun .. i stick a win98 out there
for them to play with amongst other toys
- any hacked machine is typically a day or two of catchup
work to re-install or disinfect it...
and to also check the backups etc.etc..
- so the original question still is... i am still thinking
all ssh traffic between two machines is encrypted...
and in our case, we don't care if each packet
is analyzed or not.... in my case... i trust
my machine connecting to the other remote machine
and nobody else is supposed to be in it...
snooping the wire...should be a fun trick for somebody
and nobody there should be able to do it... their
job is to do other things... not decrypt ssh stuff
- i primarily worry about keyboard routines being trojanned
- for me to trust any machine or network ...
- i built every machine in there...
- no others have root access ( within reason )
- no pop/telnet/ftp/ppp/vpn/wireless/dhcp/..
- actually ...i don't trust nothing... all login requires
passwds and pass phrases ... otherwise it doesn't get
to connect to the other box
- and stupidly... i think that there should be one or two
"throw away machines" to see what the kids are up to lately...
( typically generic installs w/ latest patches )
- wish we can get the kinds of security budgets you guys seem to have..
have fun linuxing
alvin
On Thu, 28 Feb 2002, Ron DuFresne wrote:
> On Wed, 27 Feb 2002, Alvin Oga wrote:
>
> >
> >
> > hi ya ron
>
> Howdy alvin <smile>
>
> >
> > got me confused/worried now ... hummm...
> >
> > my understanding is the following...
> > - from home(remote), we ssh into a gateway machine
> > and then from it, ssh into local machines at the company...
> >
> > my understanding is that all traffic is encrypted...
> > from "remote" to the "inside host" is still encrypted
> > ( am not worried about temporary decrypting before passing it on )
> >
> > from
> > remote# ssh ssh.corp.com
> > then
> > ssh# ssh inside_host
> >
> > if some [cr/h]acker gets into ssh.corp.com or the firewall
> > then we're snoopable and a sitting duck... in which case there are
> > bigger problems than just firewall/ssh/vpn issues
> >
>
> Yes, the DMZ system <ssh.corp.com> has to be hardened and monitored.
> Hardened to prevent compromise, and many folks tend to take earlier papers
> and articles that DMZ systems are throwaways far too literally. This day
> and age, with VPNs and E-commerce and E-biz and such, this should not be
> the case, these should be hardened systems with a specialized service
> offered, with an IDS and I'd also recommend, a file integrity scanner run
> once or more times a day such as tripwire. DMZ systems are far more
> important these days if for only the reason they tend to be what the
> outside world comes to know as company.com. And a compromise of such
> systems tends to not only cost time in fixing these systems, but also
> costs in company reputation<s>. Take the NAI web servers that
> [EMAIL PROTECTED] discovered with issues, and how poorly they responded to
> the first posting he made resulting in his second posting on the same
> hosts <Subject: Pgp.com was exposing ... information Date: Wed, 6 Feb
> 2002 and Date: Thu, 7 Feb 2002 To: [EMAIL PROTECTED] >. This
> is besides the fact these systems, if compromised can be used to
> infiltrate the inside systems in many cases and are almost always used to
> poke and prod at other systems on the internet, which further serves to
> hurt the attacked companies reputation.
>
> But, the original point here is that you can better manage your own
> policy by decrypting at the DMZ and then letting them inside than you can
> by keeping all traffic encrypted. Unencrypted traffic can then be
> managed by the rules in your firewall. If it's re-encrypted, it can't
> be fully thus managed. Though your scenario looks better than some I've
> seen and worked with...
>
> >
> > and nope... we dont "watch the contents of all the packets" ...
> > - one particular customer's security policy is too silly
> > that there is no point to having a firewall..
> >
>
> Your weakest link is the other guy on the far end of your ssh VPN here.
> If their policy is as insecure as you claim, they are the route inside
> your systems, and thus a BIG risk. I'd not let their traffic in for that
> very reason.
>
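A defender's check for Ron's point that the DMZ gateway (ssh.corp.com in the thread) should terminate the session so the firewall can apply policy, rather than carry a re-encrypted tunnel through to inside hosts: this added example (not code from the thread or from either poster) audits the global section of an sshd_config on the gateway for forwarding keywords that would let a remote user tunnel through it. The two sample configs are constructed; the defaults are OpenSSH's documented ones.

```python
"""Audit an SSH gateway's sshd_config for settings that let sessions tunnel through it."""

# OpenSSH documented defaults for the forwarding-related keywords (values lower-cased).
FORWARDING_DEFAULTS = {
    "allowtcpforwarding": "yes",
    "allowagentforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "x11forwarding": "no",
}
# Any of these values lets a session carry other traffic through the gateway.
PERMISSIVE = {"yes", "all", "local", "remote", "point-to-point", "ethernet", "clientspecified"}

def parse_global_section(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Follows sshd's rule that the first obtained value for a keyword wins, and stops
    at the first Match block, whose conditional overrides are out of scope here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)             # first value wins
    return settings

def forwarding_findings(text):
    """Return [(keyword, effective_value)] for settings that permit tunnelling through the gateway."""
    settings = parse_global_section(text)
    return [(key, settings.get(key, default)) for key, default in FORWARDING_DEFAULTS.items()
            if settings.get(key, default) in PERMISSIVE]

# Constructed sample: a gateway that only sets GatewayPorts and leaves the rest at defaults.
WEAK_CONFIG = "Port 22\nGatewayPorts yes\nPermitRootLogin no\n"

# Constructed sample: the gateway forces the second hop to originate from the DMZ host itself.
HARDENED_CONFIG = (
    "Port 22\nAllowTcpForwarding no\nAllowAgentForwarding no\n"
    "GatewayPorts no\nPermitTunnel no\nX11Forwarding no\nPermitRootLogin no\n"
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, forwarding_findings(cfg) or "no tunnelling paths found")
```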
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls