Re: [fw-wiz] Firewal with SSH inspection? (was Re: Firewall bake-off?)


well, i plan implementing reasonable non-transparent ssh
proxy for interactive sessions first and think on scp later maybe..

On Mon, Mar 19, 2007 at 07:19:09PM -0500, K K wrote:

My favorite example
is ssh: port forwarding allows a lot of sins to be hidden from
centralized access control, but "it's encrypted, so it must be
secure." (Yes, there are ssh proxies that can address this, but
they're not a common feature in firewalls.)

Are there ssh proxies that can address this?

I know smart MITM proxies exist for SSL/TLS, but didn't realize there
are transparent SSH proxies which can permit SSH logins and SCP/SFTP,
but block (or better yet, control) port forwarding?

I've been looking for this for a couple of years, but all I hear from
vendors is "someday, soon".

Currently I have a vendor who *insists* they need to tunnel outbound
SSH from a production "appliance" over TCP/443 to an Internet host in
the middle east, and doesn't understand why we can't change the policy
to permit this "VPN".

Actually, at first they didn't understand why the connections were
failing, saying "But it 'just works' everywhere else we have this
model server installed".


Kevin "I've got a project and a budget if you have a product" Kadow
firewall-wizards mailing list
firewall-wizards mailing list