[fw-wiz] Firewal with SSH inspection? (was Re: Firewall bake-off?)

On 3/19/07, Jim MacLeod <jmacleod@xxxxxxxxx> wrote:
Similarly, a layer 7 proxy does not provide any more security than a
layer 4 stateful packet filter - for a given protocol - if the layer 7
element does not enforce rules for that protocol.

Aside from some grumblings about fragment reassembly, you won't find
any arguments against that statement here.

My favorite example
is ssh: port forwarding allows a lot of sins to be hidden from
centralized access control, but "it's encrypted, so it must be
secure." (Yes, there are ssh proxies that can address this, but
they're not a common feature in firewalls.)

Are there ssh proxies that can address this?

I know smart MITM proxies exist for SSL/TLS, but didn't realize there
are transparent SSH proxies which can permit SSH logins and SCP/SFTP,
but block (or better yet, control) port forwarding?

I've been looking for this for a couple of years, but all I hear from
vendors is "someday, soon".

Currently I have a vendor who *insists* they need to tunnel outbound
SSH from a production "appliance" over TCP/443 to an Internet host in
the middle east, and doesn't understand why we can't change the policy
to permit this "VPN".

Actually, at first they didn't understand why the connections were
failing, saying "But it 'just works' everywhere else we have this
model server installed".


Kevin "I've got a project and a budget if you have a product" Kadow
firewall-wizards mailing list