firewall SOCKS https

Harmen van der Wal harmen.wal "at"
Thu, 14 Jun 2001 12:23:40 +0000

Jonathan Morton wrote:
> I would suggest talking to your network admin.  If you can't make him
> understand what SSH is and why it's a good thing, talk to his manager
> about getting a new network admin.  Of course, if he has good, logical
> reasons why he doesn't want SSH going, that's up to him and his security
> policy and there won't be a great deal you can do about it.  Remember to
> point out any work-related things you need to do using VNC.

SSH encrypts, provides spoof protection and authenticates hosts.
So we all know SSH is an excellent security tool. But let's take
a look from a company network perspective. Let's assume a
security policy was implemented that only allows
proxy-authenticated users to connect out using http (and https,
and maybe ftp too), and allows users to send and receive mail
through local mail servers. Why was such a policy chosen? Not
because the allowed network applications are very secure by
nature, but probably because it is much safer to exclude all
network applications but a limited few, because otherwise users
might start using all kinds of neat stuff that might turn out to
pose a security risk. Now, allowing SSH tunnels would not be in
accordance with this restrictive policy.

So using an SSH tunnel for some service on, for example, your home
PC may be secure from your perspective, but it would be a
security breach nevertheless if you're using SSH with, for
example, an HTTP tunnel.

Now as far as connecting out of a company network with a
vncviewer is concerned, that seems to be pretty harmless to me. A
Java applet without any special privileges can do it, so I
wouldn't worry about it if I were a network admin (no file
transfers, restricted network access, and all that). You would
need a proxy for RFB though, if the security policy insists upon
an application-level-gateway/-proxy.

My 2ct.
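An added example (not from this thread, nor from any VNC or proxy project) of the check a proxy operator could apply to enforce the policy described above: only proxy-authenticated users, only the https port, and the tunnel must actually carry TLS rather than SSH. It assumes the proxy can log the first bytes a client sends into each CONNECT tunnel; the records below are constructed.

```python
# Added example: audit CONNECT tunnels against the "proxy-authenticated
# http/https only" policy from the post. Assumes the proxy exposes the
# first client bytes of each tunnel; all sample data is constructed.

TLS_HANDSHAKE = 0x16  # TLS record content type for a handshake message

def classify_tunnel_payload(first_bytes: bytes) -> str:
    """Return 'tls', 'ssh', 'http' or 'unknown' for the opening bytes a
    client sends once a CONNECT tunnel has been established."""
    if first_bytes.startswith(b"SSH-"):
        # RFC 4253 identification string, e.g. "SSH-2.0-OpenSSH_8.9\r\n"
        return "ssh"
    if (len(first_bytes) >= 3 and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        # TLS record header: type 0x16, record version 3.0 .. 3.4
        return "tls"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        # Plain HTTP inside a tunnel, not what the https allowance is for
        return "http"
    return "unknown"

def tunnel_allowed(authenticated: bool, dest_port: int, first_bytes: bytes) -> bool:
    """Policy check for one tunnel: authenticated user, https port, TLS inside."""
    return (authenticated and dest_port == 443
            and classify_tunnel_payload(first_bytes) == "tls")

# Constructed per-tunnel records: (user or None if unauthenticated,
# destination host, destination port, first client bytes).
SAMPLE_TUNNELS = [
    ("alice", "mail.example.net", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("bob",   "home.example.org", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (None,    "www.example.com",  443, b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c\x03\x03"),
    ("carol", "home.example.org", 22,  b"SSH-2.0-PuTTY_Release_0.76\r\n"),
]

def audit(tunnels):
    """Return one (user, host, port, reason) tuple per policy violation."""
    findings = []
    for user, host, port, first in tunnels:
        if user is None:
            findings.append((user, host, port, "unauthenticated CONNECT"))
        elif port != 443:
            findings.append((user, host, port, f"CONNECT to non-https port {port}"))
        elif (kind := classify_tunnel_payload(first)) != "tls":
            findings.append((user, host, port, f"{kind} traffic inside https tunnel"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_TUNNELS):
        print(finding)
```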
