Mike_Schepers
Participant

Can Outbound SSH be Secured?

With the proliferation of cloud services being used by both our customers and partners, we are getting dramatically increased pressure to allow outbound (internally initiated) SSH access between our company and these various customer and partner systems that are running on cloud services. We have no issue with using SSH for terminal access, but are concerned because of how SSH can be used to tunnel traffic.

I understand that what makes SSH problematic to inspect is that it’s based on self-signed certificates, rather than PKI, so you can’t do decryption inspection like you can with a typical browser/HTTP access.

Are others in this community facing this same dilemma?  Should we be overly concerned about this? What are some ways that we can provide the access that is being requested as securely as possible?

I would appreciate any and all suggestions... whether or not this advice is purely based on CheckPoint policy/configuration or some other solution.

Thank you,

Mike

 

2 Replies
PhoneBoy
Admin

Here's what I wrote a few years ago on this topic, which is still valid advice: http://phoneboy.org/2015/07/30/the-right-way-to-inspect-ssh-connections/

It's worth noting that Check Point is planning to support inbound SSH inspection in R80.40, with outbound SSH inspection on the roadmap.
Timothy_Hall
Legend

Sorry to bump such an old thread but SSH Deep Packet Inspection was introduced in R80.40+ and is documented in the R80.40+ Threat Prevention Administration Guide.  It is a CLI-based setup and not configured from the SmartConsole, even as of R81.10.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
