Before I ask my question I would like to point out that I am a web developer who normally uses Stack Overflow and am new to Server Fault; I think this is the best place for this question.

I have recently started a new job, and among other things my IT department are reluctant to allow PuTTY access to the internet.

I am confident that there is a genuine reason for this and am just interested to know their reasons. I can imagine allowing any program access on any port to the internet could be a security threat, but is there any particular reason PuTTY could be dangerous?

Thanks in advance.

  • http://serverfault.com/questions/25545/why-block-port-22-outbound – Rob Moir Feb 04 '11 at 19:20
  • Hi, they're not blocking "Putty", that's an application to access SSH, which is what they actually are blocking. This has been discussed before - see link in other comment. – Rob Moir Feb 04 '11 at 19:20
  • Slightly disappointed to have my question closed, but reading up about port 22/tcp I can see that other question answers what I'm looking for. Is there somewhere for non sys admins like me to get advice like this? Thanks to all that answered. – Alan Whitelaw Feb 04 '11 at 19:52
  • Don't think you can't ask that question here, it's a valid question if phrased properly. You just need to ask the question from the perspective of a system administrator for it to qualify here, i.e. "I'm being requested by my clients to block outbound port 22. Is there any reason for this?" Your question would have still been closed more than likely as it's basically a dupe of another question, but you get the idea. – ErnieTheGeek Feb 04 '11 at 21:05

3 Answers

I don't suspect it's PuTTY itself they are against, but the necessity to open a port on the firewall. Personally, we have a handful of users who need to use PuTTY to manage internal machines, and they are free to do that. If however they asked me to open the SSH port on the firewall, like your IT department I would be much more wary.

Have you actually asked them why? There's no need to be aggressive or confrontational, but a sensible "I appreciate your reluctance - could you please elaborate on your concerns, and can we chat about potential ways to mitigate the potential threat" (or words to that effect). You may be able to come to a compromise such that SSH is opened on the firewall, but only to certain explicitly defined external hosts.

Ben Pilbrow
  • I will be asking on Monday, but as a web developer and not a server administrator I wanted to make sure I had all the facts! Thanks for your answer, and advice. Thanks – Alan Whitelaw Feb 04 '11 at 19:48

Reasons are probably as simple as this: is there any business justification for your SSH access to external servers? You can use it [via SSH tunneling] to circumvent whatever corporate internet access policies / screening they have in place [and might be obliged to have in place by some specific regulations].

Side note: I'm quite glad that I don't have to work in such an environment and do not have to apply such policies on our users.

pQd
  • This might well be the reason, as there is a lot of non-technical staff so the need for restrictions is required. As I mentioned in my question, I am a web developer, so have a genuine need to access servers, and was looking for arguments to put forward my case. Thanks – Alan Whitelaw Feb 04 '11 at 19:45

Well, using PuTTY you are able to set up an encrypted tunnel to an outside host. This makes you immune to any kind of traffic inspection tools since you can set up an HTTP/HTTPS or SOCKS proxy on this outside host and break every corporate restriction using this proxy. But disabling PuTTY (actually 22/tcp traffic) seems to be a kind of security by obscurity. You can always set up an outside SSH server using a legitimate port, say 80/tcp or 443/tcp or even 53/udp.

Alex
  • Calling it "security by obscurity" is a little unfair. It's good common practice to close all ports you have no business need for and make open ones the exception. It's bad practice to do things the other way around and then go ahead and block SSH because they've heard scary things about it, sure, but we lack the information to judge them on this. – Rob Moir Feb 04 '11 at 19:34
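
The answers above note that a 22/tcp block alone does not cover SSH listening on 80/tcp or 443/tcp, and that SSH can be opened only to explicitly defined external hosts. As an added example that is not part of the original thread, the sketch below shows an egress check that decides on the protocol seen in the first client bytes (the SSH identification string from RFC 4253) instead of the port number. The function names, the port-to-protocol policy and all addresses and payloads are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: each side opens with "SSH-protoversion-softwareversion".
SSH_ID = re.compile(rb"SSH-(1\.\d+|2\.0)-[\x21-\x7e]+")
HTTP_REQ = re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n")

# Assumed policy: which protocol is expected on which outbound port.
EXPECTED = {22: "ssh", 80: "http", 443: "tls"}
# Constructed allowlist of approved external SSH hosts (documentation address).
ALLOWED_SSH_HOSTS = {"203.0.113.10"}


def classify_payload(first_bytes: bytes) -> str:
    """Guess the protocol from the first bytes a client sends on a new flow."""
    if SSH_ID.match(first_bytes):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if first_bytes[:2] == b"\x16\x03":
        return "tls"
    if HTTP_REQ.match(first_bytes):
        return "http"
    return "unknown"


def review_flow(dst_ip: str, dst_port: int, first_bytes: bytes) -> str:
    """Apply default-deny egress: decide on protocol seen, not on port alone."""
    proto = classify_payload(first_bytes)
    if proto == "ssh":
        if dst_port != 22:
            return "alert: ssh on non-standard port"
        if dst_ip in ALLOWED_SSH_HOSTS:
            return "allow"
        return "deny: ssh to unapproved host"
    if EXPECTED.get(dst_port) == proto:
        return "allow"
    return "deny: unexpected protocol for port"


# Constructed sample flows: (destination IP, destination port, first client bytes).
SAMPLE_FLOWS = [
    ("203.0.113.10", 22, b"SSH-2.0-PuTTY_Release_0.78\r\n"),
    ("198.51.100.7", 22, b"SSH-2.0-PuTTY_Release_0.78\r\n"),
    ("198.51.100.7", 443, b"SSH-2.0-PuTTY_Release_0.78\r\n"),
    ("198.51.100.7", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, port, data in SAMPLE_FLOWS:
        print(f"{ip}:{port} -> {review_flow(ip, port, data)}")
```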