Wednesday, June 9, 2010

A Little Bit About Firewalls and SSH Tunneling

Broadly speaking, there are three types of firewalls. First, there are stateless firewalls that simply filter traffic based on IP and port. Second, there are stateful packet filtering firewalls that keep track of the traffic between computers, thereby looking at traffic more contextually, but still filter largely based upon IP and port. Finally, there are application proxy firewalls, which are the most secure.

Most companies employ the second option -- stateful packet filtering firewalls. They work something like this: When you browse the web, your computer initiates a connection to the webserver. The firewall keeps track of this outbound connection and when the webserver responds the firewall allows traffic coming back to your computer that contains the webpage.

An application proxy is more intrusive and also secure. When you browse the web, your request from the webpage reaches the firewall like before. However, this time, instead of just allowing your traffic through and keeping track to allow the return traffic back in, the firewall says, "Hold on. I'll go get your webpage for you." The firewall then connects to the webserver and comes back with the data, which it then hands back to your computer. Your computer and the webserver never talk to each other directly.

FLG, you ask, what's the point of all this?

Well, my previous employer had an application proxy firewall, which was extremely restrictive. My current employer has a packet filtering firewall. This allows me to create an SSH tunnel to a linux computer at my house and then access my Windows computer at home using a Remote Desktop Connection.

FLG, you ask, what's the point of all this? Actually, I have no idea. I can use my home computer when I need or want from my desk at work?

Technically, the tech geeks probably could block me from doing this with a packet filtering firewall or allow it with an application proxy firewall, but in practice it's less likely.

2 comments:

The Ancient said...

Have you read this?

http://polishlinux.org/apps/ssh-tunneling-to-bypass-corporate-firewalls/

The tech guys could block you from doing this if they cared to (and knew how), but the more pertinent question is, would your employer care?

(There's also the prior question of how much your computer usage is being monitored, with or without authorization.)

P.S. I finally saw the car you asked about, and knowing whose car it is, I doubt there was any irony whatsoever devoted to the choice of license plate.

FLG said...

The Ancient:

No, I hadn't read that. However, if I'm really pressed and pissed, then I'll do DNS tunneling.

So you solved the mystery of the car! It's bittersweet because I kept up hope that it was more interesting.

 
Creative Commons License
This work is licensed under a Creative Commons Attribution-No Derivative Works 3.0 United States License.