Firewall Wizards mailing list archives
Re: Firewal with SSH inspection? (was Re: Firewall bake-off?)
From: ArkanoiD <ark () eltex net>
Date: Tue, 20 Mar 2007 17:19:45 +0300
nuqneH, well, I plan to implement a reasonable non-transparent ssh proxy for interactive sessions first and think about scp later, maybe..

On Mon, Mar 19, 2007 at 07:19:09PM -0500, K K wrote:
> > My favorite example is ssh: port forwarding allows a lot of sins to be hidden from centralized access control, but "it's encrypted, so it must be secure." (Yes, there are ssh proxies that can address this, but they're not a common feature in firewalls.)
>
> Are there ssh proxies that can address this? I know smart MITM proxies exist for SSL/TLS, but didn't realize there are transparent SSH proxies which can permit SSH logins and SCP/SFTP, but block (or better yet, control) port forwarding? I've been looking for this for a couple of years, but all I hear from vendors is "someday, soon".
>
> Currently I have a vendor who *insists* they need to tunnel outbound SSH from a production "appliance" over TCP/443 to an Internet host in the Middle East, and doesn't understand why we can't change the policy to permit this "VPN". Actually, at first they didn't understand why the connections were failing, saying "But it 'just works' everywhere else we have this model server installed".
>
> Thanks,
> Kevin "I've got a project and a budget if you have a product" Kadow
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
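The vendor case Kevin describes (SSH pushed straight out over TCP/443 so that it passes as HTTPS) is the one piece of this problem a firewall can catch without an SSH proxy at all: RFC 4253 requires the SSH client to open the connection with a cleartext identification string ("SSH-2.0-..." CR LF) before any key exchange, whereas a TLS client opens with a handshake record carrying a ClientHello. The following is an added example, not code from the thread or from any of the posters, showing protocol identification on the first bytes of a client's 443 flow. The sample payloads are constructed for the example and the `decide` policy (SSH allowed only on the ports where it is expected, anything else on 443 that is neither TLS nor SSH alerted) is a hypothetical one.

```python
"""Protocol identification for TCP/443 flows: TLS, or SSH hiding on 443?

Added example, not code from the firewall-wizards thread. The SSH client
identification string (RFC 4253 section 4.2) is "SSH-protoversion-
softwareversion [SP comments] CR LF" and is sent in the clear before any
encryption; a TLS connection instead starts with a record of content type
0x16 (handshake) whose first handshake message is a ClientHello (type 0x01).
Sample payloads below are constructed for this example.
"""
import re
from enum import Enum


class Proto(Enum):
    TLS = "tls"
    SSH = "ssh"
    UNKNOWN = "unknown"


# Client identification string per RFC 4253. The client MUST send this as its
# first data; only a server may precede its own string with other lines.
SSH_IDENT = re.compile(
    rb"^SSH-(?P<ver>2\.0|1\.99|1\.[0-9]+)-(?P<sw>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n"
)


def classify_first_bytes(data: bytes) -> Proto:
    """Classify the first bytes a client sends on a new TCP connection."""
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04
    # (SSL 3.0 through the TLS 1.3 record version), 2-byte length, then the
    # handshake header whose first byte 0x01 means ClientHello.
    if (
        len(data) >= 6
        and data[0] == 0x16
        and data[1] == 0x03
        and data[2] <= 0x04
        and data[5] == 0x01
    ):
        return Proto.TLS
    if SSH_IDENT.match(data):
        return Proto.SSH
    return Proto.UNKNOWN


def ssh_software(data: bytes):
    """Return the softwareversion field of an SSH identification string, or None."""
    m = SSH_IDENT.match(data)
    return m.group("sw").decode("ascii", "replace") if m else None


def decide(dst_port: int, data: bytes, ssh_ports=(22,)) -> str:
    """Hypothetical policy (an assumption of this example): SSH is allowed only
    on the ports where the firewall expects it; an SSH banner anywhere else is
    blocked and the software version is recorded for follow-up; a 443 flow
    that is neither TLS nor SSH raises an alert instead of being passed."""
    proto = classify_first_bytes(data)
    if proto is Proto.SSH and dst_port not in ssh_ports:
        return f"block ssh-on-{dst_port} ({ssh_software(data)})"
    if proto is Proto.UNKNOWN and dst_port == 443:
        return "alert unknown-on-443"
    return "allow"


# Constructed sample payloads: the first bytes of each client's first segment.
SAMPLES = {
    # TLS 1.2 ClientHello: record header 16 03 01 <len>, handshake type 01.
    "https": bytes.fromhex("160301009e010000" "9a0303") + b"\x00" * 32,
    # An OpenSSH client sent straight to TCP/443, as in the vendor's "VPN".
    "ssh_on_443": b"SSH-2.0-OpenSSH_4.3\r\n",
    # Client advertising SSH 2.0 with 1.x compatibility (protoversion 1.99).
    "ssh_199": b"SSH-1.99-Cisco-1.25\n",
    # Plain HTTP on 443 is neither TLS nor SSH.
    "http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        proto = classify_first_bytes(payload).value
        print(f"{name:12s} {proto:8s} {decide(443, payload)}")
```

Two caveats a practitioner should keep in mind. First, this only identifies SSH that is sent directly on 443; SSH wrapped inside a genuine TLS session (stunnel and the like) presents a real ClientHello and passes as HTTPS, which is exactly the "it's encrypted, so it must be secure" problem the thread is about. Second, it says nothing about what happens inside an SSH session that policy does allow: distinguishing an interactive login or SCP/SFTP from a port-forwarding channel requires terminating the SSH session at a proxy, as ArkanoiD proposes, not just looking at the banner.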
Current thread:
- Firewal with SSH inspection? (was Re: Firewall bake-off?) K K (Mar 19)
- Re: Firewal with SSH inspection? (was Re: Firewall bake-off?) ArkanoiD (Mar 20)
- Re: Firewal with SSH inspection? (was Re: Firewall bake-off?) Magosányi Árpád (Mar 20)