Hi David,

You say "This has made it almost impossible to work with the system"; If the new policy is prohibiting you from being completely productive then I think you have a case and you should escalate to decision makers in your company. If it adds a task to your procedure (ssh once, then ssh again) then most managers will say it's ok to do this to respect certain security requirements.

I think that no matter how many reasons the list here gives you regarding ssh tunneling, I suggest that you have a 'friendly' chat with your IT security folks to get the reason behind their new policy.

The one thing I can think of that your security department may use as argument is that people can use different internet services inside ssh tunnels through port forwarding and this can cause viruses and other malware to enter your network infrastructure.

Cheers,

--
Edmond Baroud
IT Infrastructure Architect



----- Original Message ----
> From: David M. Kaplan
> To: secureshell@securityfocus.com
> Sent: Friday, October 17, 2008 11:23:19 AM
> Subject: is ssh tunneling a security risk?
>
> Hi,
>
> My IT department is really heavy on security. From outside the
> building, they have a rather complex system setup so that you can get
> around the firewall and ssh into a single machine. From there, you have
> to ssh into the machine you want to use.
>
> To simplify things, I have been using a tunnel to hop from my machine
> directly (through the tunnel) to the machine I want to use in the
> building. This has worked fine until a couple of days ago when IT
> decided to prohibit tunneling for "security reasons" (attempting to use
> the tunnel now responds with "channel 3: open failed: administratively
> prohibited: open failed"). This has made it almost impossible to work
> with the system.
>
> What I am wondering is exactly what "security risk" does an ssh tunnel
> pose? I thought you used an ssh tunnel to enhance security, not the
> other way around. Can someone give me a reason why it is a risk to
> leave this open or give me good arguments that I can forward to IT for
> why they should not prohibit tunneling?
>
> Thanks,
> David
>
>
> --
> **********************************
> David M. Kaplan
> Charge de Recherche 1
> Institut de Recherche pour le Developpement
> Centre de Recherche Halieutique Mediterraneenne et Tropicale
> av. Jean Monnet
> B.P. 171
> 34203 Sete cedex
> France
>
> Phone: +33 (0)4 99 57 32 27
> Fax: +33 (0)4 99 57 32 95
> http://www.ur097.ird.fr/team/dkaplan/index.html
> **********************************



__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com