Blocking SSH is a weak solution. Many places I know allow telnet through their firewalls and block ssh. Since I never allow telnet on any of my servers I run SSH on both ports 22 and 23 so that these people can still reach our servers. Unless you are running an application firewall that explicitly checks the telnet protocol then you are not safe. The same ideas have been around for years on port 80. MS DCOM Tunneling is one of the worst, allowing full application client to server communication in packets wrapped by http headers so that they can traverse your proxy or firewalls on port 80. I am still waiting for the trojan that makes use of these features and the intrinsic MS Dcom security model.

Derrick
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Alex Bligh
Sent: Sunday, July 09, 2000 3:43 PM
To: Greg A. Woods
Cc: rmeyer@mhsc.com; nanog@merit.edu
Subject: Re: "top secret" security does require blocking SSH
woods@weird.com said:
Unfortunately we're rapidly approaching (if we're not already there) a state of affairs where it is impossible to technically prevent inbound and outbound covert channels
No. We are just rapidly approaching the point where people realize it has always been the case that this is impossible.
--
Alex Bligh
VP Core Network, Concentric Network Corporation (formerly GX Networks, Xara Networks)
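The point made above (a port-number rule cannot tell SSH on port 23 from telnet on port 23; only a check of the protocol itself can) is illustrated by the following added example. It is not code from the list posts; it shows the classification an application-aware firewall or IDS performs on the first bytes a server sends, so that a protocol/port mismatch can be flagged. The SSH banner format ("SSH-" prefix) is from RFC 4253 and telnet option negotiation starts with IAC (0xFF); the sample flows, the banner string and the allowed-port list are constructed for this example.

```python
"""Classify TCP sessions by payload rather than destination port.

Added example for this thread (not the posters' code). The constructed
flows below include the case described in the post: an SSH server that
answers on port 23, which a port-only "allow telnet, block ssh" rule lets
through while an application-layer check correctly identifies it as SSH.
"""

SSH_BANNER_PREFIX = b"SSH-"          # RFC 4253 identification string
TELNET_IAC = 0xFF                    # telnet "Interpret As Command"
TELNET_NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT

# Constructed port-only policy: the site allows telnet and http, blocks ssh.
ALLOWED_PORTS = {23, 80}
# What a port-only rule assumes is running on each port.
EXPECTED_BY_PORT = {22: "ssh", 23: "telnet", 80: "http"}


def identify_protocol(first_bytes: bytes) -> str:
    """Return 'ssh', 'telnet', 'http' or 'unknown' from the server's first bytes."""
    if first_bytes.startswith(SSH_BANNER_PREFIX):
        return "ssh"
    if (len(first_bytes) >= 3
            and first_bytes[0] == TELNET_IAC
            and first_bytes[1] in TELNET_NEGOTIATION):
        return "telnet"
    if first_bytes.startswith(b"HTTP/1."):
        return "http"
    return "unknown"


def inspect_flows(flows):
    """For each (dst_port, first_server_bytes) pair, compare the port-only
    decision with what the payload actually is."""
    results = []
    for port, payload in flows:
        proto = identify_protocol(payload)
        results.append({
            "port": port,
            "protocol": proto,
            "port_filter_allows": port in ALLOWED_PORTS,
            # True when the traffic is not what the port number implies
            "protocol_mismatch": proto != EXPECTED_BY_PORT.get(port),
        })
    return results


def flag_mismatches(flows):
    """Ports on which the port-only rule allowed traffic that is not the
    protocol the rule assumed; this is what an application-aware rule alerts on."""
    return [(r["port"], r["protocol"]) for r in inspect_flows(flows)
            if r["port_filter_allows"] and r["protocol_mismatch"]]


# Constructed sample flows: (destination port, first bytes sent by the server).
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-example_sshd\r\n"),        # ssh on its usual port: blocked by port rule
    (23, b"SSH-2.0-example_sshd\r\n"),        # ssh answering on the telnet port: allowed by port rule
    (23, b"\xff\xfb\x01\xff\xfb\x03"),        # real telnet: IAC WILL ECHO, IAC WILL SGA
    (80, b"HTTP/1.0 200 OK\r\n\r\n"),         # plain http
]

if __name__ == "__main__":
    for row in inspect_flows(SAMPLE_FLOWS):
        print(row)
    print("mismatches a port-only rule let through:", flag_mismatches(SAMPLE_FLOWS))
```

The classifier looks at the server's first bytes because that is where SSH and telnet reveal themselves unambiguously; an HTTP-wrapped tunnel of the kind the post mentions would classify as http here, which is exactly why a proxy that only checks for well-formed HTTP does not close that channel either.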