[svlug] Firewall Tunnel v0.2

J C Lawrence claw at kanga.nu
Tue Jun 12 23:25:02 PDT 2001

On Tue, 12 Jun 2001 22:18:21 -0700 
Marc MERLIN <marc_news at valinux.com> wrote:

> I should add just for the record that in many companies, you will
> get fired and maybe prosecuted if you get caught using programs
> like this.

While literally true, it's not universal.  At the last three
companies I've worked at I've explicitly asked about setting up SSH
port forwards into the corporate network and other such
arrangements.  In all three cases the answer was:

  "You do it, you're responsible for it.  As long as I (IS) never
  have to hear or know about it, I'm fine."

In two cases there was brief discussion about what sorts of measures
and care I should take (ie did I have any clue).  In one case they
started out by running a portscanner against my desktop, found
precisely two ports open (SSH and SMTP) and took that as evidence
that I had clue.  In all cases it was clear that underneath there
was a realisation that there was nothing they could do to either
stop or detect me if I did such, and that therefore they were much
better off having me tell them up front and thus them knowing, than
it happening clandestinely.

> While it benefits the user who's using this, it of course puts the
> whole company at risk by putting an unmanaged and unprotected
> tunnel back in the company if the remote host gets compromised.

We're basically dealing with a port forward in the case of the tool
discussed.  Unlike a VPN, that's not a wide open door into the

Yes, it extends your security perimeter by exposing an internal
system to unmonitored/unfiltered/etc traffic on the forwarded port.
Given that the port forward is initiated from inside the firewall to
the outside terminus, compromise of the outside terminus does not
actually extend or otherwise affect your internal security model any
further than it was already stretched.  In the case of the port
forward, compromise of the external terminus gives no particular
greater access to the port forward than via a secure terminus, so
there's no loss there.  

That is *UNLESS* there are other second order behaviours which
leverage that exposure such as shared passwords between the
compromised system and the internal end of the port-forward which
can be otherwise exploited to leverage access into the controlled
LAN (eg same root PW inside and outside).  But that is a discovery
vector more than an exploit vector.

J C Lawrence                                       claw at kanga.nu
---------(*)                          http://www.kanga.nu/~claw/
The pressure to survive and rhetoric may make strange bedfellows
