Re: SSH tunneling/port forwarding and stateful packet inspection

From: Richard E. Silverman (res_at_qoxp.net)
Date: 02/26/04

• Next message: Per Hedeland: "Re: OpenSSH 3.8 Released"
• Previous message: Darren Tucker: "Re: SSH tunneling/port forwarding and stateful packet inspection"
• In reply to: steve: "Re: SSH tunneling/port forwarding and stateful packet inspection"
• Next in thread: steve: "Re: SSH tunneling/port forwarding and stateful packet inspection"
• Reply: steve: "Re: SSH tunneling/port forwarding and stateful packet inspection"
• Reply: steve: "Re: SSH tunneling/port forwarding and stateful packet inspection"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 25 Feb 2004 21:18:15 -0500

> My terminology is not mixed up. According to my packet trace, because I
> have reconfigured SSH to run over port 443 the trace shows it as SSL
> traffic.

You are mistaken. Your packet trace identifies the TCP connection as
carrying the SSL protocol simply because the destination port is 443,
which is the well-known port for HTTP over SSL. In other words, your
tracing tool is not inspecting the contents of the connection, merely
labelling it on the basis of the destination port -- which in this case is
misleading because you happen to be running an SSH server on the port
normally used for HTTPS.

> Of course the contents are encrypted. This is my whole conclusion why
> the stateful packet inspection capabilities of the firewall do not blow
> it going outbound. Because to it, it is just an SSL packet encapsulating
> SSH data, which of course is encrypted.

The data are indeed encrypted, but by SSH; there is no SSL connection
anywhere in this scenario. Also, even if it were not encrypted
(e.g. select the "none" cipher for the SSH connection), the port-forwarded
TCP connections would still not be blocked by the firewall, as the
forwarding is happening at an entirely different level, as I pointed out
in my last post.

-- 
  Richard Silverman
  res@qoxp.net

---

• Next message: Per Hedeland: "Re: OpenSSH 3.8 Released"
• Previous message: Darren Tucker: "Re: SSH tunneling/port forwarding and stateful packet inspection"
• In reply to: steve: "Re: SSH tunneling/port forwarding and stateful packet inspection"
• Next in thread: steve: "Re: SSH tunneling/port forwarding and stateful packet inspection"
• Reply: steve: "Re: SSH tunneling/port forwarding and stateful packet inspection"
• Reply: steve: "Re: SSH tunneling/port forwarding and stateful packet inspection"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: RWW with no https ... I do not consider a:8080 a url that is appropriate for a SSL end user connection. ... So just so we are all clear, RWW HAS to go over HTTPS. ... Even if I do https but port 8080 would not matter ... (microsoft.public.windows.server.sbs) UPDATE: Re: Question regarding SSH via Lantronix SCS100 ... to do SSH and to authenticate the SSH connection with a local ... unexpectedly closed connection'. ... CONSOLE or AUX port on the router, or does it matter, and what ... (comp.dcom.sys.cisco) Re: SSH options re: NAT ... No, SSH is two-fold, a call to it on the client side results in a call ... port, meaning that any connections that come into that port are answered ... programming practice for daemons) Once the connection is established, ... don't want to execute a command on the remote side and you use -N. ... (comp.security.ssh) Re: OpenSSH remote port forwarding ... use an outgoing SSH connection from here to the Internet... ... Incoming SSH it is possible and it is working. ... > I read many docs on the OpenSSH port forwarding, ... > (this command should open an ssh connection to public-machine and there, ... (comp.security.ssh) Re: SFTP ... > avoid port transient net devices dropping port 22 ... Port 21 is allocated for FTP, not SSH. ... SSH connection. ... Do not get it mixed up with FTPS. ... (SSH)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)