Re: OpenSSH-Client without reverse tunnel ability

Hello all.

First of all, I want to extend my sincere thanks to all the people who
came to the rescue so quickly.

In any case, there is obviously room for clarification on my part, so I
will try to describe the situation we had in more detail.

In short:
Employees used the openssh-*client* from *within* our company network to
create a *reverse* SSH tunnel, using an *external* SSH server. We
control the clients but not the servers.
So, we wanted to restrict our *clients*.

Of course, we are aware of other tools like socat or employees who can
compile openssh on their own, but our aim was not to make data
exfiltration impossible, as this would, indeed, mean disconnecting from the
internet.
Obviously, I failed to emphasize that our employees did not break the
rules deliberately, but because they simply were not aware of the
impact their actions had.
As a matter of fact, we often legitimately use SSH tunnels, also reverse
tunnels, in other situations (i.e. not on our workstations).
And indeed, we have the sign-it-with-your-blood policy. The employees
did not understand that they were breaking it.
Suffice it to say that our case could have been prevented if the employees
had received a notification. And since they use SSH by default
before they try anything else, this was our starting point.

In the end, we figured, the most general way to prevent such breaches
would be to restrict reverse tunnels on workstations, so the employees
are reminded that this is not allowed. (Since they always could use an
external SSH server to do nasty stuff.) Alternatively, any means of
monitoring reverse tunnels would be an improvement.

However, I gathered this is not possible right now and cannot easily be
added as a feature. As far as I am concerned, my question is therefore
answered and we will have to find another solution.


Thanks again to all of you and best regards

Jan Bergner

-- 
________________________________________
*Jan Bergner, M.Sc. *
Software Engineer
 
*indurad GmbH*
*The Industrial Radar Company*
 
Belvedereallee 5
52070 Aachen, Germany
Office: + 49 241 538070-61
Front Desk: + 49 241 538070-0
Fax: + 49 241 538070-99

jan.bergner@xxxxxxxxxxx
www.indurad.com <http://www.indurad.com/>
_______________________________________


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
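The post's fallback wish is a monitoring signal when a workstation ssh client is asked for a reverse forward. The following POSIX shell snippet is an illustration added here; it is not OpenSSH code and not something the poster or the list proposed. It heuristically flags ssh command lines, as a process monitor or an auditd execve record would present them, that carry `-R`, a flag cluster ending in `R` such as `-fNR`, or `-o RemoteForward=...`, and separately flags ssh_config text that sets `RemoteForward`. The host names, command lines and config text are constructed sample input; the function names are my own.

```shell
#!/bin/sh
# Added illustration, not OpenSSH code: heuristically flag ssh client command
# lines that request a reverse forward, and ssh_config text that sets
# RemoteForward. All sample input below is constructed.

set -f   # no pathname expansion while we word-split command lines

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Return 0 if the ssh command line in $1 requests a reverse forward, else 1.
# Option parsing stops at "--" or at the first non-option token (the host),
# so a "-R" inside the remote command (e.g. "ls -R") is not counted.
ssh_requests_reverse_forward() {
    # shellcheck disable=SC2086
    set -- $1                  # word-split; quoted arguments are not handled
    [ $# -gt 0 ] || return 1
    shift                      # drop the program name
    while [ $# -gt 0 ]; do
        tok=$1
        shift
        case "$tok" in
            --)        return 1 ;;
            -R|-R?*)   return 0 ;;                 # "-R spec" or "-Rspec"
            -o)                                    # "-o keyword=value" (keywords are case-insensitive)
                case "$(lc "$1")" in remoteforward=*|remoteforward) return 0 ;; esac
                if [ $# -gt 0 ]; then shift; fi ;;
            -o?*)                                  # "-okeyword=value"
                case "$(lc "${tok#-o}")" in remoteforward=*|remoteforward) return 0 ;; esac ;;
            -[BbcDEeFIiJLlmOpQSWw])                # options taking a separate argument
                if [ $# -gt 0 ]; then shift; fi ;;
            -[BbcDEeFIiJLlmOpQSWw]?*) ;;           # same, with the argument attached
            -*)                                    # flag cluster such as -fNR or -fNR8022:...
                case "$tok" in *R*) return 0 ;; esac ;;
            *)         return 1 ;;                 # host reached, remaining tokens are the remote command
        esac
    done
    return 1
}

# Return 0 if ssh_config text on stdin sets RemoteForward (any case, "=" or blank separator).
config_has_remote_forward() {
    grep -iqE '^[[:space:]]*RemoteForward([[:space:]]|=)'
}

# Count command lines on stdin (one per line) that request a reverse forward.
count_reverse_tunnel_cmds() {
    n=0
    while IFS= read -r line; do
        if ssh_requests_reverse_forward "$line"; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# Constructed sample of ssh invocations as a workstation agent might collect them.
SAMPLE_CMDLINES='ssh -R 8022:localhost:22 user@vps.example.net
ssh -fNR 8022:localhost:22 user@vps.example.net
ssh -o RemoteForward=8022:localhost:22 user@vps.example.net
ssh -L 8080:localhost:80 user@vps.example.net
ssh user@vps.example.net ls -R /tmp'

printf '%s\n' "$SAMPLE_CMDLINES" | while IFS= read -r line; do
    if ssh_requests_reverse_forward "$line"; then printf 'REVERSE TUNNEL: %s\n' "$line"; fi
done
```

This is a heuristic, not a control: it does not see quoted arguments, a `RemoteForward` line pulled in through an `Include`d config file, or a forward added after the session is up via the ssh escape command line (`~C`), and it says nothing about socat or a self-compiled client, which the post already rules out of scope. It matches the post's stated aim of giving the employee a reminder or giving the operator a signal, nothing stronger.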
