In fact, it is the security policy that needs to be fixed.  You can
perform out-bound telnet, so you can certainly send files out via
[XYZ]modem, kermit, etc.  In fact, if you have a machine on the outside
that doesn't need to run telnet services, you can start sshd listening
on port 23 instead of port 22 and use scp through the firewall to your
heart's content.  I have to wonder if passive-mode FTP is even
blocked.

The fact is that as soon as _any_ IP connection can be made, it gets
very difficult to block outbound file transfer.  Possibly the firewall
could block sustained outbound traffic in some way, and that would
block ssh, kermit, ftp, etc. to a limited extent.

In general though, all this does is give the management a false sense
of security.  It doesn't stop the rogues from stealing information, it
doesn't even provide an audit trail of what information was stolen.
All it does is frustrate the staff who are trying to get their work
done.

I have to ask: are personal searches performed when leaving the
building?  I can fit a lot of data on a DDS-4 tape and I can easily
hide tape, cables, controller and drive in a brief case.  Do they even
stop people carrying laptops to and from work?

Andy
--
Andrew Fullford            Email: [EMAIL PROTECTED]
August.Net Services, LLC      Web: www.august.net

> From: "Damien Miller" <[EMAIL PROTECTED]>
> To: "H. Wade Minter" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, March 7, 2001 6:10 AM
> Subject: Re: Block scp, allow ssh?
> 
> > On Tue, 6 Mar 2001, H. Wade Minter wrote:
> >
> > > I've got an odd situation that may not have a solution, but I
> > > figured I'd ask anyway.
> > >
> > > Due to corporate requirements, my company's firewall policy blocks
> > > outgoing file transfers (FTP puts), but allows FTP gets and outgoing
> > > telnet.  I don't like using telnet for the obvious reasons, so I
> > > suggested they enable outgoing SSH.
> > >
> > > They did for a few weeks, but killed it recently.  When I asked why,
> > > they said it was because people can copy files out using scp without
> > > the firewall being able to monitor it.
> > >
> > > So my question is: Is there any way, on a firewall-type level, to
> > > block scp traffic, while allowing ssh and slogin?  This would allow
> > > them to stop file copies, but let secure shells go through.
> >
> > There is no way to do this. By the time the firewall sees the connection,
> > its contents are encrypted.
> >
> > Furthermore, even if you were to somehow block the specific case of scp,
> > it would still be possible to copy files by cat'ing tar files about the
> > place. This is not unique to ssh, you can move files easily over just
> > about any connection (telnet included) using zmodem or kermit.
