Posts Tagged ‘network’


Talking to your IT admins

21 June 2008 – 16:02 CDT

Looking for thoughts/ideas on how to talk to an IT admin. Started a job a few weeks ago where basically everything outbound except http and https are blocked. This means that ssh tunneling does not work. The traffic is packet inspected by the firewall and the http proxy requires authentication, so just moving ssh to port 443 doesn’t work either. The web traffic is filtered, so many things are blocked including gmail.

I’ve looked into solutions like corkscrew but it looks like it is going to take me a combination of ssh-over-https-proxies to get through it, because some of the tools only support Basic auth and the ISA server only accepts NTLM, Kerberos, and something else. It would be much easier to get to my box at home with its “library of files and tools” if they would just open up port 22.

I’m looking for anyone with ideas on how to talk to the IT admin staff about this. I’ve emailed them several times, and am not getting any response at all. I even included my MAC addresses and suggested they just unblock those. I’ve talked to my supervisor, and so far no luck – they mostly just don’t know what to do about it and the answers provided by the IT team range from the absurd to just dumb. Unfortunately, this is the same IT staff who:

- don’t know that Terminal Services is running on one of the Windows 2003 servers I need access to (or insist that it isn’t running on the system at all)
- apparently dismantled the VPN when their company bought ours, because it was “insecure”
- set up a remote Terminal Services system exposed to the internet, with the entire thing locked down (only one app is available, and the Start menu is useless), as the solution for VPN/remote access
- block gmail because it “has viruses”
- refuse to give the software developers, including those writing drivers, admin rights to their Windows box

I don’t know who is responsible for these guys or who made up these “policies” but it seems like they just do whatever they want. My impression is that this team (who work out of the parent company’s office) is led by a guy who only cares that giving local admin rights to anyone would supposedly cause him to have to do more work to fix broken systems. Obviously that means that he is actively interfering with the business process of the org, but since no one seems to know what to do about it I’m throwing it out there to the three readers of this journal :)

How would you talk to your IT administrators about opening up port 22? Unblocking gmail? Putting the VPN back up? The only way the developers have admin rights on their own computers is that the local VPs have domain admin rights, log in, and let us reconfigure our own boxes. This is not something we discuss with or even mention to the IT people, which I don’t think is right, but we don’t seem to have much choice because they’re basically uncooperative. The local folks can’t modify the network or add new services like VPN, though.

So how would you talk to Windows sysadmins and convince them that they’re being unreasonable?

No more spying

18 October 2006 – 20:58 CDT

So I came across a page last night titled SSH Tunneling For Dummies. Now I’m no dummy, but there are a few things I still don’t know. I was hunting for an easy way to tunnel my IM traffic to an external system, outside of my corporate network, to keep Big Brother out. Francks’s setup assumes that you just want to proxy out your web browsing. But what if you could do more?

It turns out that Gaim supports the use of a SOCKS proxy. I don’t recall ever having used one of these before, but I figured I’d give it a shot. Turns out that OpenSSH can act as a SOCKS server. I had no idea. The bottom line is that any client application which supports the use of a SOCKS proxy can be tunneled over SSH.

This means that a) to anyone watching the wire, the traffic looks like a single SSH session, and b) the IM traffic is encrypted between your machine and the SSH server; from there to the IM server it travels in whatever form the IM protocol itself uses. It works amazingly well. The easiest way on a Windows client is to install Cygwin and make sure the OpenSSH packages get installed. Then you just have to

ssh -Dlocalport username@desthost

where localport is something above 1024 (so it needs no root privileges and avoids conflicts with system services), like 1080, the conventional SOCKS port. The port you choose is invisible to the network: anyone watching the wire only sees an outbound SSH connection to a remote server. OpenSSH binds the -D listener to the loopback address by default (unless GatewayPorts is enabled in your client config), and you can make that explicit with -D 127.0.0.1:1080, so other machines can’t reach the proxy at all. Only someone with access to your own box could see that port 1080 is listening, so a high random port buys you little.

Obviously, this won’t stop your boss from peering over your shoulder, and it won’t hide the fact that you keep an SSH session open to a host outside the company. But it will stop the corporate network hounds from reading your IM traffic. One caveat: if the client resolves hostnames itself (SOCKS4, or a SOCKS5 client that does local lookups) before handing the connection to the proxy, those DNS queries still go to the corporate resolver and reveal which services you’re talking to; a client that passes the hostname through to the proxy avoids this.
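To make the caveat concrete, here is the exchange an IM client has with the loopback listener that ssh -D opens. This is an added example, not code from the original post or from OpenSSH: it builds the client half of the RFC 1928 SOCKS5 handshake and a minimal in-process stand-in for the listener, so the bytes can be inspected offline. The real ssh -D listener forwards the CONNECT over the SSH channel; the stub here only parses it and answers “succeeded”. The hostnames and ports are constructed.

```python
"""The SOCKS5 exchange on the loopback listener that `ssh -D` opens.

Added example, not code from the original post. Builds the client half of
the RFC 1928 handshake and a minimal in-process stand-in for the listener
so the bytes can be inspected offline. A real `ssh -D` listener would
forward the CONNECT over the SSH channel; the stub only parses it and
answers "succeeded". Destinations used below are constructed.
"""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00          # ssh -D offers no authentication method
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00


def build_greeting():
    """VER NMETHODS METHODS: offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def build_connect(host, port):
    """CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT.

    A hostname is sent as ATYP 0x03, so the far end of the tunnel (the SSH
    server) does the DNS lookup. If the client resolved the name itself and
    sends a dotted quad (ATYP 0x01), that lookup already went to the
    corporate resolver, which therefore saw the hostname despite the tunnel.
    """
    try:
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_connect(req):
    """Listener-side view of a CONNECT request: returns (atyp, host, port)."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        if len(req) != 10:
            raise ValueError("bad IPv4 CONNECT length")
        host = socket.inet_ntoa(req[4:8])
        port = struct.unpack("!H", req[8:10])[0]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        if len(req) != 5 + n + 2:
            raise ValueError("bad domain CONNECT length")
        host = req[5:5 + n].decode("idna")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
    else:
        raise ValueError("unsupported ATYP %#x" % atyp)
    return atyp, host, port


def listener_select_method(conn):
    """Stub for the listener's first reply: accept 'no auth' or refuse."""
    greeting = conn.recv(257)
    offered = greeting[2:2 + greeting[1]] if len(greeting) >= 2 else b""
    if not greeting or greeting[0] != SOCKS_VERSION or METHOD_NO_AUTH not in offered:
        conn.sendall(bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE]))
        return False
    conn.sendall(bytes([SOCKS_VERSION, METHOD_NO_AUTH]))
    return True


def listener_handle_connect(conn):
    """Stub for the listener's second reply. A real ssh -D would now connect
    out from the SSH server; the bound address/port in the reply are zeroed."""
    atyp, host, port = parse_connect(conn.recv(262))
    conn.sendall(bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00, ATYP_IPV4]) + bytes(6))
    return atyp, host, port


def socks5_connect_exchange(host, port):
    """Drive client and listener stub over a socketpair; return what the
    listener saw and whether the client got a 'succeeded' reply."""
    client, listener = socket.socketpair()
    with client, listener:
        client.sendall(build_greeting())
        if not listener_select_method(listener):
            return None, False
        assert client.recv(2) == bytes([SOCKS_VERSION, METHOD_NO_AUTH])
        client.sendall(build_connect(host, port))
        seen = listener_handle_connect(listener)
        reply = client.recv(10)
        return seen, len(reply) == 10 and reply[1] == REP_SUCCEEDED


if __name__ == "__main__":
    # Constructed destinations: an XMPP-style host given by name, and an
    # address a client resolved locally before asking the proxy.
    for dst in [("talk.example.net", 5222), ("192.0.2.10", 5190)]:
        seen, ok = socks5_connect_exchange(*dst)
        print("listener saw ATYP %#x -> %s:%d (reply ok: %s)" % (seen[0], seen[1], seen[2], ok))
```

The ATYP byte is the thing to look at: only the 0x03 form keeps name resolution on the far side of the tunnel, so when you configure an IM client for a SOCKS proxy, pick the option that lets the proxy resolve hostnames if it offers one.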

eth0:1

31 May 2006 – 18:26 CDT

Well, remember kids – taking down the physical ethernet interface with

# ifdown eth0

will also take the virtual interfaces such as eth0:1 down with it, because an alias is just a secondary address on the same physical link, not a separate device. And if you don’t have any other network-enabled interface available, you’ve just taken your server offline :)
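A pre-flight check for exactly that situation, added here as an example (not code from the original post): it parses the one-line-per-address output of ip -o -4 addr show and reports whether any device other than the one you are about to take down still holds a global-scope address. A label such as eth0:1 is attributed to eth0 and never counts as a survivor. The sample address lines are constructed, not captured from a real server.

```python
"""Pre-flight check before `ifdown eth0`.

Added example, not code from the original post. eth0:1 is a label on a
secondary address of eth0, not a separate device, so it goes down with
eth0; only a global address on a *different* device keeps the box
reachable. Parses the one-line-per-address format of `ip -o -4 addr show`.
The sample outputs are constructed, not captured from the author's server.
"""
import subprocess

# Constructed: the layout that bites you, everything hangs off eth0.
SAMPLE_ALIAS_ONLY = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0:1\\       valid_lft forever preferred_lft forever\n"
)

# Constructed: the same box with a second NIC that would keep it online.
SAMPLE_TWO_NICS = SAMPLE_ALIAS_ONLY + (
    "3: eth1    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth1\\       valid_lft forever preferred_lft forever\n"
)


def parse_ip_addr(output):
    """Yield (device, address, label, scope) per line of `ip -o -4 addr show`."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "inet":
            continue
        device = fields[1].split("@", 1)[0]   # "veth0@if5" -> "veth0"
        address = fields[3]
        scope = fields[fields.index("scope") + 1] if "scope" in fields else "global"
        label = device
        # The label (eth0 or eth0:1) is the token before valid_lft; `ip -o`
        # glues its line-continuation backslash onto it.
        for i, tok in enumerate(fields):
            if tok.startswith("valid_lft") and i > 0:
                label = fields[i - 1].rstrip("\\")
        yield device, address, label, scope


def devices_keeping_you_online(output, going_down):
    """Devices other than `going_down` that hold a global-scope address.
    A label like eth0:1 belongs to eth0 and is never counted as a survivor."""
    survivors = set()
    for device, _address, label, scope in parse_ip_addr(output):
        if scope != "global":
            continue
        if device == going_down or label.split(":", 1)[0] == going_down:
            continue
        survivors.add(device)
    return sorted(survivors)


def safe_to_ifdown(going_down, output=None):
    """True if some other device still has a global address. Without
    `output`, runs `ip -o -4 addr show` on this host."""
    if output is None:
        output = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                                check=True, capture_output=True, text=True).stdout
    return bool(devices_keeping_you_online(output, going_down))


if __name__ == "__main__":
    for name, sample in [("alias only", SAMPLE_ALIAS_ONLY), ("two NICs", SAMPLE_TWO_NICS)]:
        others = devices_keeping_you_online(sample, "eth0")
        verdict = "ok, %s stays up" % ", ".join(others) if others else "STOP: nothing else is up"
        print("%s: ifdown eth0 -> %s" % (name, verdict))
```

On a live box, call safe_to_ifdown("eth0") with no second argument and it runs ip itself; if it returns False, the only thing that will still answer after the ifdown is the console.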