
■ This thread is stored in the past-log archive

Miho Kanno part28 [Reproduction prohibited] ©2ch.net

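1 :Anonymous@Full Stomach:2015/02/13(Fri) 03:28:24.92 ID:IQ0rFn0z0
This is the next thread following Part26 and 27.
The threads 25 and 26 numbered in full-width digits
were started by a troublemaker, so please don't post in them.


Official: Miho Kanno official web site
http://www.ken-on.co.jp/kanno/

Appearance information
http://www.2.meetv.jp/p/bin/pc_search.cgi

Previous threads → search Logsoku for "菅野美穂 part"
Miho Kanno part27
http://anago.2ch.net/test/read.cgi/actress/1416552100/

* sage required
* Ignore the copy-paste troll "韓西"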

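371 :Anonymous@Full Stomach:2015/03/10(Tue) 11:05:18.56 ID:ulogFmWM0
This is what had happened at his present lodging. About half a month earlier, a wealthy man named Ōhinata, who had come up from the Shimo-Takai district with one manservant, had stayed there for a short while, having come to enter the Iiyama hospital. He was admitted soon after. He was, of course, well off; his sickroom was first class; and as he went up and down the long corridor leaning on a nurse's shoulder, his luxury naturally caught people's eyes, until, without anyone knowing who had started the rumor out of envy, it came to be said that "he is an eta." The word spread at once through many of the sickrooms, and the patients rose as one. "Drive him out, right now; if that cannot be done, we will all leave together," they said, rolling up their sleeves and threatening the director; such was the uproar. However much money one has, it cannot overcome this racial prejudice. One day at dusk he was put in a litter and left the hospital under cover of the evening dark. The litter was carried straight back to his former lodging, and the director came almost every day to examine him. But now the lodgers would not have it. Just as Ushimatsu came home tired from his day's work, they were all shouting, "Bring out the landlady!" Abuse of "Unclean, unclean!" burst from the lips of the unreserved guests. "What do they mean, unclean?" Ushimatsu thought indignantly, and he secretly pitied Ōhinata's misfortune, lamented this unreasonable treatment of a man as an outcast, and kept thinking of the wretched fate of the eta people. For Ushimatsu, too, was an eta.
 To look at him, anyone would take Ushimatsu for a pure northern Shinshū man, one of the young men who grew up among the rocks around Saku and Chiisagata. He left the normal school in Nagano, ranked as a full teacher and as a graduate with excellent marks, in the spring of just his twenty-second year. Thrust out into the world, Ushimatsu came straight to this Iiyama. Today, in the third year since then, Ushimatsu is known to the people of the town of Iiyama only as an earnest young teacher, and not a single person knew that he was in fact an eta, a "new commoner."
"Well then, when will you be moving in?"
 So calling out, the one who came in was the wife of the head priest of Rengeji. In age about fif
 murmuring this under her breath, Okusama did not try to probe any deeper.       (2)
 It was five o'clock when he left Rengeji. He had set out directly after finishing the day's lessons at school, so Ushimatsu was still in his working clothes. A worn suit soiled with chalk and dust, a cloth bundle of books and notebooks under his arm, wooden clogs on his feet, and a lunch box at his waist. With the kind of shame that many laborers feel in a crowd rising in his breast, he went back toward his lodging in Takajō-machi. The eaves of the streets shone in the evening sun after the autumn rain, and people on the wet road in crowds looked wonderingly at the other's face.
"Is it so strange to move in the day after tomorrow?" Ushimatsu's eyes suddenly lit up.
"Oh, but isn't the day after tomorrow the twenty-eighth? There is nothing strange about it, only I had thought you would be coming after the month had changed."
"Hm, yes, that is quite so. The truth is that I decided on the move rather suddenly."
 Passing it off casually, Ushimatsu deliberately changed the subject. What had happened at the lodging stirred his heart violently. To be asked about it, or to speak of it, somehow frightened him. Whenever anything touched on the eta, it was this man's habit always to avoid it. were gathered. Some among them stopped ty or so. Wearing a brown fine-patterned haori and holding a rosary in her thin white hand, she stood before Ushimatsu. By local custom respectfully called "Okusama," this nun who kept her hair had, as a woman of the old school, some education, and her way of speaking suggested that she was not altogether ignorant of city life. Her obliging nature showing on her brow, she recited the nembutsu in a faint voice as if by habit, and seemed to be waiting for his reply.
 At that, Ushimatsu considered. He would have liked to say tomorrow, or even tonight, but for the moment he did not have the money to move. In fact he had only forty sen on him. There was no way to move on forty sen. He also had to settle his bill at the present lodging. Since his monthly salary would not be paid until the day after tomorrow, he had no choice but to wait until then.
"Let us do this: let us make it the afternoon of the day after tomorrow."
"The day after tomorrow?" said Okusama
"Namu Amida Butsu."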

372 :Anonymous@Full Stomach:2015/03/10(Tue) 11:05:49.01 ID:ulogFmWM0

373 :Anonymous@Full Stomach:2015/03/10(Tue) 11:07:26.83 ID:pl8uGQJY0

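374 :Anonymous@Full Stomach:2015/03/10(Tue) 11:18:51.66 ID:pl8uGQJY0
thoughts of fame, and with a capacity for study accustomed to discipline, I suddenly stood in the middle of this new great capital of Europe. What brilliance is this that would strike my eyes! What luster is this that would lead my heart astray! Translated as "under the linden trees," it might be thought a quiet, secluded place, but come to this Unter den Linden, a great avenue straight as a strand of hair, and look at the groups of gentlemen and ladies walking the stone-paved sidewalks on both sides. Officers with chests thrown out, towering, in full dress adorned with various colors, for it was still the time when Wilhelm I would lean at his window overlooking the street; lovely girls made up in imitation of Paris; each and all astonished the eye; and then the various carriages running soundlessly over the asphalt of the roadway, the water of the fountains, in the spaces where the buildings towering to the clouds broke off a little, brimming over and falling with the sound of a shower in a clear sky, and, seen in the distance beyond the Brandenburg Gate, the statue of the goddess on the victory column floating out in mid-sky from among green trees with their branches interlaced: with so many sights gathered so close before one's eyes, it is only natural that a newcomer should have no time to take them all in. But in my breast there was a vow that, wherever I might travel, I would not let my heart be moved by idle beauty, and it always warded off the external things that assailed me.
 The Prussian officials on whom I called, pulling the bell cord to ask for an audience and presenting my official letter of introduction to explain why I had come from the East, all received me cordially and promised that, once the formalities from the legation were duly completed, they would teach and tell me whatever I wished. It was fortunate that I had studied German and French at home. When they first met me, they never failed to ask where and when I had managed to learn them so well.
 Then, having already obtained official permission, I had my name entered in the register of the local university, intending to study political science whenever my official duties left me time.
 As one month and then two went by, the official consultations were completed and my investigations gradually progressed, so I wrote up the urgent matters as reports and sent them off, and made copies of the rest for my records, until in the end they must have filled I know not how many volumes. The university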

375 :Anonymous@Full Stomach:2015/03/10(Tue) 11:21:37.93 ID:pl8uGQJY0
seemed to be attacking. I thought I had come to realize that I was suited neither to be a politician who would soar in the world of today, nor to be a lawyer who knows the codes by heart and passes judgment.
 I thought to myself: my mother wished to make me a living dictionary, and my superior, I suppose, wished to make me a living statute book. To be a dictionary I could still endure, but to be a statute book was unbearable. I, who until then had answered with the greatest care even on trifling questions, from about this time argued repeatedly in my letters to my superior that one should not be bound by the fine details of the legal system, and boasted that once one had grasped the spirit of the law, all the tangled affairs would fall away like splitting bamboo. At the university, too, I neglected the law lectures and gave my heart to history and literature, and at last entered the stage of chewing the sugar cane.
 My superior had surely meant to make a machine he could use as he pleased. How could he be pleased with a man who held independent ideas and wore an uncommon look on his face? My position at that time was precarious. Yet this alone would probably not have been enough to overturn my position, had it not been that between me and a certain influential group among the students studying in Berlin there was an unpleasant relationship, so that they came to suspect me and finally to slander me. Yet even this was not without cause.
 Because I neither raised a glass of beer with them nor took up a billiard cue, they attributed this to a stubborn heart and to the power of self-restraint, and probably both mocked and envied me. But that was because they did not know me. Ah, how could others know the reason, when I did not know it myself? My heart was like the leaves of the tree called the silk tree, which, when something touches them, shrink

376 :Anonymous@Full Stomach:2015/03/10(Tue) 11:22:04.74 ID:pl8uGQJY0

377 :Anonymous@Full Stomach:2015/03/10(Tue) 11:28:59.82 ID:9TXiXK2M0
Miho Kanno Miho Kanno Miho Kanno Miho Kanno Miho Kanno Miho Kanno Miho Kanno Miho Kanno Miho Kanno Miho Kanno Miho Kanno

378 :Anonymous@Full Stomach:2015/03/10(Tue) 11:29:25.72 ID:9TXiXK2M0

379 :Anonymous@Full Stomach:2015/03/10(Tue) 11:33:38.46 ID:9TXiXK2M0
Similar to the last example, permitting any type of outbound VPN session establishment can lead to data leaks. While I will focus on Secure Shell (SSH) in this example, this problem is just as applicable to permitting outbound SSL or IPSec transmissions. All of these VPN solutions can typically be tunneled through any TCP port. This can lead to additional access being provided through a network perimeter without the knowledge of the local IT group.

SSH is a multi-platform VPN solution. While it is typically used as a secure replacement for clear text tools such as Telnet and FTP, for many years it has also had the ability to tunnel any TCP-based application. As of the beginning of 2006, support for tunneling UDP, ICMP as well as other IP transports was added in as well.
nfigured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is usually a good choice, as this port is usually not scrutinized.

SSH is not an evil tool per se. In the hands of a system or security administrator it can be an invaluable tool that helps to augment security as well as simplify many daily tasks. The problem with SSH is that in the hands of a malicious user it can easily be used to breach corporate policy. This can include circumventing content checking as well as exposing internal services to outside attack. The problems revolve around SSH's ability to tunnel other IP applications. These can be forward tunnels (used to forward application information up to the server) or rever
such a way that it will go undetected. Figure 3 shows a possible use for the forward tunnel capability of SSH which would permit this user to circumvent your content checks. To start, the user needs access to an external system running both an SSH server as well as an HTTP proxy server. Both of these services can easily be depl top with it configured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is
SSH's reverse tunnel capability can be even more dangerous. This is shown in Figure 4. In this example when the user runs the SSH client on the corporate desktop they request a reverse tunnel and specify which port the SSH server should open up. Any connection requests sent to the SSH on that port will be forwarded to the corporate desktop. The user then tells the SSH client which internal system should receive these data requests.

380 :Anonymous@Full Stomach:2015/03/10(Tue) 11:34:06.29 ID:9TXiXK2M0

381 :Anonymous@Full Stomach:2015/03/10(Tue) 11:37:06.53 ID:SO4TyCxW0

382 :Anonymous@Full Stomach:2015/03/10(Tue) 11:39:03.88 ID:SO4TyCxW0

383 :Anonymous@Full Stomach:2015/03/10(Tue) 11:39:57.25 ID:SO4TyCxW0
Similar to the last example, permitting any type of outbound VPN session establishment can lead to data leaks. While I will focus on Secure Shell (SSH) in this example, this problem is just as applicable to permitting outbound SSL or IPSec transmissions. All of these VPN solutions can typically be tunneled through any TCP port. This can lead to additional access being provided through a network perimeter without the knowledge of the local IT group.

SSH is a multi-platform VPN solution. While it is typically used as a secure replacement for clear text tools such as Telnet and FTP, for many years it has also had the ability to tunnel any TCP based application. As of the beginning of 2006, support for tunneling UDP, ICMP as well as other IP transports was added in as well.
nfigured to create a forward tunnel to the proxy server. Once they logon via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is usually a good choice, as this port is usually not scrutinized.

SSH is not an evil tool per se. In the hands of a system or security administrator it can be an invaluable tool that helps to augment security as well as simplify many daily tasks. The problem with SSH is that in the hands of a malicious user it can easily be used to breach corporate policy. This can include circumventing content checking as well as exposing internal services to outside attack. The problems revolve around SSH's ability to tunnel other IP applications. These can be forward tunnels (used to forward application information up to the server) or rever
such a way that it will go undetected. Figure 3 shows a possible use for the forward tunnel capability of SSH which would permit this user to circumvent your content checks. To start, the user needs access to an external system running both an SSH server as well as an HTTP proxy server. Both of these services can easily be depl top with it configured to create a forward tunnel to the proxy server. Once they logon via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is
SSH's reverse tunnel capability can be even more dangerous. This is shown in Figure 4. In this example when the user runs the SSH client on the corporate desktop they request a reverse tunnel and specify which port the SSH server should open up. Any connection requests sent to the SSH on that port will be forwarded to the corporate desktop. The user then tells the SSH client which internal system should receive these data requests. and specify which port the SSH server should open up. Any connection requests sent to the S and specify

385 :名無しさん@お腹いっぱい。:2015/03/10(火) 11:48:28.16 ID:OdvrV0MZ0
DeutsMitgliedslandes eingegangen. Ich verfolge die Prasentation der ausfuhrlichen Reformrechnung in Gri In der Diskussion vor der Abstimmung erklart derinanzminister einen Zweck zu sagen, dass "Sie irgendetwasynapsegssache mache
Have you not heard the word alcoholism and gambling addiction? That is the addiction that has attached itself deeply to the pleasure from dopamine secretion. When I am devoted to the time and a hobby, playing a game, dopamine is hidden. Dopamine is hidden in the middle of the act that is willingly performed. However, the secretion is experienced in such a scene that there is the case that I am not stopped.
Have you not heard the word alcoholism and gambling addiction? That is the addiction that has attached itself deeply to the pleasure from dopamine secretion. When I am devoted to the time and a hobby, playing a game, dopamine is hidden. Dopamine is hidden in the middle of the act that is willingly performed. However, the secretion is experienced in such a scene that there is the case that I am not stopped.
Wenn ich eine Lieblin
elobt ist, und dopamine wird in den menschlichen Beziehungen verborgen. A person has a wish to want another person to potentially acknowledge it, and that is met, and dopamine is sometimes hidden and can sink entirely into satisfaction and a comfortable feeling.

When I held superiority over another person, that is hidden. The test score was better than this person, who has a better annual income than this person, and the scene is where dopamine is only hidden after another person exists.
Wenn ich Wissbegierde befriedigels Zeit und das schwierig
When I satisfy curiosity

When time and the difficult problem that experienced bean knowledge were solved, I am hidden. A person with a large amount of dopamine secretion is interested in various things and tends to like travel or adventure.


Ich kann Struktur, die Szene verstehen, w
I can understand structure, the scene where dopamine is hidden, once I have read this book. It is this thing, when I become able to control feelings or a motivation by itself, understood.

Es ist ein Pflugynapse
When, when it was acknowledged by another person, it went in predominance than another person
I employ social status that is praised by the boss, and dopamine is hidden in human relationships. A person has a wish to want another person to potentially acknowledge it, and that is met, and dopamine is sometimes hidden and can sink entirely into satisfaction and a comfortable feeling.
When I held superiority over another person, that is hidden. The test score was better than this person, who has a better annual income than this person, and the scene is where dopamine is only hidden after another person exists.
enn ich Wissbegierde befriedige

When time and the difficult problem that experienced bean knowledge were solved, I am hidden. A person with a large amount of dopamine secretion is interested in various things and tends to like travel or adventure.



I will control dopamine by itself
When, when it was acknowledged by another person, it went in predominance than another person

392 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:00:18.55 ID:Eaort3Ts0
Similar to the last example, permitting any type of outbound VPN session establishment can lead to data leaks. While I will focus on Secure Shell (SSH) in this example, this problem is just as applicable to permitting outbound SSL or IPSec transmissions. All of these VPN solutions can typically be tunneled through any TCP port. This can lead to additional access being provided through a network perimeter without the knowledge of the local IT group.

SSH is a multi-platform VPN solution. While it is typically used as a secure replacement for clear text tools such as Telnet and FTP, for many years it has also had the ability to tunnel any TCP based application. As of the beginning of 2006, support for tunneling UDP, ICMP as well as other IP transports was added in as well.
nfigured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is usually a good choice, as this port is usually not scrutinized.


SSH is not an evil tool per se. In the hands of a system or security administrator it can be an invaluable tool that helps to augment security as well as simplify many daily tasks. The problem with SSH is that in the hands of a malicious user it can easily be used to breach corporate policy. This can include circumventing content checking as well as exposing internal services to outside attack. The problems revolve around SSH's ability to tunnel other IP applications. These can be forward tunnels (used to forward application information up to the server) or rever
such a way that it will go undetected. Figure 3 shows a possible use for the forward tunnel capability of SSH which would permit this user to circumvent your content checks. To start, the user needs access to an external system running both an SSH server as well as an HTTP proxy server. Both of these services can easily be depl top with it configured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is
SSH's reverse tunnel capability can be even more dangerous. This is shown in Figure 4. In this example when the user runs the SSH client on the corporate desktop they request a reverse tunnel and specify which port the SSH server should open up. Any connection requests sent to the SSH on that port will be forwarded to the corporate desktop. The user then tells the SSH client which internal system should receive these data requests. and specify which port the SSH server should open up. Any connection requests sent to the S and specify

393 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:00:45.02 ID:Eaort3Ts0

394 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:01:21.53 ID:cwDjYbYc0

395 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:02:03.53 ID:cwDjYbYc0

396 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:02:41.37 ID:cwDjYbYc0

397 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:03:07.08 ID:cwDjYbYc0

398 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:03:34.22 ID:cwDjYbYc0

399 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:04:17.44 ID:SO4TyCxW0

400 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:05:10.24 ID:aosQSB3R0
Similar to the last example, permitting any type of outbound VPN session establishment can lead to data leaks. While I will focus on Secure Shell (SSH) in this example, this problem is just as applicable to permitting outbound SSL or IPSec transmissions. All of these VPN solutions can typically be tunneled through any TCP port. This can lead to additional access being provided through a network perimeter without the knowledge of the local IT group.

SSH is a multi-platform VPN solution. While it is typically used as a secure replacement for clear text tools such as Telnet and FTP, for many years it has also had the ability to tunnel any TCP based application. As of the beginning of 2006, support for tunneling UDP, ICMP as well as other IP transports was added in as well.
nfigured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well-known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is usually a good choice, as this port is usually not scrutinized.

SSH is not an evil tool per se. In the hands of a system or security administrator it can be an invaluable tool that helps to augment security as well as simplify many daily tasks. The problem with SSH is that in the hands of a malicious user it can easily be used to breach corporate policy. This can include circumventing content checking as well as exposing internal services to outside attack. The problems revolve around SSH's ability to tunnel other IP applications. These can be forward tunnels (used to forward application information up to the server) or rever
such a way that it will go undetected. Figure 3 shows a possible use for the forward tunnel capability of SSH which would permit this user to circumvent your content checks. To start, the user needs access to an external system running both an SSH server as well as an HTTP proxy server. Both of these services can easily be depl top with it configured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well-known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is
SSH's reverse tunnel capability can be even more dangerous. This is shown in Figure 4. In this example when the user runs the SSH client on the corporate desktop they request a reverse tunnel and specify which port the SSH server should open up. Any connection requests sent to the SSH on that port will be forwarded to the corporate desktop. The user then tells the SSH client which internal system should receive these data requests.
and specify which port the SSH server should open up. Any connection requests sent to the S and specify

401 :名無しさん@お腹いっぱい。:2015/03/10(火) 12:05:36.08 ID:aosQSB3R0

402 :名無しさん@お腹いっぱい。:2015/03/10(火) 12:06:02.04 ID:aosQSB3R0

403 :名無しさん@お腹いっぱい。:2015/03/10(火) 12:06:29.84 ID:aosQSB3R0

404 :名無しさん@お腹いっぱい。:2015/03/10(火) 12:07:38.92 ID:T7wUWS080

405 :名無しさん@お腹いっぱい。:2015/03/10(火) 12:08:05.46 ID:T7wUWS080

406 :名無しさん@お腹いっぱい。:2015/03/10(火) 12:08:31.15 ID:T7wUWS080

407 :名無しさん@お腹いっぱい。:2015/03/10(火) 12:08:56.79 ID:T7wUWS080

408 :名無しさん@お腹いっぱい。:2015/03/10(火) 12:10:20.93 ID:W0fAy0Xd0

409 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:10:48.30 ID:W0fAy0Xd0
Similar to the last example, permitting any type of outbound VPN session establishment can lead to data leaks. While I will focus on Secure Shell (SSH) in this example, this problem is just as applicable to permitting outbound SSL or IPSec transmissions. All of these VPN solutions can typically be tunneled through any TCP port. This can lead to additional access being provided through a network perimeter without the knowledge of the local IT group.

SSH is a multi-platform VPN solution. While it is typically used as a secure replacement for clear text tools such as Telnet and FTP, for many years it has also had the ability to tunnel any TCP based application. As of the beginning of 2006, support for tunneling UDP, ICMP as well as other IP transports was added in as well.
nfigured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is usually a good choice, as this port is usually not scrutinized.


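A defender's view of the point made in the post above, that blocking TCP/22 does not stop SSH on another port: SSH announces itself in cleartext at the start of every connection, so a perimeter sensor can classify a flow by its first bytes instead of its port number. This is an added example, not part of the original posts; the flow record layout, field names, addresses and byte samples are constructed for illustration.

```python
import re

# RFC 4253 section 4.2 identification line:
#   SSH-protoversion-softwareversion SP comments CR LF
# softwareversion is printable ASCII without whitespace or '-'.
SSH_ID_LINE = re.compile(
    rb"SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: [^\r\n]*)?\r?"
)


def ssh_identification(payload: bytes):
    """Return (protoversion, softwareversion) if the first bytes of one
    direction of a flow contain an SSH identification line, else None.
    A server may send other text lines before its identification line,
    so every complete line is examined, not only the first."""
    complete_lines = payload[:1024].split(b"\n")[:-1]  # drop unterminated tail
    for line in complete_lines:
        match = SSH_ID_LINE.fullmatch(line)
        if match:
            return match.group(1).decode(), match.group(2).decode()
    return None


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes start with a TLS handshake record carrying a
    ClientHello, which is what legitimate HTTPS on TCP/443 begins with."""
    if len(payload) < 6:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    return (
        payload[0] == 0x16            # record type: handshake
        and payload[1] == 0x03        # record-layer major version
        and payload[2] <= 0x04        # record-layer minor version
        and 0 < record_len <= 16384   # plaintext record size limit
        and payload[5] == 0x01        # handshake type: ClientHello
    )


def classify(client_bytes: bytes, server_bytes: bytes):
    """Classify a flow from the first payload bytes seen in each direction."""
    ident = ssh_identification(client_bytes) or ssh_identification(server_bytes)
    if ident:
        return "ssh", ident[1]
    if looks_like_tls_client_hello(client_bytes):
        return "tls", None
    return "unknown", None


def ssh_off_port(flows, allowed=frozenset()):
    """Return (src, dst, dport, software) for every flow that speaks SSH on a
    port other than 22 and whose (dst, dport) is not an approved exception."""
    findings = []
    for flow in flows:
        proto, software = classify(flow["client"], flow["server"])
        if (proto == "ssh" and flow["dport"] != 22
                and (flow["dst"], flow["dport"]) not in allowed):
            findings.append((flow["src"], flow["dst"], flow["dport"], software))
    return findings


# Constructed sample flows (documentation address ranges, truncated payloads).
SAMPLE_FLOWS = [
    {"src": "10.0.0.21", "dst": "198.51.100.7", "dport": 443,
     "client": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03",
     "server": b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"},
    {"src": "10.0.0.34", "dst": "203.0.113.50", "dport": 443,
     "client": b"SSH-2.0-OpenSSH_9.6\r\n",
     "server": b"SSH-2.0-OpenSSH_9.6p1 Debian-1\r\n"},
    {"src": "10.0.0.34", "dst": "192.0.2.10", "dport": 22,
     "client": b"SSH-2.0-OpenSSH_9.6\r\n",
     "server": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"src": "10.0.0.77", "dst": "203.0.113.99", "dport": 8443,
     "client": b"",
     "server": b"welcome to example host\r\nSSH-2.0-dropbear_2022.83\r\n"},
    {"src": "10.0.0.80", "dst": "198.51.100.20", "dport": 443,
     "client": b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
     "server": b"HTTP/1.1 400 Bad Request\r\n\r\n"},
]

if __name__ == "__main__":
    for finding in ssh_off_port(SAMPLE_FLOWS):
        print("SSH on non-standard port:", finding)
```

The check works on any port because the identification line is exchanged before encryption starts; it does not see SSH that has been wrapped inside another encrypted session.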

410 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:11:09.39 ID:kRyZp8Si0
Auntie Kikuyo's super freak-out time

418 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:20:54.67 ID:4JI/rlDI0
ient which internal system should receive these data requests. and specify which port the SSH server should open up. Any connecti
on requests sent to the S                   and specify 

419 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:21:32.90 ID:4JI/rlDI0
Similar to the last example, permitting any type of outbound VPN session establishment can lead to data leaks. While I will focus on Secure Shell (SSH) in this example, this problem is just as applicable to permitting outbound SSL or IPSec transmissions. All of these VPN solutions can typically be tunneled through any TCP port. This can lead to additional access being provided through a network perimeter without the knowledge of the local IT group.

SSH is a multi-platform VPN solution. While it is typically used as a secure replacement for clear text tools such as Telnet and FTP, for many years it has also had the ability to tunnel any TCP based application. As of the beginning of 2006, support for tunneling UDP, ICMP as well as other IP transports was added in as well.
nfigured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is usually a good choice, as this port is usually not scrutinized.

SSH is not an evil tool per se. In the hands of a system or security administrator it can be an invaluable tool that helps to augment security as well as simplify many daily tasks. The problem with SSH is that in the hands of a malicious user it can easily be used to breach corporate policy. This can include circumventing content checking as well as exposing internal services to outside attack. The problems revolve around SSH's ability to tunnel other IP applications. These can be forward tunnels (used to forward application information up to the server) or rever
such a way that it will go undetected. Figure 3 shows a possible use for the forward tunnel capability of SSH which would permit this user to circumvent your content checks. To start, the user needs access to an external system running both an SSH server as well as an HTTP proxy server. Both of these services can easily be depl top with it configured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is
SSH's reverse tunnel capability can be even more dangerous. This is shown in Figure 4. In this example when the user runs the SSH client on the corporate desktop they request a reverse tunnel and specify which port the SSH server should open up. Any connection requests sent to the SSH on that port will be forwarded to the corporate desktop. The user then tells the SSH client which internal system should receive these data requests. and specify which port the SSH server should open up. Any connection requests sent to the S and specify

420 :Anonymous@Full Stomach.:2015/03/10(Tue) 12:22:16.52 ID:o2+sCt610
Similar to the last example, permitting any type of outbound VPN session establishment can lead to data leaks. While I will focus on Secure Shell (SSH) in this example, this problem is just as applicable to permitting outbound SSL or IPSec transmissions. All of these VPN solutions can typically be tunneled through any TCP port. This can lead to additional access being provided through a network perimeter without the knowledge of the local IT group.

SSH is a multi-platform VPN solution. While it is typically used as a secure replacement for clear text tools such as Telnet and FTP, for many years it has also had the ability to tunnel any TCP based application. As of the beginning of 2006, support for tunneling UDP, ICMP as well as other IP transports was added in as well.
nfigured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is usually a good choice, as this port is usually not scrutinized.

SSH is not an evil tool per se. In the hands of a system or security administrator it can be an invaluable tool that helps to augment security as well as simplify many daily tasks. The problem with SSH is that in the hands of a malicious user it can easily be used to breach corporate policy. This can include circumventing content checking as well as exposing internal services to outside attack. The problems revolve around SSH's ability to tunnel other IP applications. These can be forward tunnels (used to forward application information up to the server) or rever
such a way that it will go undetected. Figure 3 shows a possible use for the forward tunnel capability of SSH which would permit this user to circumvent your content checks. To start, the user needs access to an external system running both an SSH server as well as an HTTP proxy server. Both of these services can easily be depl top with it configured to create a forward tunnel to the proxy server. Once they log on via SSH, it's now just a simple matter of configuring the browser to use a proxy server located at the loopback address. When the user browses the Web, the connection requests are sent through the SSH session to the HTTP proxy located on the Internet. As content passes the corporate perimeter, it is encrypted as part of the SSH session. While you can attempt to thwart this activity by blocking outbound access to SSH's well known port (TCP/22), the user can easily configure SSH to run over any TCP port. Again, TCP/443 is
SSH's reverse tunnel capability can be even more dangerous. This is shown in Figure 4. In this example when the user runs the SSH client on the corporate desktop they request a reverse tunnel and specify which port the SSH server should open up. Any connection requests sent to the SSH on that port will be forwarded to the corporate desktop. The user then tells the SSH client which internal system should receive these data requests. and specify which port the SSH server should open up. Any connection requests sent to the S and specify
