
A reminder of why companies need to block outbound SSH

Noted in a comment on Slashdot:

One day, I set up a PPP over SSH tunnel between my home computer, and my desktop at work. Transferring large binary files from my office network to my home computer was much closer to the original 3Mb/s speeds.

There is no legitimate reason for the above. It would be a great opportunity for a malicious insider (e.g. to transfer proprietary data or to bypass access controls) or just a dumb-ass insider (e.g. to get around content filters).

Some subset of internal users may need SSH access to the organization’s servers that sit beyond the firewall. The right thing to do is to have firewall rules that permit exactly that user group and exactly their destinations, and deny outbound SSH for everyone else.
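What that policy looks like when checked against the firewall's own connection log, as an added example that is not from the original post. It assumes a constructed policy (admin workstations in 10.0.5.0/24 may reach two named jump hosts on tcp/22, nothing else may leave on tcp/22) and constructed iptables-style LOG lines; the egress audit flags the home-tunnel case from the quoted comment and an approved user reaching an unapproved host.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed policy: the explicit SSH user group and their destinations.
SSH_ALLOWED_SOURCES = [ip_network("10.0.5.0/24")]                 # admin workstations (assumed)
SSH_ALLOWED_DESTINATIONS = [ip_network("203.0.113.10/32"),       # jump hosts (assumed)
                            ip_network("203.0.113.11/32")]
INTERNAL = ip_network("10.0.0.0/8")                              # internal SSH handled elsewhere

def outbound_ssh_permitted(src: str, dst: str, dport: int) -> bool:
    """Mirror of the firewall rule: tcp/22 leaves the network only from the
    approved group to the approved hosts. Non-SSH ports are not judged here."""
    if dport != 22:
        return True
    s, d = ip_address(src), ip_address(dst)
    if d in INTERNAL:
        return True
    return (any(s in net for net in SSH_ALLOWED_SOURCES)
            and any(d in net for net in SSH_ALLOWED_DESTINATIONS))

# iptables LOG target fields, e.g. "SRC=10.0.7.23 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=22"
_LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=\d+ DPT=(\d+)")

def audit_connection_log(lines):
    """Return (src, dst) for every outbound TCP connection the SSH policy would deny.
    Port-based matching only sees SSH on its standard port; SSH moved to 443 would not appear."""
    violations = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m or m.group(3) != "TCP":
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(4))
        if not outbound_ssh_permitted(src, dst, dport):
            violations.append((src, dst))
    return violations

# Constructed sample log: one approved session, the home-tunnel case, an HTTPS
# connection (not judged), and an approved user reaching an unapproved host.
SAMPLE_LOG = """\
Jan 10 09:12:01 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.5.14 DST=203.0.113.10 PROTO=TCP SPT=50112 DPT=22
Jan 10 09:13:40 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.7.23 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=22
Jan 10 09:14:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.7.23 DST=198.51.100.5 PROTO=TCP SPT=51240 DPT=443
Jan 10 09:15:11 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.5.14 DST=198.51.100.9 PROTO=TCP SPT=50120 DPT=22
"""

if __name__ == "__main__":
    for src, dst in audit_connection_log(SAMPLE_LOG.splitlines()):
        print(f"outbound SSH outside policy: {src} -> {dst}")
```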


One Response

  1. I agree with your final paragraph, but I doubt the ability of management to actually be informed enough to know when to allow.

    I have been at jobs — and my wife is at one now — where desktops are “locked down,” and only pre-approved software is already installed. Often, this means the company did not install the help files. Or, in another case, a job may require an analyst to report or uncover statistical twins, and the desktop has two “statistical” programs: Excel and the SQL Server data analysis pack.

    Corporate cultures tend to enforce mediocrity, which in practice means preventing workers who know what they are doing from being productive, in order to prevent a middle-aged secretary from infecting the whole firm by installing a virus-laden LolCats toolbar.
