Comments for Shaheen N Abdul Jabbar http://snajsoft.com Software Engineer > Security Officer > Security Architect Mon, 31 Oct 2011 09:00:30 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on Face Recognition Systems For Facility Access by Haider http://snajsoft.com/2011/01/03/face-recognition-systems-for-facility-access/comment-page-1/#comment-53 Haider Mon, 31 Oct 2011 09:00:30 +0000 http://snajsoft.com/?p=436#comment-53 Is the best Is the best

]]> Comment on Happy Holidays and New Year!! by Al Cronin http://snajsoft.com/2010/12/24/happy-holidays-and-new-year-2011/comment-page-1/#comment-52 Al Cronin Fri, 21 Jan 2011 02:21:05 +0000 http://snajsoft.com/?p=430#comment-52 Hi Shaheen - Great Website!!! Happy New Year!!! & best wishes to You and your family!!! Hi Shaheen – Great Website!!!
Happy New Year!!! & best wishes to You and your family!!!

]]> Comment on Prevent Reverse SSH by Derek Douville http://snajsoft.com/2009/02/12/prevent-reverse-ssh/comment-page-1/#comment-51 Derek Douville Fri, 07 Jan 2011 22:32:49 +0000 http://snajsoft.com/?p=26#comment-51 Glenn, allowing an outbound SSH connection to be established (eg. allowing TCP establishment out but not in as suggested above) doesn't prevent reverse tunnels, which allow the connection to be established to a remote host and subsequently allow traffic in either direction to flow unrestricted. This is the essence of the problem. Since SSH can run on any port, you would have to block TCP connection establishment on all ports for outbound, but since services like FTP, HTTP and HTTPS are often required to remain exposed, SSH can be directed to use port 80 or 21 for its outbound connection. This is why other respondents mention statefull inspection as a way of detection non-conforming traffic to what is expected on a given port (HTTPS or SSLv3 as Denes Magyar mentions). SSH tunnels cannot be positively detected because they are encrypted -- the traffic could be anything at all. I've been thinking about how a proxy server could be used to lock it down. Prevent SSH except to a white-list of hosts and trusted users and then allow other required, well-known services (http, https, ftp, smtp, dns, etc.) via stateful packet inspection. ...thing is, it's also possible to tunnel over DNS (google for "tunneling over dns"). It seems he only guaranteed solution is to drop all outbound traffic. Glenn, allowing an outbound SSH connection to be established (eg. allowing TCP establishment out but not in as suggested above) doesn’t prevent reverse tunnels, which allow the connection to be established to a remote host and subsequently allow traffic in either direction to flow unrestricted. This is the essence of the problem.

Since SSH can run on any port, you would have to block TCP connection establishment on all ports for outbound, but since services like FTP, HTTP and HTTPS are often required to remain exposed, SSH can be directed to use port 80 or 21 for its outbound connection. This is why other respondents mention statefull inspection as a way of detection non-conforming traffic to what is expected on a given port (HTTPS or SSLv3 as Denes Magyar mentions). SSH tunnels cannot be positively detected because they are encrypted — the traffic could be anything at all.

I’ve been thinking about how a proxy server could be used to lock it down. Prevent SSH except to a white-list of hosts and trusted users and then allow other required, well-known services (http, https, ftp, smtp, dns, etc.) via stateful packet inspection.

…thing is, it’s also possible to tunnel over DNS (google for “tunneling over dns”). It seems he only guaranteed solution is to drop all outbound traffic.

]]> Comment on Happy Holidays and New Year!! by Heather hynes http://snajsoft.com/2010/12/24/happy-holidays-and-new-year-2011/comment-page-1/#comment-50 Heather hynes Tue, 04 Jan 2011 14:43:51 +0000 http://snajsoft.com/?p=430#comment-50 Hi Shaheen, Happy new year to you and your family! May 2011 be good to you all. P.S. You have your own website? Cool. Looks great. cheers. HH Hi Shaheen,

Happy new year to you and your family! May 2011 be good to you all.

P.S. You have your own website? Cool. Looks great. cheers. HH

]]> Comment on Happy Holidays and New Year!! by Peter Bennett http://snajsoft.com/2010/12/24/happy-holidays-and-new-year-2011/comment-page-1/#comment-49 Peter Bennett Fri, 31 Dec 2010 14:44:26 +0000 http://snajsoft.com/?p=430#comment-49 Hi Shaheen Thanks for the greetings. Happy holidays to you. I am doing well at Pegasystems in Cambridge. Have a happy and prosperous new year. Regards peter Hi Shaheen
Thanks for the greetings. Happy holidays to you. I am doing well at Pegasystems in Cambridge. Have a happy and prosperous new year.
Regards
peter

]]> Comment on Happy Holidays and New Year!! by Hugh Gerechter http://snajsoft.com/2010/12/24/happy-holidays-and-new-year-2011/comment-page-1/#comment-48 Hugh Gerechter Wed, 29 Dec 2010 17:49:49 +0000 http://snajsoft.com/?p=430#comment-48 Shaheen and family -- best wishes for a happy and prosperous New Year Shaheen and family — best wishes for a happy and prosperous New Year

]]> Comment on Happy Holidays and New Year!! by Anita Geerts http://snajsoft.com/2010/12/24/happy-holidays-and-new-year-2011/comment-page-1/#comment-47 Anita Geerts Mon, 27 Dec 2010 21:57:16 +0000 http://snajsoft.com/?p=430#comment-47 Hi Shaheen, I'm lovin your website...so interesting. Are you having a great holiday? I hope so. Have lots of fun, laughter and amazement this Christmas season. Best wishes to you always, Anita Hi Shaheen,
I’m lovin your website…so interesting.

Are you having a great holiday? I hope so. Have lots of fun, laughter and amazement this Christmas season.

Best wishes to you always,
Anita

]]> Comment on Happy Holidays and New Year!! by Joseph http://snajsoft.com/2010/12/24/happy-holidays-and-new-year-2011/comment-page-1/#comment-44 Joseph Sat, 25 Dec 2010 09:45:57 +0000 http://snajsoft.com/?p=430#comment-44 Thanks for your Greetings. Wishing you too a very Happy Christmas and Happy New Year. Regards, Joseph Thanks for your Greetings. Wishing you too a very Happy Christmas and Happy New Year.
Regards,
Joseph

]]> Comment on Authentication – Level of Assurance by Tony Pham http://snajsoft.com/2010/06/07/authentication-level-of-assurance/comment-page-1/#comment-43 Tony Pham Mon, 16 Aug 2010 22:05:57 +0000 http://snajsoft.com/2010/06/07/authentication-level-of-assurance/#comment-43 an emerging opportunity for those who is tracking this space. There will be a market for Identity Assurance with organizations such as Kantara, Open Identity Exchange, and InCommon Federation which will utilize M-04-04 & NIST SP 800-63 to establish a framework for auditing the Identity Providers. Watch for this market "Identity Assurance Assessor" to establish next year. an emerging opportunity for those who is tracking this space. There will be a market for Identity Assurance with organizations such as Kantara, Open Identity Exchange, and InCommon Federation which will utilize M-04-04 & NIST SP 800-63 to establish a framework for auditing the Identity Providers. Watch for this market “Identity Assurance Assessor” to establish next year.

]]> Comment on Authentication – Level of Assurance by Ramesh Nagappan http://snajsoft.com/2010/06/07/authentication-level-of-assurance/comment-page-1/#comment-38 Ramesh Nagappan Wed, 16 Jun 2010 16:02:20 +0000 http://snajsoft.com/2010/06/07/authentication-level-of-assurance/#comment-38 Nice post, dude ! you may take a look at Kantara initiative - http://kantarainitiative.org/. They are trying to put all the old wine in a new bottle :-) /R Nice post, dude ! you may take a look at Kantara initiative – http://kantarainitiative.org/. They are trying to put all the old wine in a new bottle :-)

/R

]]>