Re: SSH tunneling/port forwarding and stateful packet inspection

From: steve (steph19731_at_yahoo.com)
Date: 02/26/04


Date: 25 Feb 2004 15:44:53 -0800

res@qoxp.net (Richard E. Silverman) wrote in message news:<96aea0e5.0402242202.2aebd7bb@posting.google.com>...
> > ... However, in doing a packet trace, I saw that the header of the
> > packet really is ssl traffic, but the actual port 3389 (term server)
> > traffic a) encrypted and b) encapsulated. So as far as teh SPI
> > functionality of the firewall is concerned, it is SSL traffic.
>
> Your terminology is confused and you want "SSH" here, not "SSL" (these are
> two entirely different protocols) -- but I suppose you've got the idea.
> All the firewall can see is a TCP connection whose contents are entirely
> opaque because they are encrypted. The fact that the connection is being
> to forward traffic between two other TCP connections elsewhere is
> invisible to the firewall.

My terminology is not mixed up. According to my packet trace, because
I have reconfigured SSH to run over port 443 the trace shows it as SSL
traffic. Of course the contents are encrypted. This is my whole
conclusion why the stateful packet inspection capabilities of the
firewall do not blow it going outbound. Because to it, it is just an
SSL packet encapsulating SSH data, which of course is encrypted.



Relevant Pages

  • RE: [fw-wiz] HTTPS proxy solutions
    ... Apache listens on the exterior (through a firewall), accepts the SSL ... connection and forwards the clear text HTTP to another internal server. ... What I'm thinking of is a proxy that gathers information about name ...
    (Firewall-Wizards)
  • =?Utf-8?Q?Re:_DNS_und_Zertifikatsprobleme_?= =?Utf-8?Q?bei_dummer_Dom=C3=A4nenbezeichnung?=
    ... SSL POP ist doch ok, oder was gäbe es dagegen zu sagen? ... Exchange wird per 1:1 NAT erreicht. ... Dann ist das keine Firewall sondern ein NAT-Router. ...
    (microsoft.public.de.exchange)
  • AW: SSL connections through firewall
    ... Subject: AW: SSL connections through firewall ... -For virus protection, have a corporate version of Virus Server. ...
    (Security-Basics)
  • RE: SSL connections through firewall
    ... the Corporate virus scanner. ... SSL would encrypt and authenticate. ... Subject: AW: SSL connections through firewall ...
    (Security-Basics)
  • Re: IIS Logon Credentials
    ... As far as SSL is concerned, ... Steve ... >would best to use 'basic' together with SSL to secure ... >> accessing through a cisco pix firewall via the ...
    (microsoft.public.inetserver.iis.security)