Re: Merry Christmas from the FreeBSD Security Team

Board: FB_security, posted 2011/12/25 06:32
On 12/23/11, Peter Jeremy <peterjeremy@acm.org> wrote:
> I thought everyone had but an acquaintance explained that he has to
> run telnet because his employer doesn't permit any encrypted outside
> access so the employer can monitor all traffic.

It is possible to run ssh on port 23. This can be a good way to run a
"more secure telnet" service. This might not work if the firewall does
deep packet inspection on the telnet traffic. As usual, be cautious in
doing this.

On Fri, 23 Dec 2011 at 17:12 -0000, Oliver Pinter wrote:
> The solution for this situation is BalaBit SCB.
>
> http://www.balabit.com/network-security/scb

This had me scared for a bit, but it looks like an interesting box.

It seems intended to control/audit/log ssh (and other protocol)
administrative access to systems you own and control. It can play
man-in-the-middle if you are willing to give it your host private
keys. It looks like it can also man-in-the-middle if you accept its
own host keys (e.g. don't already have the host public key or don't
verify the fingerprint on a new public key). In other modes of
operation you know you are connecting to this device and it then
forwards connection on to the remote systems.

It could probably be abused to be used on outgoing connections, but I
doubt it has the necessary capacity for large traffic volumes. Since
outside systems shouldn't give out their private keys, it should be
obvious if something like this is in use.

Stuart Barkley
--
I've never been lost; I was once bewildered for three days, but never lost!
-- Daniel Boone
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
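The host-key check the message above relies on, as an added example that is not part of the original post: it computes the SHA256 fingerprint of a presented SSH public key and compares it with one obtained out of band. The host names, key bytes and the make_blob, fingerprint and check_host helpers are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def make_blob(key_type: str, raw: bytes) -> bytes:
    """Build an SSH wire-format public key blob: two length-prefixed strings."""
    t = key_type.encode("ascii")
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw)) + raw


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH 'type base64 [comment]' public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # The algorithm name inside the blob must agree with the textual label.
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type label does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host(host: str, presented_line: str, pinned: dict) -> str:
    """Compare the key a server presents with a fingerprint obtained out of band."""
    seen = fingerprint(presented_line)
    if host not in pinned:
        return "UNVERIFIED"  # no pinned key: accepting it now is blind trust
    if hmac.compare_digest(seen, pinned[host]):
        return "OK"
    return "MISMATCH"        # a different private key is answering for this host


def as_line(raw: bytes) -> str:
    """Encode constructed key bytes as an OpenSSH public key line."""
    return "ssh-ed25519 " + base64.b64encode(make_blob("ssh-ed25519", raw)).decode()


# Constructed sample keys (not real hosts): the server's own key, and the
# different key an interposing device would present in its place.
SERVER_KEY = as_line(bytes(range(32)))
PROXY_KEY = as_line(bytes(range(32, 64)))
PINNED = {"shell.example.org": fingerprint(SERVER_KEY)}

if __name__ == "__main__":
    for host, key in [("shell.example.org", SERVER_KEY),
                      ("shell.example.org", PROXY_KEY),
                      ("new.example.org", PROXY_KEY)]:
        print(host, fingerprint(key), check_host(host, key, PINNED))
```

The UNVERIFIED case is the one the message warns about: with no pinned fingerprint, the substituted key cannot be told apart from the real one.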
Article ID (AID): #1EzbBZFg (FB_security)