This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mike_Schepers
Participant
‎2019-10-25 10:32 AM

Can Outbound SSH be Secured?

With the proliferation of cloud services being used by both our customers and partners, we are getting dramatically increased pressure to allow outbound (internally initialed) SSH access between our company and these various customer and partner systems that are running on cloud services. We have no issue with using SSH for terminal access, but are concerned because of how SSH can be used to tunnel traffic. 

I understand that what makes SSH problematic to inspect is that it’s based on self-signed certificates, rather than PKI, so you can’t do decryption inspection like you can with a typical browser/HTTP access.

Are others in this community facing this same dilemma?  Should we be overly concerned about this? What are some ways that we can provide the access that is being requested as securely as possible?

I would appreciate any and all suggestions... whether or not this advice is purely based on CheckPoint policy/configuration or some other solution.

Thank you,

Mike

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2019-10-25 10:43 AM

Here's what I wrote a few years ago on this topic, which is still valid advice: http://phoneboy.org/2015/07/30/the-right-way-to-inspect-ssh-connections/

It's worth noting that Check Point is planning to support inbound SSH inspection in R80.40, with outbound SSH inspection on the roadmap.
Timothy_Hall
Legend Legend
Legend
‎2021-08-19 07:30 AM
In response to PhoneBoy

Sorry to bump such an old thread but SSH Deep Packet Inspection was introduced in R80.40+ and is documented in the R80.40+ Threat Prevention Administration Guide.  It is a CLI-based setup and not configured from the SmartConsole, even as of R81.10.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top