Date: Fri, 14 Aug 2020 08:29:53 +0200
From: Polytropon <freebsd@edvax.de>
To: "Steve O'Hara-Smith" <steve@sohara.org>
Cc: Aryeh Friedman <aryeh.friedman@gmail.com>, André Boon <freebsd@andreboon.nl>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: OT: Dealing with a hosting company with it's head up it's rear end
Message-ID: <20200814082953.7647b2f6.freebsd@edvax.de>
In-Reply-To: <20200814065701.2b390145ac6d189161bc31b4@sohara.org>
References: <CAGBxaXmg0DGSEYtWBZcbmQbqc2vZFtpHrmW68txBck0nKJak=w@mail.gmail.com>
 <CAGBxaX=XbbFLyZm5-BO=6jCCrU%2BV%2BjubxAkTMYKnZZZq=XK50A@mail.gmail.com>
 <CALeGphwfr7j-xgSwMdiXeVxUPOP-Wb8WFs95tT_%2Ba8jig_Skxw@mail.gmail.com>
 <CAGBxaX=CXbZq-k6=udNaXTj2m%2BgnpDCB%2Bui4wgvtrzyHhjGeSw@mail.gmail.com>
 <40xvq0.qf0q3x.1hge1ap-qmf@smtp.boon.family>
 <CAGBxaX=9asO=X32RucVyNz5kppPhbZc9Ayx-pyiXMBi85BeJ6w@mail.gmail.com>
 <20200814004312.bb0dd9f1.freebsd@edvax.de>
 <20200814065701.2b390145ac6d189161bc31b4@sohara.org>

On Fri, 14 Aug 2020 06:57:01 +0100, Steve O'Hara-Smith wrote:
> On Fri, 14 Aug 2020 00:43:12 +0200
> Polytropon <freebsd@edvax.de> wrote:
>
> > On Thu, 13 Aug 2020 16:12:18 -0400, Aryeh Friedman wrote:
> > > They have a whacko firewall config that will eat 443/decrypt it/forward
> > > it on as plain http via a proxy on the firewall
> >
> > So what you're saying is: They don't care about security,
> > in fact, they're making things worse, by being the "man in
> > the middle"?! Wow...
>
> It is a very common corporate firewall technique, and appropriate
> in that context. But for a hosting company it seems odd.
>
> > "Boohoohoo! SSH is so insecure, we must not allow that!"
>
> Again many corporate firewalls don't allow ssh out (or in directly)
> because tunnelling bypasses the firewalls. And again it seems odd for a
> hosting company.

Exactly my impression. For a regular "boring paper office",
such limitations are not a surprise, and seem to work fine,
eliminating a few of the most common attack vectors. Smear
a few gallons of snake oil on the whole IT infrastructure
and perform security theatre twice a month, and everyone
will be happy. And look at the shiny new ISO-9660 certificate
we have bought!

Again, as a _hosting_ service, the decisions mentioned above,
especially with no usable workaround ("Due to security
considerations, we do offer a different way of doing this.")
are really strange. VPN can help to a certain degree, but
crippling the networking between VMs (and of the VMs to the
outside where the devices are located which need to be
communicated with) looks quite contrary to what one would
assume a hosting company would be doing... but hey, what
do I know, I'm just a stupid old man... ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...