Re: Firewal with SSH inspection? (was Re: Firewall bake-off?)

[ArkanoiD <ark () eltex net>]

nuqneH,

well, i plan implementing reasonable non-transparent ssh
proxy for interactive sessions first and think on scp later maybe..

On Mon, Mar 19, 2007 at 07:19:09PM -0500, K K wrote:
> > My favorite example
> > is ssh: port forwarding allows a lot of sins to be hidden from
> > centralized access control, but "it's encrypted, so it must be
> > secure."  (Yes, there are ssh proxies that can address this, but
> > they're not a common feature in firewalls.)
>
> Are there ssh proxies that can address this?
>
> I know smart MITM proxies exist for SSL/TLS, but didn't realize there
> are transparent SSH proxies which can permit SSH logins and SCP/SFTP,
> but block (or better yet, control) port forwarding?
>
> I've been looking for this for a couple of years, but all I hear from
> vendors is "someday, soon".
>
> Currently I have a vendor who *insists* they need to tunnel outbound
> SSH from a production "appliance" over TCP/443 to an Internet host in
> the middle east, and doesn't understand why we can't change the policy
> to permit this "VPN".
>
> Actually, at first they didn't understand why the connections were
> failing, saying "But it 'just works' everywhere else we have this
> model server installed".
>
>
> Thanks,
>
> Kevin "I've got a project and a budget if you have a product" Kadow
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards