[Cialug] Question about ssh over ssl and clever firewalls.
Kenneth Ristau
cialug@cialug.org
Fri, 21 Jan 2005 04:22:53 -0600
Don Cady wrote:
> I'll throw my hat in the yes ring, but add that most firewalls probably
> don't have such a rule included with them. A rule or script would need
> to be written, and using it might impair some of their legitimate
> traffic. I can't imagine it's very common. (please go ahead and prove
> me wrong)
>
> Don
True indeed. I'm not purporting that this is a standard or even common
thing -- just possible. Taking the path of least resistance, most
ultra-paranoid net admins would likely just whitelist all their
"trusted" ssl sites, thus negating the need for a firewall rule like
this. If you're trying to run an ssh connection over ssl and you aren't
on the "trusted" list...
It would be interesting to see what such a firewall rule would do in a
production environment. Would there be false negatives, so to speak, on
legitimate ssl connections? Might be a good topic to explore at the
next meeting if anyone is interested. Set up a firewall, craft some
rules and have lug members try to hit a gaggle of ssl sites through it.
later,
kristau
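As an added illustration of the kind of rule being speculated about (this is example code, not from the thread or any list member): a first-bytes classifier a firewall might apply to port 443 flows. It tells a plaintext SSH banner from a TLS ClientHello, so ssh run straight on 443 gets flagged, while ssh wrapped in ssl (stunnel-style) looks identical to a browser at this layer and passes. That gap is the false-negative side of the question raised above; the sample byte strings are constructed.

```python
# Added example, not code from the original post. A minimal "first bytes"
# check of the sort a clever firewall rule could run on new connections.
# It only looks at what the client sends first and cannot see inside TLS.

TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}  # SSLv3 .. TLS 1.2+


def classify_first_bytes(data: bytes) -> str:
    """Return 'ssh', 'tls' or 'unknown' for the first bytes a client sent."""
    # RFC 4253 identification string, e.g. b"SSH-2.0-OpenSSH_8.9\r\n"
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record: type 0x16 (handshake), 2-byte version, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16:
        record_version = int.from_bytes(data[1:3], "big")
        if record_version in TLS_RECORD_VERSIONS and data[5] == 0x01:
            return "tls"
    return "unknown"


def verdict(port: int, data: bytes) -> str:
    """Policy a rule might apply: TLS on 443 is allowed, plaintext SSH on 443
    is flagged, anything else on 443 is queued for closer inspection."""
    kind = classify_first_bytes(data)
    if port != 443:
        return "allow"
    if kind == "ssh":
        return "flag"
    if kind == "unknown":
        return "inspect"
    return "allow"


# Constructed samples: a ClientHello prefix and a plain SSH banner.
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x03"
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"

if __name__ == "__main__":
    print("browser on 443 ->", verdict(443, SAMPLE_CLIENT_HELLO))   # allow
    print("bare ssh on 443 ->", verdict(443, SAMPLE_SSH_BANNER))    # flag
    # ssh inside an ssl tunnel starts with a ClientHello too, so the rule
    # sees it as ordinary TLS: the false negative discussed in the thread.
    print("ssh over ssl on 443 ->", verdict(443, SAMPLE_CLIENT_HELLO))  # allow
```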