Date:      Fri, 14 Aug 2020 08:29:53 +0200
From:      Polytropon <freebsd@edvax.de>
To:        "Steve O'Hara-Smith" <steve@sohara.org>
Cc:        Aryeh Friedman <aryeh.friedman@gmail.com>, André Boon <freebsd@andreboon.nl>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: OT: Dealing with a hosting company with it's head up it's rear end
Message-ID:  <20200814082953.7647b2f6.freebsd@edvax.de>
In-Reply-To: <20200814065701.2b390145ac6d189161bc31b4@sohara.org>
References:  <CAGBxaXmg0DGSEYtWBZcbmQbqc2vZFtpHrmW68txBck0nKJak=w@mail.gmail.com> <CAGBxaX=XbbFLyZm5-BO=6jCCrU%2BV%2BjubxAkTMYKnZZZq=XK50A@mail.gmail.com> <CALeGphwfr7j-xgSwMdiXeVxUPOP-Wb8WFs95tT_%2Ba8jig_Skxw@mail.gmail.com> <CAGBxaX=CXbZq-k6=udNaXTj2m%2BgnpDCB%2Bui4wgvtrzyHhjGeSw@mail.gmail.com> <40xvq0.qf0q3x.1hge1ap-qmf@smtp.boon.family> <CAGBxaX=9asO=X32RucVyNz5kppPhbZc9Ayx-pyiXMBi85BeJ6w@mail.gmail.com> <20200814004312.bb0dd9f1.freebsd@edvax.de> <20200814065701.2b390145ac6d189161bc31b4@sohara.org>

On Fri, 14 Aug 2020 06:57:01 +0100, Steve O'Hara-Smith wrote:
> On Fri, 14 Aug 2020 00:43:12 +0200
> Polytropon <freebsd@edvax.de> wrote:
> 
> > On Thu, 13 Aug 2020 16:12:18 -0400, Aryeh Friedman wrote:
> > > They have a whacko firewall config that will eat 443/decrypt it/forward
> > > it on as plain http via a proxy on the firewall
> > 
> > So what you're saying is: They don't care about security,
> > in fact, they're making things worse, by being the "man in
> > the middle"?! Wow...
> 
> 	It is a very common corporate firewall technique, and appropriate
> in that context. But for a hosting company it seems odd.
> 
> > "Boohoohoo! SSH is so insecure, we must not allow that!"
> 
> 	Again many corporate firewalls don't allow ssh out (or in directly)
> because tunnelling bypasses the firewalls. And again it seems odd for a
> hosting company.

Exactly my impression. For a regular "boring paper office",
such limitations are not a surprise, and seem to work fine,
eliminating a few of the most common attack vectors. Smear
a few gallons of snake oil on the whole IT infrastructure
and perform security theatre twice a month, and everyone
will be happy. And look at the shiny new ISO-9660 certificate
we have bought!

Again, as a _hosting_ service, the decisions mentioned above,
especially with no usable workaround ("Due to security
considerations, we do offer a different way of doing this."),
are really strange. VPN can help to a certain degree, but
crippling the networking between VMs (and of the VMs to
the outside where the devices are located which need to
be communicated with) looks quite contrary to what one would
assume a hosting company would be doing... but hey, what do
I know, I'm just a stupid old man... ;-)




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


