Juniper SSL VPN FTW!
On Dec 7, 2009, at 9:48 PM, Steven Bellovin wrote:
>
> On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote:
>
>>
>> On Dec 7, 2009, at 5:29 PM, John Levine wrote:
>>
>>>> Will be interesting to see if ISPs respond to a large scale thing like
>>>> this taking hold by blocking UDP/TCP 53 like many now do with tcp/25
>>>> (albeit for other reasons). Therein lies the problem with some of the
>>>> "net neutrality" arguments .. there's a big difference between "doing it
>>>> because it causes a problem for others", and "doing it because it robs
>>>> me of revenue opportunities".
>>>
>>> I do hear of ISPs blocking requests to random offsite DNS servers.
>>> For most consumer PCs, that's more likely to be a zombie doing DNS
>>> hijacking than anything legitimate. If they happen also to block
>>> 8.8.8.8 that's just an incidental side benefit.
>>
>> I've found more and more hotel/edge networks blocking/capturing this traffic.
>>
>> The biggest problem is they tend to break things horribly and fail things
>> like the oarc entropy test.
>>
>> They will often also return REFUSED (randomly) to valid well formed DNS
>> queries.
>>
>> While I support the capturing of malware compromised machines until they are
>> repaired, I do think more intelligence needs to be applied when directing
>> these systems.
>>
>> Internet access in a hotel does not mean just UDP/53 to their selected hosts
>> plus TCP/80, TCP/443.
>
> It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel
> http to a squid proxy, smtp, and as many IMAP/SSL connections as I really
> need...
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb
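The "oarc entropy test" mentioned above checks whether the UDP source ports (and transaction IDs) a resolver uses look random when seen from outside, because a NAT or transparent interceptor that rewrites them in order, or funnels everything through one port, throws away the randomness that protects against cache poisoning. The following is an added example, not code from this thread or from DNS-OARC, that shows in a simplified way what such a test measures: it grades a list of observed 16-bit values and distinguishes a healthy resolver from the failure modes a hotel interceptor produces. The samples, the function names and the grading thresholds are all constructed for illustration.

```python
import math
import statistics
from collections import Counter


def shannon_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of the values."""
    n = len(values)
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_sequential(values, max_step=2):
    """True if every observation is within max_step of the previous one,
    the signature of a NAT or interceptor handing out ports in order."""
    if len(set(values)) < 2:
        return False
    return all(abs(b - a) <= max_step for a, b in zip(values, values[1:]))


def assess_source_ports(ports, min_stddev=1000.0):
    """Grade the randomness of observed UDP source ports or DNS transaction IDs.

    ports: the 16-bit values a remote test server saw on a resolver's queries.
    Returns a summary dict; 'verdict' is one of FIXED, SEQUENTIAL, POOR, GOOD.
    The thresholds are illustrative assumptions, not DNS-OARC's own scoring.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    distinct = len(set(ports))
    stddev = statistics.pstdev(ports)
    if distinct == 1:
        verdict = "FIXED"           # every query left from one port
    elif looks_sequential(ports):
        verdict = "SEQUENTIAL"      # predictable, one step at a time
    elif stddev < min_stddev:
        verdict = "POOR"            # varies, but only inside a small pool
    else:
        verdict = "GOOD"
    return {
        "samples": len(ports),
        "distinct": distinct,
        "entropy_bits": round(shannon_entropy(ports), 3),
        "stddev": round(stddev, 1),
        "verdict": verdict,
    }


# Constructed samples (not real captures) of what a test server might see.
RANDOMISED = [51233, 2049, 61804, 33120, 7771, 45902,
              12345, 59001, 26417, 40188, 9999, 63210]   # healthy resolver
SEQUENTIAL_NAT = list(range(1024, 1036))                 # NAT allocating in order
SMALL_POOL = [2048, 2051, 2049, 2100, 2055, 2090,
              2070, 2061, 2085, 2052, 2099, 2066]        # NAT with a tiny port pool
SINGLE_PORT = [53] * 12                                  # transparent interceptor

if __name__ == "__main__":
    for name, sample in [("randomised", RANDOMISED),
                         ("sequential NAT", SEQUENTIAL_NAT),
                         ("small pool", SMALL_POOL),
                         ("single port", SINGLE_PORT)]:
        print(f"{name:15s} {assess_source_ports(sample)}")
```

Feeding the same function the transaction IDs seen on those queries gives a second, independent grade; a network that passes on ports but fails on IDs is usually running a forwarder that re-issues queries itself rather than merely NATing them.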