Hi - thanks for the reply - and I appreciate the examples.
But there might be some confusion.
Suppose I only have 1 out bound port open, say port 80, on the office LAN.
Then I go home and configure my Linux machine to run SSH on port 80.
If I return to the office LAN, what is to prevent me from using sftp
to transfer sensitive information from the office LAN to my Linux
machine at home?
-- Agile
Ok, now I get your point better.
I'm not sure how IPFilter can help you in this case - being that
it is a filtering firewall and a NAT service. Hopefully the other
list members can help out with this. Similar questions have
been raised over the past year, but I'm not sure they came to
certain conclusions.
You might take a look in direction of NAT proxy services, i.e.
an FTP proxy which inspects FTP traffic to dynamically open
additional (random) ports for data transfer.
There's also a "match" capability. If I'm not greatly mistaken
(which I can be), this feature allows inspecting several bytes
of the first packet of a new tracked connection (keep state).
For example, it would allow you to check that your new
connection is an HTTP request and reject binary SSH
traffic.
It would not forbid you to stream SSH over HTTP to an
applet, for example, or between a specially crafted
"HTTP-enabled" SSH client and server, but would
probably help against simple cases.
Likewise, I think HTTPS for example would look like any
other SSL channel, be that SSH or SMTPS or OpenVPN,
so you wouldn't find it easy to differentiate that.
--
+============================================================+
|                                                            |
| Климов Евгений, Jim Klimov                                 |
| Technical Director / CTO                                   |
| ЗАО "ЦОС и ВТ" / JSC COS&HT                                |
|                                                            |
| +7-903-7705859 (cellular) mailto:***@cos.ru                |
| CC:***@cos.ru,***@mail.ru                                  |
+============================================================+
| ()  ascii ribbon campaign - against html mail              |
| /\                        - against microsoft attachments  |
+============================================================+
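The first-packet inspection Jim describes above, written out as a small added example (not code from the thread or from IPFilter): it classifies the opening bytes a client sends on an outbound port-80 flow and allows only what looks like an HTTP request. The sample payloads and the host name home.example are constructed for illustration; the last sample shows the limitation Jim mentions, since an HTTP CONNECT request that carries SSH inside passes the check.

```python
# Added illustration of "look at the first bytes of a new tracked
# connection" as a policy. Not IPFilter syntax; plain Python so the
# idea can be tried offline. Sample payloads below are constructed.
import re

# Request line of HTTP/1.0 or HTTP/1.1, e.g. "GET /index.html HTTP/1.1"
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r?\n")


def classify_first_bytes(payload: bytes) -> str:
    """Return 'ssh', 'tls', 'http' or 'unknown' for a flow's first bytes."""
    if payload.startswith(b"SSH-"):
        return "ssh"      # SSH identification string is sent in the clear
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"      # TLS record: content type handshake, version 3.x
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    return "unknown"


def policy_decision(payload: bytes, dst_port: int) -> str:
    """Outbound port 80 must open with an HTTP request; other ports pass."""
    if dst_port != 80:
        return "allow"
    return "allow" if classify_first_bytes(payload) == "http" else "reject"


def audit_samples() -> dict:
    """Run the constructed samples through the policy for port 80."""
    samples = {
        "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "ssh_moved_to_80": b"SSH-2.0-OpenSSH_7.4\r\n",
        "tls_on_80": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
        # Looks like HTTP, but a CONNECT tunnel can carry SSH: not caught.
        "connect_tunnel": b"CONNECT home.example:22 HTTP/1.1\r\n\r\n",
    }
    return {name: policy_decision(p, 80) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:18s} -> {verdict}")
```

Note that a TLS-wrapped flow is rejected here only because it does not start with an HTTP request line; as Jim says, first-byte inspection cannot tell HTTPS apart from SSH or OpenVPN inside TLS.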