piercing corporate FW outbound
Derek Martin
invalid at pizzashack.org
Fri Feb 6 15:31:00 EST 2004
On Fri, Feb 06, 2004 at 01:09:52PM -0500, Chris Brenton wrote:
> For the record, outbound SSH _can_ be a security risk.

So is HTTP, and it's a much more serious one than SSH, for a number of
reasons, including all the reasons SSH can be, and several more. But you
don't generally see people trying to block (outgoing) HTTP traffic.

You can do application-level filtering to help the problem, but even
that doesn't solve it if the mechanism used to make the reverse
"tunnel" actually uses legitimate HTTP traffic... Such a thing is
very possible, and I have personally seen it done. In fact, a company
I once worked for sold a remote support solution based on that very
idea.

> Content checking can be a wonderful thing. :)

But it doesn't solve every problem, and it can make new ones. As Mike
has discovered... ;-)

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.
Replying to it will result in undeliverable mail.
Sorry for the inconvenience. Thank the spammers.