
Re: [fw-wiz] Communication Device Protocols from External router directthrough Firewall

To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Subject: Re: [fw-wiz] Communication Device Protocols from External router directthrough Firewall
From: Frank Knobbe <frank@knobbe.us>
Date: Tue, 07 Nov 2006 11:10:53 -0600
In-reply-to: <7DA21FCA8AD4A94F9E77D3612F1A1A1301D54E5D@0307-its-exmb01.us.saic.com>
References: <7DA21FCA8AD4A94F9E77D3612F1A1A1301D54E5D@0307-its-exmb01.us.saic.com>
Reply-to: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
On Wed, 2006-11-01 at 01:11 -0500, Horvath, Kevin M. wrote:
> [...], so now onto SSH.  SSH shouldn't be allowed as this should only
> be done via your LAN (specifically an ADMIN VLAN or better yet an
> OOB connection) or over an IPSec tunnel.  Yes it's encrypted once the
> tunnel from the client to the server has been built but why should you
> allow anyone to attempt to make this connection externally?  It's a
> recipe for disaster.  So even if you filter by source IP then there is
> the potential to be spoofed and then if you are running an older
> version of SSH that is vulnerable to a remote exploit you are sunk.

While I agree with most of your post, I don't think the last statement
is valid. I could counter that you should never let IPsec in from the
outside, especially since the disclosure of more IPSec flaws not too
long ago. Why would you want to expose your network like that?

SSH is a VPN protocol like others. It had flaws in the past, but so does
IPSec. So do other VPN protocols. There is no absolute security, which
I'm sure you know. SSH can be very safe on the Internet. Many words have
been written on secure SSH configurations, so I don't see a problem
using SSH as a VPN protocol. Personally, I'm more afraid of IPSec,
especially since everyone assumes it's safe when in reality it is not.

Regards,
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
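The "secure SSH configuration" Frank alludes to is mostly a matter of a few sshd_config keywords; the audit below is an added example, not code from either poster, that parses an sshd_config and flags the settings that matter most when the daemon is reachable from the Internet (protocol 1 enabled, root login, password authentication, generous MaxAuthTries). The keyword names are real OpenSSH options; the sample config text is constructed for illustration.

```python
"""Audit an sshd_config for settings that matter when SSH faces the Internet.
Added example (not part of the mailing-list thread); sample config is constructed."""
import re

# Constructed sample: a permissive sshd_config of the kind a 2006-era host might run.
SAMPLE_SSHD_CONFIG = """
# sshd_config (constructed sample)
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
MaxAuthTries 10
"""

def _int_gt(limit):
    """Predicate: value parses as an integer larger than `limit` (non-numeric counts as weak)."""
    def pred(v):
        try:
            return int(v) > limit
        except ValueError:
            return True
    return pred

# keyword (lower-case) -> (is_weak predicate, recommended value, reason)
CHECKS = {
    "protocol": (lambda v: "1" in v.split(","), "2",
                 "SSH protocol 1 is obsolete and has known weaknesses"),
    "permitrootlogin": (lambda v: v.lower() == "yes", "no",
                        "direct root login exposes the most valuable account to guessing"),
    "passwordauthentication": (lambda v: v.lower() == "yes", "no",
                               "password logins invite brute-force guessing from the Internet"),
    "maxauthtries": (_int_gt(3), "3",
                     "many attempts per connection give a guesser more tries per TCP session"),
}

def parse_sshd_config(text):
    """Return {keyword_lower: value}. sshd honours the first occurrence of a keyword,
    so later duplicates are ignored; blank and commented lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)[\s=]+(.*)$", line)   # "Keyword value" or "Keyword=value"
        if m:
            conf.setdefault(m.group(1).lower(), m.group(2).strip())
    return conf

def audit(text):
    """Return a list of (keyword, current_value, recommended, reason) findings."""
    conf = parse_sshd_config(text)
    findings = []
    for key, (is_weak, recommended, why) in CHECKS.items():
        if key not in conf:
            findings.append((key, None, recommended, "not set; compiled-in default applies, verify it"))
        elif is_weak(conf[key]):
            findings.append((key, conf[key], recommended, why))
    return findings
```

Running `audit(SAMPLE_SSHD_CONFIG)` reports all four keywords; a config that sets `Protocol 2`, `PermitRootLogin no`, `PasswordAuthentication no` and `MaxAuthTries 3` yields no findings.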

