Date: Sat, 24 Dec 2011 16:21:06 -0500 (EST)
From: Stuart Barkley <stuartb@4gh.net>
To: freebsd-security@freebsd.org
Subject: Re: Merry Christmas from the FreeBSD Security Team
Message-ID: <alpine.BSF.2.00.1112241603370.24400@freeman.4gh.net>
In-Reply-To: <CAPjTQNExAg5UrtvcH3rsX_S_Odjuhi=wRLL7BpgR_SwJR706HA@mail.gmail.com>
References: <4EF4A120.1000305@freebsd.org> <20111223195713.GA61589@server.vk2pj.dyndns.org> <CAPjTQNExAg5UrtvcH3rsX_S_Odjuhi=wRLL7BpgR_SwJR706HA@mail.gmail.com>
On 12/23/11, Peter Jeremy <peterjeremy@acm.org> wrote:

> I thought everyone had but an acquaintance explained that he has to
> run telnet because his employer doesn't permit any encrypted outside
> access so the employer can monitor all traffic.

It is possible to run ssh on port 23. This can be a good way to run a
"more secure telnet" service. This might not work if the firewall does
deep packet inspection on the telnet traffic. As usual, be cautious in
doing this.

On Fri, 23 Dec 2011 at 17:12 -0000, Oliver Pinter wrote:

> The solution for this situation is BalaBit SCB.
>
> http://www.balabit.com/network-security/scb

This had me scared for a bit, but it looks like an interesting box.

It seems intended to control/audit/log ssh (and other protocol)
administrative access to systems you own and control. It can play
man-in-the-middle if you are willing to give it your host private keys.
It looks like it can also man-in-the-middle if you accept its own host
keys (e.g. don't already have the host public key or don't verify the
fingerprint on a new public key). In other modes of operation you know
you are connecting to this device and it then forwards the connection
on to the remote systems.

It could probably be abused to be used on outgoing connections, but I
doubt it has the necessary capacity for large traffic volumes. Since
outside systems shouldn't give out their private keys, it should be
obvious if something like this is in use.

Stuart Barkley
--
I've never been lost; I was once bewildered for three days, but never lost!
-- Daniel Boone
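As an added illustration of the last point (example code, not part of Stuart's message or of any product mentioned): a client-side check, modelled on how OpenSSH consults known_hosts, that reports when a host presents a key different from the one recorded for it, which is exactly what a man-in-the-middle box using its own host keys would trigger. All hostnames, keys and the known_hosts contents are constructed placeholders; hashed entries follow the |1|salt|HMAC-SHA1 format OpenSSH uses.

```python
import base64
import hashlib
import hmac


def _ed25519_blob(pubkey32: bytes) -> str:
    """Encode a 32-byte placeholder as an ssh-ed25519 public key blob."""
    kt = b"ssh-ed25519"
    raw = len(kt).to_bytes(4, "big") + kt + len(pubkey32).to_bytes(4, "big") + pubkey32
    return base64.b64encode(raw).decode()


# Constructed keys (not real servers' keys): the genuine host key, and a
# different key such as an intercepting device would present as its own.
REAL_KEY = _ed25519_blob(bytes(range(32)))
PROXY_KEY = _ed25519_blob(bytes(range(32, 64)))


def hashed_host_entry(host: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def sha256_fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint, for showing the user on first contact."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(field: str, host: str) -> bool:
    if field.startswith("|1|"):  # hashed entry: recompute with the stored salt
        salt = base64.b64decode(field.split("|")[2])
        return field == hashed_host_entry(host, salt)
    return host in field.split(",")  # plain entry: comma-separated names/addresses


def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """Return 'match', 'mismatch' (recorded key differs: possible interception)
    or 'unknown' (no entry of this key type for the host)."""
    same_type_seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):  # comments, CA/revoked markers
            continue
        if parts[1] != keytype or not host_matches(parts[0], host):
            continue
        if parts[2] == key_b64:
            return "match"
        same_type_seen = True
    return "mismatch" if same_type_seen else "unknown"


# Constructed sample file, not a real known_hosts.
KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "server.example,10.0.0.5 ssh-ed25519 " + REAL_KEY,
    hashed_host_entry("hashed.example", b"saltsaltsaltsalt1234") + " ssh-ed25519 " + REAL_KEY,
])
```

A 'mismatch' is the case to stop on: the first connection to a host only yields 'unknown', which is why verifying the fingerprint out of band on first contact matters.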
