Re: SSH tunneling/port forwarding and stateful packet inspection
From: Richard E. Silverman (res_at_qoxp.net)
Date: 02/27/04
- Next message: Nico Kadel-Garcia: "Re: Proposed enhancement to scp"
- Previous message: Darren Tucker: "Re: Proposed enhancement to scp"
- In reply to: steve: "Re: SSH tunneling/port forwarding and stateful packet inspection"
- Next in thread: Darren Tucker: "Re: SSH tunneling/port forwarding and stateful packet inspection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 26 Feb 2004 22:28:36 -0500
> I never said it WAS ssl traffic. I said the trace showed it to be ssl
> traffic and I know full well it is not.
You wrote, several times, that your "packet showed it was SSL" traffic.
You never mentioned that you knew it wasn't, and also wrote that the
firewall could not see inside the stream because it was encrypted by SSL,
which is incorrect. All this suggested you thought there was an SSL
connection somewhere in this scenario, so I was making sure you understood
there wasn't.
> So cut out the condescending tone already.
I'm sorry you saw it that way. I was not trying to be condescending; I
was trying to help you. If you'd rather I not bother, I will be more than
happy to drop it.
> I also know it is labeling it as such, which brings me back to my
> original point AND leads me to pose my next question - are there any
> firewalls that can see and block this type of traffic
What kind of traffic, exactly? I'm still not sure what you would like your
putative firewall to do.
If your question is this: "Is there a firewall that can selectively block
port-forwarding channels within an SSH connection based on their
destination sockets?" -- then the answer is of course, no. SSH
connections are encrypted; if a firewall could see inside them, this would
constitute a successful man-in-the-middle attack against SSH.
> (and not based on the previous response to "shut down traffic" based on
> the packet carrying "anything that says SSH" - this is plain
> ridiculous).
It was not ridiculous; Darren made a sincere and helpful attempt to
understand what you were trying to say -- which has been very unclear so
far -- and to make a suggestion. Ridiculing people who are trying to help
you is a good way to get no more help.
> > ... the port-forwarded TCP connections would still not be blocked by
> > the firewall, as the forwarding is happening at an entirely different
> > level, as I pointed out in my last post.
>
> I fail to see where you pointed that out. And when talking about
> "level" do you mean layers? If so, what layer would that be - I
> would hope it would be on another layer.
There is nothing resembling a TCP connection corresponding to the SSH leg
of a port-forwarding -- there is only a channel within the SSH connection,
i.e. an application-layer protocol construct. This is a) invisible due to
encryption, and b) even if it were cleartext it would require the firewall to
track the complete state of the SSH Transport and Connection protocols
in order to even recognize them; this is much more than most firewalls
ever attempt to penetrate into layers above TCP. Furthermore, it could
not selectively block channels even if it could see them and wanted to,
since they do not consist of discrete sets of IP packets the firewall can
drop. It would have to essentially act as a stealth TCP-layer proxy and
hijack/alter the SSH TCP connection in order to do this -- which would
fail because of SSH integrity checking.
In short, this is simply not something which fits the model of a layer-3
forwarding device.
-- Richard Silverman res@qoxp.net
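To make the point above concrete, here is an added example (not part of the original thread) that encodes and decodes the RFC 4254 "direct-tcpip" CHANNEL_OPEN request carrying a forwarded connection's destination socket. The host and port are ordinary fields of the SSH Connection protocol, which is itself carried inside the encrypted transport packets of the one SSH TCP connection; nothing at layer 3 or 4 corresponds to them. The sample values (hosts, ports, window sizes) are constructed.

```python
# Added example: the plaintext layout of a direct-tcpip channel-open request
# (RFC 4254, section 7.2). In a live session this whole payload is encrypted
# and MAC-protected by the Transport layer before it touches TCP.
import struct

SSH_MSG_CHANNEL_OPEN = 90  # message number from RFC 4254, section 5.1


def _string(b: bytes) -> bytes:
    """SSH 'string' wire type: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def encode_direct_tcpip(sender_channel, window, max_packet,
                        host, port, orig_ip, orig_port) -> bytes:
    """Build the payload a client sends to open a forwarded TCP channel."""
    return (bytes([SSH_MSG_CHANNEL_OPEN])
            + _string(b"direct-tcpip")
            + struct.pack(">III", sender_channel, window, max_packet)
            + _string(host.encode()) + struct.pack(">I", port)       # destination socket
            + _string(orig_ip.encode()) + struct.pack(">I", orig_port))  # originator


def decode_direct_tcpip(payload: bytes) -> dict:
    """Parse the request; raise ValueError for any other channel type."""
    def take_string(off):
        (n,) = struct.unpack_from(">I", payload, off)
        return payload[off + 4:off + 4 + n], off + 4 + n

    if not payload or payload[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not SSH_MSG_CHANNEL_OPEN")
    ctype, off = take_string(1)
    if ctype != b"direct-tcpip":
        raise ValueError("channel type %r is not direct-tcpip" % ctype)
    sender, window, maxpkt = struct.unpack_from(">III", payload, off)
    off += 12
    host, off = take_string(off)
    (port,) = struct.unpack_from(">I", payload, off)
    off += 4
    orig_ip, off = take_string(off)
    (orig_port,) = struct.unpack_from(">I", payload, off)
    return {"sender_channel": sender, "window": window, "max_packet": maxpkt,
            "host": host.decode(), "port": port,
            "originator": (orig_ip.decode(), orig_port)}
```

Only the decoder, sitting at the SSH endpoint after decryption, can recover the destination socket; a packet filter in the path sees one TCP flow to port 22 regardless of how many such channels it carries.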