On Mon, 15 Dec 2008, Nix wrote:
> On 14 Dec 2008, Jakub Narebski spake thusly:
>> BTW, is outgoing SSH transport (from network to outside) blocked as
>> well?
>
> *No* ports are open. All they have is a (non-transparent) buggy HTTP
> proxy. These guys really don't get the Internet, despite their sales
> literature banging on endlessly about it.
>
> Looks like a lot of git-bundling is in my future.
No ports being open and a non-transparent HTTP proxy doesn't tell me that
they don't get the Internet. They could get the Internet just fine and be
suitably paranoid about it. Controlling outbound traffic is actually a
good thing in the current era of botnets (it prevents any of the machines
in that company from participating in a botnet if they can't reach the
command system).

The fact that the proxy is buggy could be an issue (I'm curious about what
types of bugs you are running into; what you see as a bug may not be).

If there is a business reason for the developers on that network to be
accessing resources on the Internet, there should be a way to request that
the appropriate ports get opened. If the answer from the security folks is
'no', you should ask them why not and what could be done to get the job
done.

It may be that they don't want to provide access out from a bunch of
desktops. If that is the case, it may be appropriate to build a box to put
into the DMZ that pulls from the upstream, and then the inside desktops
pull from this gateway system.

The saying goes "don't attribute to malice what can be explained by
incompetence", but along the same lines in the security field, don't
attribute to incompetence what can be explained by people doing their jobs
who are ignorant of the requirements. They may also be operating under
constraints that you don't know about.
David Lang