[Past log]
菅野美穂 (Miho Kanno) part28 [No reposting] ©2ch.net (420 posts)
This thread has been archived in the past-log storage.
409: [sage] 2015/03/10 (Tue) 12:10:48 ID:W0fAy0Xd0

Similar to the last example, permitting any type of outbound VPN session establishment can lead to data leaks. While I will focus on Secure Shell (SSH) in this example, this problem is just as applicable to permitting outbound SSL or IPSec transmissions. All of these VPN solutions can typically be tunneled through any TCP port. This can lead to additional access being provided through a network perimeter without the knowledge of the local IT group.

SSH is a multi-platform VPN solution. While it is typically used as a secure replacement for clear-text tools such as Telnet and FTP, for many years it has also had the ability to tunnel any TCP-based application. As of the beginning of 2006, support for tunneling UDP, ICMP as well as other IP transports was added in as well.

SSH is not an evil tool per se. In the hands of a system or security administrator it can be an invaluable tool that helps to augment security as well as simplify many daily tasks. The problem with SSH is that in the hands of a malicious user it can easily be used to breach corporate policy. This can include circumventing content checking as well as exposing internal services to outside attack. The problems revolve around SSH's ability to tunnel other IP applications. These can be forward tunnels (used to forward application information up to the server) or rever [...] such a way that it will go undetected.

Figure 3 shows a possible use for the forward tunnel capability of SSH which would permit this user to circumvent your content checks. To start, the user needs access to an external system running both an SSH server as well as an HTTP proxy server. Both of these services can easily be depl [...] top with it configured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well-known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is usually a good choice, as this port is usually not scrutinized.

SSH's reverse tunnel capability can be even more dangerous. This is shown in Figure 4. In this example, when the user runs the SSH client on the corporate desktop they request a reverse tunnel and specify which port the SSH server should open up. Any connection requests sent to the SSH on that port will be forwarded to the corporate desktop. The user then tells the SSH client which internal system should receive these data requests.

http://anago.5ch.net/test/read.cgi/actress/1423765704/409