
Are my network sys admins just lazy???
tintub
Mac Elite
Join Date: Jan 2003
Location: Melbourne, AU (from Bristol UK)
Mar 20, 2003, 07:03 PM
 
Here at work we are unfortunate to run Windows 2000/XP on all our machines, and all the servers etc. are AFAIK Windows 2000 server. Whatever - it's all MS stuff.

I want the firewall opened so that I can SSH out to other boxes. Firstly, because I want to use files that are on other boxes and be able to edit them etc. Secondly, because I would like to use IRC (for work purposes - #php etc), and they don't want to open that port here either. He offered to open the SSH port for 30-60 mins, but that's not really much use to me.

Is it really that dangerous to keep a port open? IMO it is pretty lazy adminning just to say 'well we won't allow any ports to be opened and then nothing bad will happen'. It makes life harder for us developers if we haven't got IRC.

Are my Network Admins lazy or responsible?
     
thunderous_funker
Addicted to MacNN
Join Date: May 2002
Location: Beautiful Downtown Portland
Mar 20, 2003, 07:17 PM
 
There is a firewall between your workstation and the development machines?

Are you working from a remote location or something?

I would certainly not want a firewall between employee network and servers that host development projects. Sounds like a total nuisance to me.

Or are these servers the same as the ones hosting live sites?

I can understand them being anal about opening holes in the firewall. It's not something that admins like to do. I'm just questioning their network design that sounds like it creates more trouble than it's worth.
"There he goes. One of God's own prototypes. Some kind of high powered mutant never even considered for mass production. Too weird to live, and too rare to die." -- Hunter S. Thompson
     
tintub  (op)
Mac Elite
Join Date: Jan 2003
Location: Melbourne, AU (from Bristol UK)
Mar 20, 2003, 07:25 PM
 
Originally posted by thunderous_funker:
There is a firewall between your workstation and the development machines?

Are you working from a remote location or something?

I would certainly not want a firewall between employee network and servers that host development projects. Sounds like a total nuisance to me.

Or are these servers the same as the ones hosting live sites?

I can understand them being anal about opening holes in the firewall. It's not something that admins like to do. I'm just questioning their network design that sounds like it creates more trouble than it's worth.
No - I want to SSH out into the wild world of the Internet. Obviously within our intranet I can go wherever I please (assuming I have privs). I mainly want to SSH into my own, personal, web server, which I can use IRC from and also which is running some code of mine that I am working on both for myself and for work. Otherwise, if they just opened the IRC port (6667?) here then I would be happy, as I can cope without getting at the code since I can get it after hours and email it to myself.
     
thunderous_funker
Addicted to MacNN
Join Date: May 2002
Location: Beautiful Downtown Portland
Mar 20, 2003, 07:33 PM
 
Originally posted by tintub:
No - I want to SSH out into the wild world of the Internet. Obviously within our intranet I can go wherever I please (assuming I have privs). I mainly want to SSH into my own, personal, web server, which I can use IRC from and also which is running some code of mine that I am working on both for myself and for work. Otherwise, if they just opened the IRC port (6667?) here then I would be happy, as I can cope without getting at the code since I can get it after hours and email it to myself.
I see. Well, they might be lazy, but it's not an uncommon policy. Admins don't like messing with firewalls for even short periods of time. I had a Cisco engineer who wanted access to something behind our firewall to assist with some troubleshooting. You can believe the hoops I had to jump through to get it approved--and I'm the admin!! Here, only the CTO can make that kind of override.

Sorry.
"There he goes. One of God's own prototypes. Some kind of high powered mutant never even considered for mass production. Too weird to live, and too rare to die." -- Hunter S. Thompson
     
RMXO
Grizzled Veteran
Join Date: Sep 2002
Location: Silicon Valley, CA
Mar 20, 2003, 07:57 PM
 
here is a hint from an IT admin guy. be nice to IT ppl in your company. or better yet, be nice to certain IT person........

plus, if it's against company policy to open ports then don't expect anyone to break that policy to make u happy......
MacBook Pro 15" Unibody | iPhone 16GB 3G
     
tintub  (op)
Mac Elite
Join Date: Jan 2003
Location: Melbourne, AU (from Bristol UK)
Mar 20, 2003, 08:04 PM
 
Originally posted by RMXO:
here is a hint from an IT admin guy. be nice to IT ppl in your company. or better yet, be nice to certain IT person........

plus, if it's against company policy to open ports then don't expect anyone to break that policy to make u happy......
We all get on. I don't think it is against company policy to open ports, it's the network admin's policy, since the 'company' don't have a clue.

But when you are sacrificing usefulness for security, where do you draw the line? With IRC, I can often find the solution to a problem in a much faster time than otherwise. Now what is the security issue with opening port 6667 (and doesn't it pale into insignificance when compared to the security issue of using Windows instead of a secured *nix?)
     
macvillage.net
Addicted to MacNN
Join Date: Sep 2000
Mar 20, 2003, 08:18 PM
 
I think it's just for liability. If they open it, and you do something stupid (not saying you will, or could.. but just saying if)... they would be so liable it wouldn't even be funny... since there was contact between you and them. A company not knowing, but attempting to block illegal activity is not totally immune, but ok...

I think nobody wants to take the liability. Just because there would be the "why didn't you ask more questions before opening the port?" type stuff to hear.
     
RMXO
Grizzled Veteran
Join Date: Sep 2002
Location: Silicon Valley, CA
Mar 20, 2003, 08:37 PM
 
Originally posted by macvillage.net:
I think it's just for liability. If they open it, and you do something stupid (not saying you will, or could.. but just saying if)... they would be so liable it wouldn't even be funny... since there was contact between you and them. A company not knowing, but attempting to block illegal activity is not totally immune, but ok...

I think nobody wants to take the liability. Just because there would be the "why didn't you ask more questions before opening the port?" type stuff to hear.
yeap. it's about liability. his ass would be on the line if something went wrong. i have been known to do favors for friends but at least i knew they were my personal friends & didn't have to worry about him/her covering their ass if they screwed up or if something went wrong. guess it's all about job security nowadays.
MacBook Pro 15" Unibody | iPhone 16GB 3G
     
Demonhood
Administrator
Join Date: Mar 2000
Location: Land of the Easily Amused
Mar 20, 2003, 09:00 PM
 
install this somewhere.
     
olePigeon
Clinically Insane
Join Date: Dec 1999
Mar 20, 2003, 09:03 PM
 
Exact same scenario at my school.

Just so happens they're running Windows for their server here too, so anything other than ports 80 and 81 is considered a security hazard.

Of course, ports 80 and 81 are also security hazards since a properly formatted HTTP request from a website or email can allow you to run code on any PC.

I'm surprised they don't block off absolutely everything and tell us to use our imagination.
"…I contend that we are both atheists. I just believe in one fewer god than
you do. When you understand why you dismiss all the other possible gods,
you will understand why I dismiss yours." - Stephen F. Roberts
     
tintub  (op)
Mac Elite
Join Date: Jan 2003
Location: Melbourne, AU (from Bristol UK)
Mar 20, 2003, 09:18 PM
 
Originally posted by Demonhood:
install this somewhere.
Thanks. I tried it but to no avail. We just have an HTTP proxy. I tried tunneling through it but I just get a 403 error. I think I would have to still get the port opened on the proxy. Or maybe I am just using it wrong?
     
Phanguye
Mac Elite
Join Date: Oct 2001
Location: Umbrella Research Center
Mar 20, 2003, 10:23 PM
 
download the program http tunnel... that might work... but it should just route everything through http proxy... the firewall won't even know what is going on

http://www.nocrew.org/software/httptunnel.html

there is the link
     
The Mick
Senior User
Join Date: Dec 2002
Location: Rocky Mountain High in Colorado
Mar 20, 2003, 11:22 PM
 
Rather than going directly to the network admin, try making a business case to your department manager and see if he can put the request in to the IT dept from the top. Frankly, I work as a systems and network consultant, and I would never open IRC and SSH for one employee just because he/she asked me to. It's too risky and I don't need the liability floating over my head. However, if a higher-up in the company said to open it, I would inform him/her of the risks, then if they said to do it anyway, I would. It may sound stingy and anal to you, but data integrity and security are among our most important responsibilities. He's most likely not being an arsehole, he's protecting himself.

I'm not going to call an ambulance this time because then you won't learn anything.
     
macvillage.net
Addicted to MacNN
Join Date: Sep 2000
Mar 21, 2003, 12:00 AM
 
Originally posted by The Mick:
Rather than going directly to the network admin, try making a business case to your department manager and see if he can put the request in to the IT dept from the top. Frankly, I work as a systems and network consultant, and I would never open IRC and SSH for one employee just because he/she asked me to. It's too risky and I don't need the liability floating over my head. However, if a higher-up in the company said to open it, I would inform him/her of the risks, then if they said to do it anyway, I would. It may sound stingy and anal to you, but data integrity and security are among our most important responsibilities. He's most likely not being an arsehole, he's protecting himself.
Good point.

If I were in the position (and hope to be once I finish school, heck I'm a Business MIS Major)... I wouldn't do it for an individual... but would if someone higher up knew the risks, and said it was needed.

Protection is important, but if the technology doesn't serve the needs of the business... then what's the point?
     
BkueKanoodle
Senior User
Join Date: Jan 2003
Mar 21, 2003, 02:26 AM
 
I agree with The Mick. As a Net Admin myself, I would have serious qualms about opening up IRC for one employee, among other things.

Also do not try and use anything to get "around" the firewall. Eventually they will find out, and then you will have pissed off your IT department.

Having worked in IT for a long time, I can tell you that we always know more about what's going on in the company than we let on, so tread carefully.
15" Macbook Pro 1.83 2 GB RAM
Blackbook 13.3 Powerhouse 2 GB RAM
MacMini Dual Core 2 GB RAM (Sadly running Windows Most of the time)
Numerous Workstations running windows and Linux. Sorry don't have the specs, I don't pay much attention to them anymore. :)
     
tintub  (op)
Mac Elite
Join Date: Jan 2003
Location: Melbourne, AU (from Bristol UK)
Mar 21, 2003, 03:25 AM
 
Originally posted by BkueKanoodle:
I agree with The Mick. As a Net Admin myself, I would have serious qualms about opening up IRC for one employee, among other things.

Also do not try and use anything to get "around" the firewall. Eventually they will find out, and then you will have pissed off your IT department.

Having worked in IT for a long time, I can tell you that we always know more about what's going on in the company than we let on, so tread carefully.
I should point out that I am IN the (relatively small) IT department. We have about 5 programmers (of which I am one), a helpdesk guy, and 2 sys admins (who do different things but not sure how it works out). And we have a manager. We all work in the same room, and when I install something to get through the firewall, it isn't sneakily. He is happy for me to use stuff that goes out through the proxy, and even helped me out with the proxy settings. He just doesn't want to open up another port.

It isn't a large faceless company, so I don't think it will be a problem. I am going to try and install a CGI IRC client on my server, and that will solve most of my problems. If I need to get it opened, I am sure my boss will persuade the sys admin to open it (against the sys admin's better advice I am sure)
     
olePigeon
Clinically Insane
Join Date: Dec 1999
Mar 21, 2003, 03:42 AM
 
You could try telnetting to the Firewall.

You'd be amazed how many sys admins leave the telnet open and don't bother changing the default password.

Some people never understand what the serial port is for.
"…I contend that we are both atheists. I just believe in one fewer god than
you do. When you understand why you dismiss all the other possible gods,
you will understand why I dismiss yours." - Stephen F. Roberts
     
   
 