[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSH Blocking

On Sun, 1 May 2005, Nicos Gollan wrote:

> On Tuesday April 26 2005 07:51, Alvin Oga wrote:
> > i log into any machine around the world and vice versa ...
> > but only with "known and trusted boxes" ...
> >
> > you can always convert dynamic ip# into static ip# and continue from that
> > known proxy
> And how exactly does that take logging into a trusted box from a potentially 
> untrusted one out of the equation? You're merely moving the original problem 
> to a proxy (which might get compromised as well), not solving it. When you 
> are on a dynamic IP, you can't just push a button to get a static, trusted 
> one, but you might still need to log in to your database server to restart a 
> crashed service.

that is precisely why i do NOT permit dhcp and dynamic ip# .. etc..etc..
or vpn or wireless  ....
	- if corp IT doesnt maintain it, they dont get to use it to
	get into the corp IT's machines ( behind the fw )

but for those folks that do insist that they want for example to read
corp mail from the hotel and airport, you need to give the ceo/and other
boss's a way to come in ... on the outside of the firewall ..

	- it'd be less likely that the cracker will break into
	the proxies and multiple accounts on different machines
	before they get in ..  but it's still 100% possible for
	the determined cracker which is beyond the scope of most
	corp it budgets

	- risk analysis vs productivity .. :-)  let them decide ...

c ya

Reply to: