zlacker

[parent] [thread] 4 comments
1. jamesp+(OP)[view] [source] 2017-02-28 12:44:16
Why would anyone competent allow unrestricted ssh through the corporate firewall?
replies(2): >>simias+e2 >>acdha+Gb
2. simias+e2[view] [source] 2017-02-28 13:13:30
>>jamesp+(OP)
In my experience many companies simply filter based on port number. Run your external sshd/openvpn on port 80 and you're good to go. But of course that's going off topic since TFA is obviously about middleboxes actually intercepting and analyzing the traffic.

In truth though, if you start considering your employees as the enemy it's just a never-ending upwards battle, especially if your employees are comp-sci folks. You could tunnel SSH over HTTP or even DNS if you cared enough.

replies(1): >>daxelr+9B
3. acdha+Gb[view] [source] 2017-02-28 14:46:06
>>jamesp+(OP)
Ask what goal they're trying to solve: is it really because the IT people want to monitor everyone's web surfing or do they have something like an audit requirement? There are a LOT of people in the latter camp who need to check the box to say they comply with some policy, regulation, etc.

Similarly, good security people know that port filtering is a losing game unless you are willing to restrict everything to a known-safe whitelist – the malware authors do work full-time on tunneling techniques, after all – and may be focusing their efforts on endpoint protection or better isolation between users/groups.
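The two points above (simias: many corporate filters only look at the destination port, so sshd on port 80 sails through; acdha: port filtering is a losing game unless egress is restricted to a known-safe whitelist) are what a protocol-aware middlebox exists to address. The following is an added example from the editor, not code from any commenter or from the article under discussion: it classifies a flow by the first bytes of its payload (the `SSH-` identification string, an HTTP request line, or a TLS record header) instead of trusting the port, applies a default-deny egress whitelist, and raises an alert when the observed protocol does not match what the port is whitelisted for. The flows, ports and addresses are constructed sample data.

```python
"""Protocol-aware egress check (added example, constructed data).

A port-only filter asks "is dport 80?"; this check also asks "does the
payload actually look like the protocol port 80 is allowed for?".
"""
from dataclasses import dataclass
from typing import List, Tuple

# Egress whitelist: port -> protocol we expect to see on it (assumed policy).
# Any port not listed is denied outright (default deny).
EXPECTED = {22: "ssh", 80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def classify(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of a stream."""
    # SSH peers exchange an identification string before anything else
    # (RFC 4253), so a server or client banner is an unambiguous marker.
    if payload.startswith(b"SSH-"):
        return "ssh"
    # Plain HTTP starts with a request line: METHOD SP target SP version.
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS: record type 0x16 (handshake), legacy version major byte 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


@dataclass
class Flow:
    src: str          # internal client address
    dst: str          # external server address
    dport: int        # destination port
    first_bytes: bytes  # first payload bytes seen on the connection


def check_flow(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, observed_protocol) for one flow."""
    proto = classify(flow.first_bytes)
    expected = EXPECTED.get(flow.dport)
    if expected is None:
        return ("deny", proto)      # port is not on the whitelist at all
    if proto != expected:
        return ("alert", proto)     # whitelisted port, unexpected protocol
    return ("allow", proto)


def audit(flows: List[Flow]) -> List[Tuple[str, int, str, str]]:
    """Run every flow through the check; returns (src, dport, verdict, proto)."""
    return [(f.src, f.dport, *check_flow(f)) for f in flows]


# Constructed sample traffic (documentation addresses from RFC 5737).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", 22, b"SSH-2.0-OpenSSH_7.4\r\n"),
    Flow("192.0.2.11", "203.0.113.6", 80, b"GET /index.html HTTP/1.1\r\n"),
    # The case simias describes: an SSH server listening on port 80.
    Flow("192.0.2.12", "203.0.113.7", 80, b"SSH-2.0-OpenSSH_7.4\r\n"),
    Flow("192.0.2.13", "203.0.113.8", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xF4])),
    Flow("192.0.2.14", "203.0.113.9", 8080, b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for src, dport, verdict, proto in audit(SAMPLE_FLOWS):
        print(f"{src:>12} -> :{dport:<5} {verdict:5} ({proto})")
```

Two caveats follow directly from acdha's comment. First, the banner check only sees plaintext: SSH carried inside a TLS session to port 443 classifies as `tls` and is allowed, which is exactly why the middleboxes in the article go as far as terminating TLS. Second, the default-deny branch is what makes this a whitelist rather than a blacklist; without it the check degrades back to the port-number filtering simias describes, just with extra steps.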

4. daxelr+9B[view] [source] [discussion] 2017-02-28 17:41:20
>>simias+e2
How does the threat model where employees are the enemy differ from the threat model where malware running inside the network is the enemy?
replies(1): >>simias+VC
5. simias+VC[view] [source] [discussion] 2017-02-28 17:50:50
>>daxelr+9B
You want your employees to collaborate with you in avoiding and tracking down malware and potential leaks. If everybody is used to working around your restrictions, you just make it harder for yourself to figure out what's happening when something goes wrong.

For instance if your policies are too restrictive people will use their smartphones more and more to access the internet. Then some will start doing work stuff on their smartphones and you lose all control. What do you do then? Forbid smartphones within the company? Fire everybody you catch using one? It's just an arms race at this point.

Sane security measures and some pedagogy go a long way. Easier said than done, though; it's a tough compromise to make.
