A problem after a firewall - no matter how secure the firewall is
itself - is that users put (for whatever reason) connections to
the "secure" side that act as backdoors.
How do you determine if such a thing has been done (after the connection has been made but before disaster befalls)? I'm
looking at the output of netstat on every node at both the
routes and the remote nodes connected to. I use a simple script
to extract the information from netstat and netstat -r. Does anyone
have other recommendations?