Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1534
Views
0
Helpful
2
Replies

FTD detecting SSH Tunneled traffic?

cpaquet
Level 1
Level 1

‎11-03-2020 01:01 PM

I know FTD can block traffic based on Application and/or port.  So, I could create one ACP rule to block TCP 22 and/or I could also create a ACP Rule for blocking SSH and OpenSSH traffic.

 

Question: Is there a way to block, let's say SSH when it tunnels HTTP but not when it carries native SSH traffic?  SSH is encrypted traffic, so it would mean that the firewall would need to do a MITM on the 1st connection between the SSH client and the server.  I don't think that FTD can do MITM on SSH.

 

Thanks for letting me know your thoughts on this.

0 Helpful
2 Replies 2

Mohammed al Baqari
Level 11
Level 11

‎11-03-2020 11:08 PM

I don't think you can detect it because it's encrypted as you listed. SSH
Preprocessor can detect mailformation in SSH traffic but not encoded
traffic.


**** please remember to rate useful posts
0 Helpful

Marius Gunnerud
VIP
VIP

‎11-04-2020 12:07 AM

If you are talking about blocking SSH over non-standard ports then this should be possible using IPS.  You do not need to do MITM to block tunneling over HTTP as HTTP will not encrypt the payload (over HTTPS then you would need to do MITM).

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card