Firewall Wizards mailing list archives

ssh holes? Trojans?


From: Gregory Hicks <ghicks () cadence com>
Date: Mon, 18 Sep 2000 15:28:29 -0700 (PDT)


We have a requirement to monitor, for legal reasons, everything that
goes off the company network.

Recently, we closed access to port 22 (ssh).  The reasoning was that we
could monitor things like ftp, telnet, mail, et al because when these
data streams crossed the firewall, they were '...in the clear
(unencrypted).'  And yes, I know that ssh can be tunneled on any other
port...

With ssh, the data stream is encrypted at the user's workstation and
tunnels 'through' the firewall so we never get a chance to monitor it.

In addition, there have been 'strange' networks (like the internet)
showing up on our network monitoring facilities.  (None now, but there
may be again.)  Unfortunately, we have not been able to 'catch' anyone
'in the act' as it were...

Users have been infected with viruses that no-one else in the company
'catches'.

Anyway, we now believe that these 'occurrences' were caused when users
connected their home machines with their office workstations and
'stuff' on the home net crossed over to the corporate interface.

Now then, what we would like to do is to set up an ssh 'proxy' inside
the DMZ so that whatever is passed to the sshd on the proxy host
crosses our monitoring hosts 'in the clear'.

Does anyone know of such a beast?  Has anyone used it?  I only found an
unfinished section of C code...

After hearing from another source (an employee discussed our 'new'
policy with their SO at home), we 'heard' that there are ssh
'trojans'...  Any truth to the rumor?  I haven't been able to find any
info on this.

Assist appreciated in advance.

Regards,
Gregory Hicks

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

