Guys, we have on-premise developers who need to SSH to AWS EC2 VMs. I'd like to do this in a controlled manner. Wondering if McAfee have anything that can proxy these connections so we can terminate SSL and inspect traffic on them?
Hi,
Hope you are doing well.
The best way to pass SSH traffic on MWG is to use the SOCKS proxy (version >7.4.2; configure a new port for this if you want, 1080 by default). With version >= 7.4.2 you will find a "SOCKS Proxy" ruleset in the library.
By default, the SOCKS proxy port is 1080.
Just enable the port under Configuration > Proxies and create a policy for SOCKS traffic by using Common Rules > SOCKS Proxy from the Rule Library.
You can enable the SOCKS proxy by navigating to Configuration -> Appliance -> Proxies -> SOCKS Proxy -> Enable it.
Then, in the Policy tab, you need to import the SOCKS proxy rule set from the library. The SOCKS proxy rule set is present under Common Rules.
Please refer to the link below to learn more about the SOCKS proxy:
Page 90.
It is seen that SSH connections do not work with SSL Scanning enabled, and the filtering possible is at the domain/IP:port level.
Regards
Alok Sarda
In addition to SOCKS tunneling, there is another, simpler way to allow SSH via MWG, using HTTP CONNECT:
Just place this rule above the HTTPS Scanner:
Name:
Allow SSH from 10.20.30.40 to ssh.example.com
Comment:
Rule Criteria:
Connection.IP equals 10.20.30.40 AND
URL.Host equals "ssh.example.com" AND
Command.Name equals "CONNECT"
Action:
Stop Cycle
In PuTTY, configure the HTTP proxy:
[Image: tunneling SSH via McAfee Web Gateway]
Check that the firewall allows outgoing connections from MWG to the destination host via SSH (TCP Port 22 by default).
Be aware that this method has some performance impact compared to the SOCKS method.
To make the rule more secure, you can add basic auth and a port restriction.
You can control it with a whitelist. Just define a list of allowed hosts, and use that along with port 22 to allow or block. You cannot do SSL inspection on this traffic.
url.host is in SSH_LIST and URL.Port equals 22, Stop Cycle
PuTTY allows for proxying of SSH connections. It's fairly straightforward to set up, and no SOCKS proxy is required.
I will concur with the above posters. Just one small caveat. The HTTP will tunnel the SSH using the HTTP CONNECT compatible client (PuTTY, WinSCP, FileZilla). Web Gateway detects the SSH stream as SSL/TLS and will initiate a TLS connection to the remote server (at a minimum to validate the x509 certificate in a Client/Server Hello).
You need to prevent this TLS handshake with a Stop RuleSet rather than a Stop Cycle, so that you are bypassing unless it's true SSH.
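
The checks discussed in this thread (CONNECT to an allow-listed host, port 22, and tunnel content that is really SSH rather than TLS), sketched as an added Python example; it is not from any poster and is not MWG rule syntax. The `SSH_LIST` contents, function names and sample bytes are constructed for illustration.

```python
import re

# Constructed allow-list standing in for the thread's SSH_LIST (hypothetical entry).
SSH_LIST = {"ssh.example.com"}

# RFC 4253 section 4.2: the client opens with "SSH-protoversion-softwareversion".
SSH_IDENT = re.compile(rb"^SSH-(2\.0|1\.99)-[\x21-\x2c\x2e-\x7e]+( [^\r\n]*)?\r?\n")

def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', or None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host.lower(), int(port)

def classify_first_bytes(data):
    """Label the first client bytes inside the tunnel: 'ssh', 'tls' or 'other'."""
    if SSH_IDENT.match(data):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "other"

def decide(request_line, first_bytes):
    """Allow only CONNECT to an allow-listed host on port 22 that carries real SSH."""
    target = parse_connect(request_line)
    if target is None:
        return "block: not a CONNECT request"
    host, port = target
    if host not in SSH_LIST or port != 22:
        return "block: target not allow-listed"
    proto = classify_first_bytes(first_bytes)
    if proto != "ssh":
        return "block: tunnel carries " + proto
    return "allow"

if __name__ == "__main__":
    # Constructed samples: an SSH identification string and a TLS record header.
    samples = [
        ("CONNECT ssh.example.com:22 HTTP/1.1", b"SSH-2.0-PuTTY_Release_0.81\r\n"),
        ("CONNECT ssh.example.com:22 HTTP/1.1", b"\x16\x03\x01\x02\x00\x01"),
        ("CONNECT other.example.net:22 HTTP/1.1", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ]
    for line, data in samples:
        print(line, "->", decide(line, data))
```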