Telecommute through Aggressive Firewalls with SSH and Tunneling


Difficult-o-Meter: 4 (fairly high Linux knowledge required)

Covers:

OpenSSH 2.1.1: http://www.openssh.com

httptunnel: http://www.nocrew.org/software/httptunnel.html

mailtunnel: http://www.detached.net/mailtunnel.html

icmptunnel: http://www.detached.net/icmptunnel/

Problem: My office machine is behind a proxy firewall that disallows any outbound connections except FTP, Telnet, smtp, http, and httpd. It also does not allow any connections outbound that originate on the "privileged" (i.e., port numbers less than or equal to 1024) ports, no matter what service is requested on the outside. I live so far from my work site that dialing in to their terminal servers would be a long distance call, and yet I must be able to reach certain hosts and ports inside the office from my home in order to carry out my support duties. I also need to be able to do so in a manner that does not compromise the security so carefully set up by this firewall.

A Note about This Part of the Chapter

This part could be said to belong in the Networking and Communications section of the book (Chapters 2-9), since it is all about communicating effectively through firewalls. However, because OpenSSH involves authentication and encryption, and because tunneling is sometimes called firewall piercing, it seemed to belong in Privacy and Security as well. We chose to put it here.

I've said it before, I'm a consultant. I work for many clients. Some of these clients are in industries where security is very important indeed. Some of these clients are dealing with Other People's Money. This trust, while not, perhaps, sacred, is certainly subject to heavy-duty laws, regulations, and consequences if abused.

Let's imagine I'm working for a bank, the Fifth State Bank of Refuse. Let's imagine that they have a firewall like the one just described in the problem. Believe it or not, the scenario described there is one I really had to deal with, although it was not a bank, let alone the Fifth State Bank of Refuse. Many firewalls shut you down cold from the outside, but I had never before encountered one that shut you down so cold from the inside.

We'll go through two distinct paths to show how connectivity of all kinds may be given through such a firewall. The first one will illustrate the principles and demonstrate the widest range of SSH capabilities, but, as we will discover, it has fatal flaws from a security point of view. The second method is less educational but fully secure.

 



Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
Year: 2002
Pages: 257
