FTD detecting SSH Tunneled traffic?

11-03-2020 01:01 PM
I know FTD can block traffic based on Application and/or port. So, I could create one ACP rule to block TCP 22 and/or I could also create an ACP rule for blocking SSH and OpenSSH traffic.
Question: Is there a way to block, let's say SSH when it tunnels HTTP but not when it carries native SSH traffic? SSH is encrypted traffic, so it would mean that the firewall would need to do a MITM on the 1st connection between the SSH client and the server. I don't think that FTD can do MITM on SSH.
Thanks for letting me know your thoughts on this.
11-03-2020 11:08 PM
Preprocessor can detect malformation in SSH traffic but not encoded traffic.
**** please remember to rate useful posts
11-04-2020 12:07 AM
If you are talking about blocking SSH over non-standard ports then this should be possible using IPS. You do not need to do MITM to block tunneling over HTTP as HTTP will not encrypt the payload (over HTTPS then you would need to do MITM).
Please remember to select a correct answer and rate helpful posts
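To make the point of this answer concrete, here is an added example (my own code, not anything from Cisco or the thread): a small first-bytes classifier that does what an IPS or application detector does with the initial client payload of a TCP flow, independent of the destination port. It recognises the SSH identification string (RFC 4253, `SSH-<protoversion>-<softwareversion>`) and a cleartext HTTP request line, and it shows why the firewall can block SSH on a non-standard port but cannot tell native SSH from HTTP tunnelled through SSH: both arrive with the same banner and an opaque encrypted transport after it. The `Flow` type, the `classify` and `decide` functions, and all sample flows are constructed for this example.

```python
"""Port-independent application identification from a flow's first bytes.

Added example, not code from the original thread or from Cisco FTD/Snort.
The names Flow, classify, decide and the sample flows are all constructed.
"""
import re
from typing import NamedTuple, Tuple


class Flow(NamedTuple):
    dst_port: int          # TCP destination port as seen by the firewall
    first_payload: bytes   # first client-to-server bytes after the handshake


# RFC 4253 section 4.2: "SSH-protoversion-softwareversion [SP comments] CR LF",
# printable US-ASCII, whole line at most 255 bytes. Only 2.0 and 1.99 are
# accepted here, which is what a modern detector would expect.
SSH_BANNER = re.compile(rb"^SSH-(?:2\.0|1\.99)-[\x21-\x7e ]{1,250}\r?\n")

# A cleartext HTTP/1.x request line: method, target, version, CR LF.
HTTP_REQUEST_LINE = re.compile(
    rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def classify(flow: Flow) -> str:
    """Label a flow from its first payload bytes, ignoring the port."""
    if SSH_BANNER.match(flow.first_payload):
        return "ssh"
    if HTTP_REQUEST_LINE.match(flow.first_payload):
        return "http"
    return "unknown"


def decide(flow: Flow) -> Tuple[str, str]:
    """Apply a policy in the spirit of the answer above:
    block SSH that shows up on a port other than 22, allow the rest.
    The reason string records what the firewall can and cannot see."""
    app = classify(flow)
    if app == "ssh" and flow.dst_port != 22:
        return ("block", "ssh on non-standard port")
    if app == "ssh":
        # After the banner the transport is encrypted, so an HTTP session
        # carried over an SSH port-forward is indistinguishable from an
        # interactive shell without terminating the SSH session itself.
        return ("allow", "native ssh; tunnelled content is opaque")
    if app == "http":
        return ("allow", "cleartext http; payload is inspectable")
    return ("allow", "unclassified")


# Constructed sample flows (not captured traffic).
FLOW_SSH_22 = Flow(22, b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\r\n")
FLOW_SSH_443 = Flow(443, b"SSH-2.0-OpenSSH_8.2\r\n")
FLOW_HTTP_80 = Flow(80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
# What the firewall sees when HTTP is forwarded through an SSH tunnel on 22:
# exactly the same banner as FLOW_SSH_22, nothing of the inner HTTP request.
FLOW_TUNNELLED_HTTP = Flow(22, b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\r\n")
FLOW_TLS_443 = Flow(443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03")


if __name__ == "__main__":
    for name, flow in [("ssh/22", FLOW_SSH_22), ("ssh/443", FLOW_SSH_443),
                       ("http/80", FLOW_HTTP_80),
                       ("http-over-ssh/22", FLOW_TUNNELLED_HTTP),
                       ("tls/443", FLOW_TLS_443)]:
        print(f"{name:18} -> {classify(flow):8} {decide(flow)}")
```

Running it shows `ssh/443` blocked on content rather than port, `http/80` classified from its request line, and `http-over-ssh/22` producing the same verdict as native SSH, which is the limitation the original question is about.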
