topic Re: FTD detecting SSH Tunneled traffic? in Network Security

FTD detecting SSH Tunneled traffic?

cpaquet — Tue, 03 Nov 2020 21:01:25 GMT

I know FTD can block traffic based on Application and/or port. So, I could create one ACP rule to block TCP 22 and/or I could also create a ACP Rule for blocking SSH and OpenSSH traffic.

Question: Is there a way to block, let's say SSH when it tunnels HTTP but not when it carries native SSH traffic? SSH is encrypted traffic, so it would mean that the firewall would need to do a MITM on the 1st connection between the SSH client and the server. I don't think that FTD can do MITM on SSH.

Thanks for letting me know your thoughts on this.

Re: FTD detecting SSH Tunneled traffic?

Mohammed al Baqari — Wed, 04 Nov 2020 07:08:13 GMT

I don't think you can detect it because it's encrypted as you listed. SSH
Preprocessor can detect mailformation in SSH traffic but not encoded
traffic.

**** please remember to rate useful posts

Re: FTD detecting SSH Tunneled traffic?

Marius Gunnerud — Wed, 04 Nov 2020 08:07:47 GMT

If you are talking about blocking SSH over non-standard ports then this should be possible using IPS. You do not need to do MITM to block tunneling over HTTP as HTTP will not encrypt the payload (over HTTPS then you would need to do MITM).