Question
At work (a huge organisation) I found a server on the LAN that opens SFTP connections to 2 servers across the Internet.
I assume the remote hosts are in the other party's DMZ.
I know you are not supposed to do this but I am not sure of the associated risks.
How much more risky is it to SSH (SFTP) to a remote host from your LAN than from your DMZ?
About the only thing I can think of is that having the firewall rule that allows it could allow someone on this side to set up a reverse SSH session so they could get on the LAN from the outside with no audit trail.
Thanks, Sean
Explanation / Answer
You've identified the main risks:
1. You're contacting a foreign host/network.
2. It is very easy to create a reverse tunnel using SSH (so the remote party can get to you).
3. The communication stream is encrypted (my additional risk).
With regards to LAN vs. DMZ... well, of course, it all depends. On some LANs there might be more inspection with regards to outbound connections (?). I mean, it really depends on your own setup, policies, etc.
Anytime you have "trusted" going to "non-trusted" (no matter what zone), you have the risks already mentioned. Encrypting the traffic doesn't really matter as much, though it can oftentimes confuse the issue (makes people forget that whole "trusted" going to "non-trusted" issue).
But, "are you supposed to do this?"
You effectively said "no", but again, it all depends. The Internet is essentially a public trusted network. We use it because it's there. Not because it provides safety. Thus, by definition, by default, it's certainly in the "untrusted" category for most companies. But maybe we get enough benefit to mitigate (perception wise) the risks (??).
Firewall-wise, by the way, when a connection is initiated from the company (trusted) to the outside (untrusted), it is very difficult to "block" any nastiness. And because the communication is encrypted, I'd say it is very, very, very difficult.
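As an added example (not part of the original question or answer), here is the reverse-tunnel one-liner the question is worried about, alongside a small POSIX-shell audit of an OpenSSH sshd_config that reports whether a server would honour such a request. The hostname, account name and config contents are constructed for illustration, and the script assumes OpenSSH (PermitListen needs 7.8 or later). Note that it is the sshd on the receiving end, here the other party's host, whose settings decide whether a -R request is granted; the LAN side cannot set that.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Assumes OpenSSH (7.8+ for PermitListen); the hostname, account and config
# contents below are constructed for illustration.

# The reverse tunnel the question describes. Typed on the LAN host, it asks
# the *remote* sshd to listen on its port 2222 and relay every connection
# arriving there back to port 22 on the LAN host, which anyone with a login
# on the remote box can then reach. Shown here, not executed.
#   ssh -N -R 2222:localhost:22 sftpuser@sftp.partner.example

# Write two constructed sshd_config files into DIR: one with the OpenSSH
# defaults that honour that -R request, one locked down to SFTP only.
write_sample_configs() {
    dir="$1"
    cat > "$dir/weak.conf" <<'EOF'
# Default posture: any account may request local *and* remote forwarding.
Port 22
AllowTcpForwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# SFTP-only posture: no remote listeners, no tunnels, no shell.
Port 22
AllowTcpForwarding no
PermitListen none
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
Subsystem sftp internal-sftp
Match User sftpuser
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
EOF
}

# audit_sshd_config FILE
# Returns 0 if the server would refuse a -R (remote forward) request and
# 1 if it would honour it. Follows sshd's rule that the first occurrence of
# a keyword wins. Match blocks and "Keyword=value" syntax are not parsed
# (a simplification: settings inside Match blocks must be checked by hand).
audit_sshd_config() {
    file="$1"
    fwd=$(awk 'tolower($1)=="allowtcpforwarding" {print tolower($2); exit}' "$file")
    fwd=${fwd:-yes}           # OpenSSH default when the keyword is absent
    listen=$(awk 'tolower($1)=="permitlisten" {print tolower($2); exit}' "$file")
    case "$fwd" in
        no|local)
            echo "$file: remote forwarding refused (AllowTcpForwarding $fwd)"
            return 0 ;;
        yes|remote|all)
            if [ "$listen" = "none" ]; then
                echo "$file: remote forwarding refused (PermitListen none)"
                return 0
            fi
            echo "$file: remote forwarding HONOURED (AllowTcpForwarding $fwd, PermitListen ${listen:-any})"
            return 1 ;;
        *)
            echo "$file: unrecognised AllowTcpForwarding value '$fwd'"
            return 2 ;;
    esac
}

# Demo on the two constructed files.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
audit_sshd_config "$demo_dir/weak.conf" || true
audit_sshd_config "$demo_dir/hardened.conf"
rm -rf "$demo_dir"
```

Because the partner's sshd is outside your control, the controls that remain on the LAN side are the ones the answer hints at: scope the egress rule to the one source host, the two destination addresses and port 22 rather than "LAN to Internet on 22", run the transfer under a dedicated account whose process list and command lines are logged (a -R or -D option in an ssh invocation on that host is the thing to alert on), and treat the encrypted stream as opaque, since nothing in the path will see what is inside it.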