piercing corporate FW outbound

Michael ODonnell michael.odonnell at comcast.net
Fri Feb 6 14:09:30 EST 2004


> I know you are upset because there is something you want to do and
> the IT group is blocking you,


No.  I'm "upset" because terms of an agreement are
being violated.  One's opinion of those terms is
irrelevant - the agreement was made under no duress
by supposedly competent adults acting as authorized
agents and it therefore ought be honored.


> but it sounds like they are doing a pretty good
> job at locking down the perimeter.

(sigh!)  If only that were true - then this mightn't
be so galling.  Unfortunately, the corporate IT
infrastructure is perpetually a mess (directly
traceable to the Microsoft-centric mindset, though
nobdoy seems to get that) and shutting down the channel
in question smells strongly of Microsoft-centric
contempt rather than informed, considered behavior.


> For the record, outbound SSH _can_ be a security risk.  I've seen
> people use it for everything from tunneling porn to avoid content
> checking, to setting up a reverse 80/TCP connection so an internal
> private server was exposed on a home cable network for anyone
> to access.

Right.  Understood.  But that's a POSSIBLE risk, with
no known instances in-house, in contrast to the daily
horror inflicted on us by all the MS-related problems.


> What is your business need for requiring outbound SSH?  Why not
> work with your boss to state your case and get the policy changed?

My business case is simple, as already mentioned: I agreed
to sell my services to this business under certain terms,
and blocking my access violates those terms.

As an aside, I'll mention that yes, I do actually use the
channel daily for purposes that further my ability to do my
job, but that's irrelevant because it's not up for debate -
that opportunity passed once the agreement was made.


>> Oh, I forgot to mention that there's a Nortel
>> Contivity VPN rig involved, and they want me to go
>> through that, and there's supposedly support for some
>> Linux modules that allegedly work with it,
>
> Probably a simple IPSec connection. You can use FreeSwan
> or it's built right into the 2.6 kernel.


Interesting.  Has anybody ever seen FreeSwan interoperate
with the VPN implementation in Nortel Contivity switches?