Cameron Simpson wrote:
> Personally I would opt for the "allow outbound ssh to a set of trusted
> users" approach if possible. At my workplace we're fairly fortunate; most
> of our users are either category 1, and thus in the trusted class. Most
> others are category 3 and can be told why we don't like them to forward
> whatever weird dangerous protocol they wanted and how to arrange their
> specific need more safely. Our few category 4 users don't know enough
> to want ssh outbound.

The problem there, of course, is that unless you are able to guarantee that your users cannot install any software of their own, your category 4's can always get around this. Even if they don't know enough to want to try (which is generally a dangerous assumption, btw), they're also the most likely to fall prey to malware and viruses, which could pretty easily open up forwarders of their own, depending on the environment. And that makes restricting the capability of one particular client application relatively unhelpful, though if you're paranoid, Rick's idea of restricting outbound _destinations_ via the firewall sounds more effective. But that's pretty hard to do in a large organization.

All of which brings me back to why I react the way I do to the suggestion that cleartext behind a firewall is safe. Except in the most rigidly controlled environments (and my compliments if you have created one), any naive user behind your hard, crunchy firewall can circumvent it, intentionally or accidentally. And once that happens, your soft, chewy center is worm food. A large percentage of Code Red infections happened on firewalled, NAT'ed networks! (Yes, I know, that's got nothing directly to do with cleartext passwords, but it illustrates the potential.)
Cheers
-d

--
David Talkington
PGP key: http://www.prairienet.org/~dtalk/0xCA4C11AD.pgp