Firewall Wizards mailing list archives
Firewal with SSH inspection? (was Re: Firewall bake-off?)
From: "K K" <kkadow () gmail com>
Date: Mon, 19 Mar 2007 19:19:09 -0500
On 3/19/07, Jim MacLeod <jmacleod () gmail com> wrote:
Similarly, a layer 7 proxy does not provide any more security than a layer 4 stateful packet filter - for a given protocol - if the layer 7 element does not enforce rules for that protocol.
Aside from some grumblings about fragment reassembly, you won't find any arguments against that statement here.
My favorite example is ssh: port forwarding allows a lot of sins to be hidden from centralized access control, but "it's encrypted, so it must be secure." (Yes, there are ssh proxies that can address this, but they're not a common feature in firewalls.)
Are there ssh proxies that can address this? I know smart MITM proxies exist for SSL/TLS, but didn't realize there are transparent SSH proxies which can permit SSH logins and SCP/SFTP, but block (or better yet, control) port forwarding? I've been looking for this for a couple of years, but all I hear from vendors is "someday, soon". Currently I have a vendor who *insists* they need to tunnel outbound SSH from a production "appliance" over TCP/443 to an Internet host in the middle east, and doesn't understand why we can't change the policy to permit this "VPN". Actually, at first they didn't understand why the connections were failing, saying "But it 'just works' everywhere else we have this model server installed". Thanks, Kevin "I've got a project and a budget if you have a product" Kadow _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Firewal with SSH inspection? (was Re: Firewall bake-off?) K K (Mar 19)
- Re: Firewal with SSH inspection? (was Re: Firewall bake-off?) ArkanoiD (Mar 20)
- Re: Firewal with SSH inspection? (was Re: Firewall bake-off?) Magosányi Árpád (Mar 20)