Andy Piper <andyp(a)parallax.co.uk> writes:
> At 01:04 05/01/99 -0800, Kyle Jones wrote:
> >I have to wonder, living behind a corporate firewall myself at
> >my day-job, how the person in charge of security would feel
> >about this clever tunneling. Why is asking the company security
> >guru to allow outbound connections to TCP port 443 not the right
> >solution to this problem? Wriggling under the firewall might
> >buy you some short term gain--- but it might also get you fired.

They'll probably not be very happy when I make our socks server able to
listen on multiple ports and we document how to make it run on port 443 to
achieve specifically the generic tunnelling that andy is talking about. :)

> Well there are two answers to this:
> 1. They can't fire me because I have already resigned :)

Where are you heading?

> 2. It seems many sysadmins are unhappy to do this. I don't know why this
> is but I know that setting up another proxy on our firewall is a pain
> because it has to be a specific port for a specific location (so you need
> a plug gateway for each cvs server you want to connect to). Allowing
> access via the web-proxy is much easier to administer, but I couldn't
> comment on the security implications. My sysadmin was happy to allow 2401
> on the web proxy - but then he was also happy to add a plug-gateway for
> cvs.xemacs.org. YMMV.

Sounds like you've got a pretty decent admin... consider yourself lucky
(for as long as you've got left there).
BillP might know more.

The quality of system administrators seems to have gone down drastically
(or the # of admins has gone drastically up, therefore dragging the average
_WAY_ down). This tends to lead to draconian `security' policies, as well as
taking the easy way out and denying _all_ services and requiring a
`business case' to open up any service. I weep for the future.

I had to present such a case to allow _inbound_ telnet access from terminal
servers that WE OWNED AND CONTROLLED for all the unix people at SPRY after
compusuck bought us. The mind spins until it gets dizzy and pukes up a
mission statement I guess.
A little birdie once told me that an idiot MIS person put _BETA_ software
into production, bitched when something minor broke, and then could not do
the simplest things to help diagnose the problem (like change the logging
level) without getting written authorization from someone 3 rungs higher on
the MIS ladder, who happened to be on vacation. Not that we'd sell
software to someone that stupid. Never. In fact, that was fictional! I
swear.
ObXEmacs: Is XEmacs Y2K compliant? :)
-Bill "Stream of Consciousness Today" Perry