firewall SOCKS https

Harmen van der Wal harmen.wal "at" tip.nl
Thu, 14 Jun 2001 12:23:40 +0000


Jonathan Morton wrote:
<...> 
> I would suggest talking to your network admin.  If you can't make him
> understand what SSH is and why it's a good thing, talk to his manager
> about getting a new network admin.  Of course, if he has good, logical
> reasons why he doesn't want SSH going, that's up to him and his security
> policy and there won't be a great deal you can do about it.  Remember to
> point out any work-related things you need to do using VNC.


SSH encrypts, provides spoof protection and authenticates hosts.
So we all know SSH is an excellent security tool. But let's take
a look from a company network perspective. Let's assume a
security policy was implemented that only allows
proxy-authenticated users to connect out using http (and https,
and maybe ftp too), and allows users to send and receive mail
through local mail servers. Why was such a policy chosen? Not
because the allowed network applications are very secure by
nature, but probably because it is much safer to exclude all
network applications but a limited few, because otherwise users
might start using all kinds of neat stuff that might turn out to
pose a security risk. Now, allowing SSH tunnels would not be in
accordance with this restrictive policy.

So using an SSH tunnel for some service on, for example, your home
PC may be secure from your perspective, but it would be a
security breach nevertheless if you're using SSH with, for
example, an HTTP tunnel.

Now as far as connecting out of a company network with a
vncviewer is concerned, that seems to be pretty harmless to me. A
Java applet without any special privileges can do it, so I
wouldn't worry about it if I were a network admin (no file
transfers, restricted network access, and all that). You would
need a proxy for rfb though, if the security policy insists upon
an application-level gateway/proxy.

My 2ct.

-- 
Harmen
http://www.xs4all.nl/~harmwal/
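The policy breach described above, SSH carried inside an HTTP CONNECT tunnel, is something a proxy admin can look for on the proxy side. As an added example that is not part of this post or of the VNC project, the Python below audits constructed Squid-style access log lines together with the first client bytes captured inside each tunnel (both the log layout and the byte capture are assumptions), flagging CONNECT requests to non-443 ports and tunnels whose payload does not start like a TLS ClientHello.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines in a Squid-style access.log layout (assumed format,
# not from the post): timestamp elapsed client status bytes method host:port user hier type
SAMPLE_LOG = """\
1100000001.123 45 10.0.0.5 TCP_TUNNEL/200 5123 CONNECT mail.example.com:443 alice HIER_DIRECT/203.0.113.7 -
1100000002.456 1 10.0.0.6 TCP_TUNNEL/200 800 CONNECT home.example.net:22 bob HIER_DIRECT/198.51.100.9 -
1100000003.789 3 10.0.0.7 TCP_TUNNEL/200 120000 CONNECT home.example.net:443 carol HIER_DIRECT/198.51.100.9 -
"""

# Constructed first client bytes seen inside each tunnel, keyed by client IP (assumed capture).
SAMPLE_FIRST_BYTES = {
    "10.0.0.5": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",  # TLS handshake record, ClientHello
    "10.0.0.6": b"SSH-2.0-OpenSSH_5.9\r\n",                        # SSH identification string
    "10.0.0.7": b"SSH-2.0-OpenSSH_5.9\r\n",                        # SSH hidden behind port 443
}

CONNECT_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d+) CONNECT (\S+):(\d+) (\S+) ")

def classify_tunnel_payload(data: bytes) -> str:
    """Guess which protocol the client started inside a CONNECT tunnel."""
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record: content type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        return "tls"
    return "unknown"

def audit_connects(log_text: str, first_bytes: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (user, destination, reason) for tunnels that break an HTTPS-only CONNECT policy."""
    findings = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if not m:
            continue  # not a CONNECT request; plain GET/POST is inspected by the proxy itself
        client, host, port, user = m.group(3), m.group(6), int(m.group(7)), m.group(8)
        dest = f"{host}:{port}"
        if port != 443:
            findings.append((user, dest, "CONNECT to non-HTTPS port"))
            continue
        proto = classify_tunnel_payload(first_bytes.get(client, b""))
        if proto != "tls":
            findings.append((user, dest, f"non-TLS payload ({proto}) inside CONNECT tunnel"))
    return findings
```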
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------