On Mon, 2004-08-09 at 14:34, Chris Conacher wrote:
> 3. I understand that SSH is a great opportunity for tunneling attacks if an
> exploit is discovered, but I feel that it is possible to manage this
> exposure through the existence of a DMZ based bastion host, rather than
> providing external people with access to the VPN.
If you configure the host-based firewall of the SSH server so that no
outbound connections are allowed, and further shield outbound (and
inbound of course) access with a network-based firewall, then I don't see
much ability for your users/contractors to misuse SSH for tunneling
purposes.
Keep your host security tight and perhaps only run a secure SFTP server,
and not the normal SSH server, so that folks cannot log in and get a
shell (in other words, only provide SFTP service, not secure SHELL
access).
Hope this helps,
Frank
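As an added illustration of the two controls Frank describes (not part of the original thread or of any OpenSSH documentation): an sshd_config fragment that confines users to SFTP with all forwarding and tunnelling off, a host firewall ruleset that permits only replies on the inbound SSH session, and a small POSIX-sh audit that checks a config text for the directives that close the shell and tunnel avenues. The directive names are real OpenSSH sshd_config options; the group name `sftponly`, the chroot path, the table name `bastion` and both sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Hardened sshd_config for an SFTP-only bastion (constructed sample).
# "sftponly" and /srv/sftp/%u are assumed names, not from the thread.
HARDENED_CONFIG='
# Serve SFTP in-process; no external sftp-server binary to leave the chroot.
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp      # every login becomes an SFTP session
    ChrootDirectory /srv/sftp/%u    # root-owned, non-writable by the user
    AllowTcpForwarding no           # no -L / -R port forwards
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no                 # no tun(4) layer-2/3 tunnels
    PermitTTY no                    # no interactive terminal even via ForceCommand
'

# Constructed "weak" config: a plain SSH server with forwarding left on.
WEAK_CONFIG='
Subsystem sftp /usr/lib/openssh/sftp-server
AllowTcpForwarding yes
X11Forwarding yes
'

# Host firewall matching the post's "no outbound connections" advice (nftables
# syntax; stored here for reference, not loaded by this script; load with
# nft -f on the host). Inbound: only new SSH sessions. Outbound: only packets
# belonging to connections the host already accepted, i.e. replies to clients.
HOST_FIREWALL_RULESET='
table inet bastion {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 22 ct state new accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
    }
}
'

# audit_sshd_config CONFIG_TEXT
# Normalizes the text (drops comments, squeezes whitespace) and checks that each
# shell/tunnel-closing directive is present with the restrictive value.
# Prints what is missing or permissive; returns 0 only if everything is closed.
audit_sshd_config() {
    _cfg=$1
    _fail=0
    _normalized=$(printf '%s\n' "$_cfg" \
        | sed 's/#.*//; s/[[:blank:]]\{1,\}/ /g; s/^ //; s/ $//')
    for _want in "ForceCommand internal-sftp" "AllowTcpForwarding no" \
                 "AllowAgentForwarding no" "X11Forwarding no" \
                 "PermitTunnel no" "PermitTTY no"; do
        # sshd keywords are case-insensitive, so match with -i.
        if ! printf '%s\n' "$_normalized" | grep -qi "^${_want}\$"; then
            echo "missing or permissive: $_want"
            _fail=1
        fi
    done
    return $_fail
}

# Stand-alone usage: audit both constructed configs.
echo "hardened config:"; audit_sshd_config "$HARDENED_CONFIG" && echo "  ok"
echo "weak config:";     audit_sshd_config "$WEAK_CONFIG" || echo "  not acceptable"
```

The audit is deliberately strict about values: a directive that is merely absent counts as permissive, because OpenSSH defaults `AllowTcpForwarding`, `X11Forwarding` (on some distributions) and `PermitTTY` to allow, so a config that never mentions them is not the SFTP-only bastion Frank describes. Pair the sshd settings with the firewall ruleset; neither alone removes the tunnelling exposure the original question raised.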
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Aug 13 2004