Posted by on July 5, 2004, 5:35 pm
On 5 Jul 2004 08:53:06 -0700, nospam@dds.co.uk (Jack) wrote:
>we have been asked by a division to open a port on the firewall to
>allow ssh tunnelling from the internal network to remote servers.
>this is for support purposes and will re-direct html and telnet that
>are 'currently' unix ... the remote servers are not maintained by
>anyone with a brain so it's safe to assume they will not be kept up to
>date with os patches etc, and there's always the chance that these
>could change to a w32 platform without us knowing.
>
>i just need someone to clarify or correct me in some of my concerns ..
>
>my problems with doing this are, other than putting destination ip
>address rules on the firewall you lose all control from a security
>admin point of view. another concern is let's say the os changes to
>win32 (there's no reason why they would/need to tell us this), but if
>they start re-directing all ports then you open yourself up to
>passing windows worms etc, right ? .. or even any unix exploits on an
>unpatched system ..
>
>the other problem being this could be used to bypass all the corporate
>browser config and go via the tunnel on a go anywhere internet
>connection ..
>
>thoughts people ?
It's a tunnel. Unless the server end is properly configured, then yes,
they can punch very large holes in your firewall.
-Chris
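Chris's caveat ("unless the server end is properly configured") comes down to what the sshd at the far end of the tunnel permits: OpenSSH's `AllowTcpForwarding` switches port forwarding on or off, and `PermitOpen` confines forwards to an explicit list of host:port destinations. The script below is an added example, not code from the thread or from either poster. It audits the global section of an sshd_config for those two directives and labels the resulting tunnel policy as "open" or "restricted"; the three sample configs are constructed for the example, and `Match` blocks are deliberately left out of the evaluation. It only helps for SSH servers the security team itself operates; for the remote servers in Jack's scenario, run by the other division, the destination IP and port rule on the firewall remains the only control the firewall admin holds.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the global section of an
# OpenSSH sshd_config for the two directives that bound what a tunnel can reach:
# AllowTcpForwarding (yes|no|local|remote, default yes) and PermitOpen
# (host:port list, "any", or "none"). Both are real sshd_config keywords.
# Lines inside "Match" blocks are not evaluated here.

# effective_forwarding FILE -> lower-cased AllowTcpForwarding value, "yes" if unset.
# sshd honours the FIRST occurrence of a global keyword, so head -n 1 mirrors that.
effective_forwarding() {
    fwd_val=$(sed -n -e '/^[[:space:]]*[Mm]atch[[:space:]]/q' \
        -e 's/^[[:space:]]*[Aa]llow[Tt]cp[Ff]orwarding[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' \
        "$1" | head -n 1)
    printf '%s\n' "${fwd_val:-yes}" | tr '[:upper:]' '[:lower:]'
}

# permit_open_list FILE -> the first global PermitOpen argument list, "" if unset.
permit_open_list() {
    sed -n -e '/^[[:space:]]*[Mm]atch[[:space:]]/q' \
        -e 's/^[[:space:]]*[Pp]ermit[Oo]pen[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*#.*$//'
}

# tunnel_policy FILE -> "restricted" when forwarding is off, or on but confined
# to an explicit PermitOpen list (or "none"); "open" when any destination is reachable.
tunnel_policy() {
    case "$(effective_forwarding "$1")" in
        no) echo restricted; return ;;
    esac
    case "$(permit_open_list "$1")" in
        "" | any*) echo open ;;
        *)         echo restricted ;;
    esac
}

# Constructed sample configs (not from any real host) showing the weak setting
# beside the corrected ones.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

cat > "$workdir/weak.conf" <<'EOF'
# forwarding left at its defaults: any host:port reachable through the tunnel
Port 22
PermitRootLogin no
EOF

cat > "$workdir/strict.conf" <<'EOF'
# forwarding stays on, but only the two support services may be reached
Port 22
AllowTcpForwarding yes
PermitOpen 10.1.2.3:80 10.1.2.3:23
Match User auditor
    AllowTcpForwarding no
EOF

cat > "$workdir/off.conf" <<'EOF'
# tunnelling disabled outright
Port 22
AllowTcpForwarding no
EOF

for name in weak strict off; do
    printf '%-6s AllowTcpForwarding=%-4s PermitOpen=%-22s -> %s\n' "$name" \
        "$(effective_forwarding "$workdir/$name.conf")" \
        "$(permit_open_list "$workdir/$name.conf")" \
        "$(tunnel_policy "$workdir/$name.conf")"
done
```

The "strict" sample keeps forwarding enabled but pins it to the two support services Jack describes (web and telnet on one host), which is the middle ground between an unrestricted tunnel and no tunnel at all. Because sshd takes the first global occurrence of a keyword, a second `AllowTcpForwarding` line lower in the file does not override the first; the check copies that behaviour rather than taking the last value.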