topic Re: Can Outbound SSH be Secured? in General Topics

Can Outbound SSH be Secured?

Mike_Schepers — Fri, 25 Oct 2019 17:32:56 GMT

With the proliferation of cloud services being used by both our customers and partners, we are getting dramatically increased pressure to allow outbound (internally initialed) SSH access between our company and these various customer and partner systems that are running on cloud services. We have no issue with using SSH for terminal access, but are concerned because of how SSH can be used to tunnel traffic.

I understand that what makes SSH problematic to inspect is that it’s based on self-signed certificates, rather than PKI, so you can’t do decryption inspection like you can with a typical browser/HTTP access.

Are others in this community facing this same dilemma? Should we be overly concerned about this? What are some ways that we can provide the access that is being requested as securely as possible?

I would appreciate any and all suggestions... whether or not this advice is purely based on CheckPoint policy/configuration or some other solution.

Thank you,

Mike

Re: Can Outbound SSH be Secured?

PhoneBoy — Fri, 25 Oct 2019 17:43:10 GMT

Here's what I wrote a few years ago on this topic, which is still valid advice: http://phoneboy.org/2015/07/30/the-right-way-to-inspect-ssh-connections/

It's worth noting that Check Point is planning to support inbound SSH inspection in R80.40, with outbound SSH inspection on the roadmap.

Re: Can Outbound SSH be Secured?

Timothy_Hall — Thu, 19 Aug 2021 14:30:59 GMT

Sorry to bump such an old thread but SSH Deep Packet Inspection was introduced in R80.40+ and is documented in the R80.40+ Threat Prevention Administration Guide. It is a CLI-based setup and not configured from the SmartConsole, even as of R81.10.