cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted

Can Outbound SSH be Secured?

With the proliferation of cloud services being used by both our customers and partners, we are getting dramatically increased pressure to allow outbound (internally initialed) SSH access between our company and these various customer and partner systems that are running on cloud services. We have no issue with using SSH for terminal access, but are concerned because of how SSH can be used to tunnel traffic. 

I understand that what makes SSH problematic to inspect is that it’s based on self-signed certificates, rather than PKI, so you can’t do decryption inspection like you can with a typical browser/HTTP access.

Are others in this community facing this same dilemma?  Should we be overly concerned about this? What are some ways that we can provide the access that is being requested as securely as possible?

I would appreciate any and all suggestions... whether or not this advice is purely based on CheckPoint policy/configuration or some other solution.

Thank you,

Mike

 

0 Kudos
1 Reply
Highlighted
Admin
Admin

Re: Can Outbound SSH be Secured?

Here's what I wrote a few years ago on this topic, which is still valid advice: http://phoneboy.org/2015/07/30/the-right-way-to-inspect-ssh-connections/

It's worth noting that Check Point is planning to support inbound SSH inspection in R80.40, with outbound SSH inspection on the roadmap.