Actually, it isn't so hard. Northgrum.com has firewall, moat, alligators, and free-fire kill-zone <g>. I will also never take them on as a client again because of it. I just can't be disconnected from my business in chunks of time that large. Oh yeah, they also don't allow off-site work. Aerospace/DOD is feeling the pinch though. But, this latest LLNL thing has really caused them to think long and hard about some serious issues.

Yes, if there is any way to bypass the wall, including Xircom CardBus (LAN port plugged into the LAN and modem port connected to a Nokia 6185, via DLR3 datacable, dialed into an external Internet server), then covert ops are assured, as well as almost undetectable. The only way to stop that is a mil-grade PCS jammer. The Nokia uses spread-spectrum so intercepts are very difficult. I wonder if anyone has suggested this to the investigators of the Nat labs?
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Alex Bligh
Sent: Sunday, July 09, 2000 1:12 PM
To: Derrick
Cc: nanog@merit.edu
Subject: Re: "top secret" security does require blocking SSH
"Derrick" <Derrick@anei.com>
Blocking SSH is a weak solution.
I wrote:
No. We are just rapidly approaching the point where people realize it has always been the case that this is impossible.
I meant it has always been the case that blocking covert channels of communication was technically impossible. You can tunnel ssh or equivalent through email wordcounts if you really feel the need. I'm not an expert, but there is good information theory that says once you allow more than trivial bit rates in/out of an organization, blocking covert communication encapsulated one way or another becomes extremely hard.
--
Alex Bligh
VP Core Network, Concentric Network Corporation
(formerly GX Networks, Xara Networks)