Re: Reading Ding in Gnus

[Alan Shutko <ats@acm.org>]

dsg@mitre.org (David S. Goldberg) writes:

> > If you can convince your sysadmin to open outbound ssh (which is
> > about as far from a security risk as can be), you can either
> > redirect ports, or set up a PPP tunnel.
> 
> Was there a smiley missing?  That PPP tunnel is a complete subversion
> of the firewall.

No, it's not.  My PPP tunnel won't allow anything into the network,
and my machine won't packets to it.  All it does is let me contact
certain services that our firewall blocks.  If you view a firewall as
a tool to prevent use of services by people inside it, yes, I'm
undermining it.  If you view a firewall as a tool to protect against
outside intruders, I'm not "completely subverting" the firewall.

Now I hear you saying "Why would the firewall administrator block
outgoing POP if he didn't care if you used it?"  Good question, which
is why I asked him.  He didn't know, just sounded like a good idea at
the time (like blocking all ICMP).  In any case, he knows about my PPP
tunnel and has no problem with it.

Naturally, doing things this way will involve communication with the
firewall admin, so I don't see any problem with it.  If the admin
doesn't go for it, it isn't going to happen.  But personally, I don't
think that (implemented correctly) this is more of a security concern
for the company than executives forwarding all their mail to hotmail
so they can access it on the road.

-- 
Alan Shutko <ats@acm.org> - In a variety of flavors!
When nothing can possibly go wrong, it will.