Re: SSH Blocking
On Sun, 1 May 2005, Nicos Gollan wrote:
> On Tuesday April 26 2005 07:51, Alvin Oga wrote:
> > i log into any machine around the world and vice versa ...
> > but only with "known and trusted boxes" ...
> > you can always convert dynamic ip# into static ip# and continue from that
> > known proxy
> And how exactly does that take logging into a trusted box from a potentially
> untrusted one out of the equation? You're merely moving the original problem
> to a proxy (which might get compromised as well), not solving it. When you
> are on a dynamic IP, you can't just push a button to get a static, trusted
> one, but you might still need to log in to your database server to restart a
> crashed service.
that is precisely why i do NOT permit dhcp and dynamic ip# .. etc..etc..
or vpn or wireless ....
- if corp IT doesnt maintain it, they dont get to use it to
get into the corp IT's machines ( behind the fw )
but for those folks that do insist that they want for example to read
corp mail from the hotel and airport, you need to give the ceo/and other
boss's a way to come in ... on the outside of the firewall ..
- it'd be less likely that the cracker will break into
the proxies and multiple accounts on different machines
before they get in .. but it's still 100% possible for
the determined cracker which is beyond the scope of most
corp it budgets
- risk analysis vs productivity .. :-) let them decide ...