Thanks for all the feedback everyone. I got my answer today.

One thing I should have clarified is that the server in the DMZ is behind my own firewall. I control it and there are no other processes on it monitoring for tunnels.

But the answer is really simple. I connect outbound on port 22 to my dmz host, but what I did NOT know is that it is via an SSH proxy and that is how they detected the tunnel.

The admin (who happens to be a SANS presenter) explained everything to me :)

Closed issue. Thanks for the help :)

Gary Huntress

On Fri, Jul 17, 2009 at 6:13 PM, Rob Wilcox <robertwilcox@xxxxxxxxx> wrote:
> Did the office install a strict egress/ingress ruleset or a proxy that may
> be blocking your tunnel port? I only suggest this as I have to assume you
> are initiating the tunnel on a different port than 22/tcp.
>
> -Rob
>
> On Thu, Jul 16, 2009 at 6:37 PM, Gary Huntress <gary.huntress@xxxxxxxxx>
> wrote:
>>
>> Hi,
>>
>> Let me start right off by saying I am not trying to circumvent the
>> security policy of my office, even though this will sound like that's
>> what I'm trying to do. My office recently instituted a very strict
>> firewall policy which forbids tunneling traffic.
>>
>> Prior to that, I would use putty from my XP desktop to reach a server
>> in our DMZ. I would have an ssh session open for hours and I would
>> often tunnel traffic to administer a sybase database. With the new
>> policy I can still establish and maintain an ssh session for as long
>> as I want but my connection is instantly closed if I try to tunnel.
>>
>> What I would like to know is, how is the tunnel detected? I've
>> always assumed that once my ssh session is made that every packet
>> would be completely encrypted, even the headers of the tunneled
>> packets. So even if the tunnel used GRE (or whatever) it would be
>> encrypted too. Clearly that's not the case.
>>
>> So, how is my tunnel detected? And no I'm not going to keep trying,
>> this is a fireable offense!
>>
>> Gary H.
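
Added example (not part of the original thread): a sketch of the check an SSH proxy can make, assuming it terminates the SSH session and therefore sees the decrypted connection-protocol messages of RFC 4254, where a port forward is opened as a `direct-tcpip` channel rather than a `session` channel. The function names, the sample payloads and the host `db.example.internal` are constructed for illustration.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90  # RFC 4254, section 5.1
FORWARDING_TYPES = {"direct-tcpip", "forwarded-tcpip"}  # RFC 4254, section 7.2

def read_string(buf, off):
    """Read an SSH 'string': uint32 length followed by that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:end], end

def read_uint32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def inspect_payload(payload):
    """Verdict for one decrypted SSH connection-protocol payload."""
    if not payload or payload[0] != SSH_MSG_CHANNEL_OPEN:
        return {"action": "pass"}
    raw_type, off = read_string(payload, 1)
    ctype = raw_type.decode("ascii", "replace")
    if ctype not in FORWARDING_TYPES:
        return {"action": "pass", "channel": ctype}
    for _ in range(3):  # skip sender channel, initial window, max packet size
        _, off = read_uint32(payload, off)
    host, off = read_string(payload, off)   # host the tunnel connects to
    port, off = read_uint32(payload, off)   # port the tunnel connects to
    target = f"{host.decode('ascii', 'replace')}:{port}"
    return {"action": "close", "channel": ctype, "target": target}

def ssh_string(s):
    return struct.pack(">I", len(s)) + s

# Constructed sample payloads (not captured traffic).
SESSION_OPEN = bytes([90]) + ssh_string(b"session") + struct.pack(">III", 0, 2**21, 32768)
TUNNEL_OPEN = (bytes([90]) + ssh_string(b"direct-tcpip")
               + struct.pack(">III", 1, 2**21, 32768)
               + ssh_string(b"db.example.internal") + struct.pack(">I", 5000)
               + ssh_string(b"127.0.0.1") + struct.pack(">I", 51234))

if __name__ == "__main__":
    for p in (SESSION_OPEN, TUNNEL_OPEN):
        print(inspect_payload(p))
```

The interactive shell passes because it opens a `session` channel, while the forward is closed as soon as the `direct-tcpip` open request appears, which matches the behaviour described in the original question.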