I agree with Jared as well. Policy is the best option. What I described below is only two ways to do it. On Mon, 13 Oct 2003 duane@xxxxxxxxxxx wrote: > Yes it is possible and they can bypass any proxies in the middle. Someone > I know actually set that up so that their friend could bypass the > restrictions of their ISP. A person can setup an Apache server as a proxy > on a remote site and have it accept connections from the local interface: > 127.0.0.1. Then someone who has an account on that server can ssh in like > this: > > ssh -C -L 1080:127.0.0.1:80 <remote server> > > Then they can set their browser's proxy settings to: 127.0.0.1 port 1080 > > then anywhere they surf on the Internet will be over that SSH connection > and through the remote server running the Apache proxy. > > They could also use a program like cgiproxy to bypass the proxy at their > organization if they use SSL or use the same situation above. > > The way to catch it is to watch for continuous or frequent SSH streams to > a remote server outside the user's organization. > > On Mon, 13 Oct 2003, Bernard Hoffman wrote: > > > Hello all. > > > > A colleague asked me a question that I was unable to answer, so I thought > > one of you might be able to help. > > > > He asked me "is it possible for someone inside my organization to twart > > security by ssh tunneling thru my HTTP proxy server to a destination SSH > > server listening on port 80". I don't know what http proxy he's running and > > we didn't talk about SSL or 443 proxy - I'm assuming the same rules would > > apply. > > > > My initial reaction was "no, it's not a hole", but then I thought about some > > "less intelligent" proxies that don't inspect packet content... and that was > > the end of my expertise. > > > > Is it possible? or better question, is it likely? > > -=Berns > > > > > > ------ > > Bernard Hoffman > > Captive Capital Corp. (f.k.a. eMarket Capital, Inc.) > > http://www.captivecorp.com > > > > > > > > > > -- duane while [ !sleep ] sheep++ ; // Articles and stuff http://www.sukkha.info ------------------------------------------------------------------------ To unsubscribe email security-discuss-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message.
