Yeah, that makes sense

For years now, my employer has not allowed ssh out their firewall. But they do have a telnet relay where you telnet to a particular server in the DMZ, and then telnet from there outside. Yeah, believe it or not, they think ssh isn’t secure (or more likely, have never heard of it because it’s not part of a default Windows installation) but telnet is ok. Of course, imap, pop and nntp aren’t allowed either. Heck, even DNS isn’t allowed – you can’t resolve any external domain names from internal machines.

And because I don’t run a telnet server on my home server, I have to telnet to their relay, then telnet to a friend’s server, and then ssh from there. But that’s what I go through in order to access my home email, Usenet, check files on my home server, and do a million other things.

Today I got the word – no more telnet access unless you can make a business case for it. The smarmy email from corporate IT says “please try to find a more secure means of communication”. Well, sure, I’d happily switch to a more secure means of communication IF YOU HADN’T FUCKING BLOCKED THEM ALL AT THE FIREWALL.

3 thoughts on “Yeah, that makes sense”

  1. Depending on the setup, ssh/https might be quite a lot less suspicious, esp. with an sshd on 443 somewhere.

    Though a big company probably makes the classic man-in-the-middle attack on https, for virus-scanning and url-filtering purposes.

    cheers,
    &rw

  2. Might almost be a case for a portable device with wireless email/ssh/browser, so that your personal communications don’t touch the work network at all. Granted, that pushes your costs up (though does let you have access when you’re elsewhere too), and there may be issues with anti-camera rules and trying to find something that doesn’t have one. You really don’t want to be caught bypassing the work firewall or breaking the rules for the corporate network, so stepping entirely aside from it may be the safer path.