cancel
Showing results for 
Search instead for 
Did you mean: 
feickholt
Level 10

SSl Intercept and SSh

Is there a way to control SSh over SSL?

This mean: deny or permit ssh over ssl for user/groups?

Is there a way to detect SSH over SSl? (maybe for counting?)

Frank

0 Kudos
2 Replies
asabban
Level 17

Re: SSl Intercept and SSh

Hi Frank,

I am not sure if I remember correctly but I did some tests in regards to this in the past.

SSH through MWG (SSL Scanner enabled) will (should) fail as there is no HTTP spoken within the SSL tunnel. MWG will not be able to detect that there is SSH within the SSL tunnel and apply any operations on this.

What could work (I am not sure if this is accurate enough) is looking for the destination port. If you use a HTTPS proxy in PuTTy MWG will see a "CONNECT 192.168.0.1:22". The port 22 should end up in the "URL.Destination.Port" property and should be available before MWG breaks the tunnel. You could do something like this:

1. When the User group is "SSL Allowed"  and URL.Destination.Port is 22 Then call "Stop Rule Set" before Content Inspection is called -> SSH allowed

2. Otherwise call Content Inspection, which will break SSH or simply send a block page if URL.Destination.Port is 22, which will cause PuTTy to fail making the connection

This will of course not help when someone sets up a Web Server which listens on port 22... access will be possible although no SSH is spoken within the tunnel. I don't think we have a way to explicitly allow/deny the protocol.

Best,

Andre

0 Kudos
feickholt
Level 10

Re: SSl Intercept and SSh

Hi Andre,

thanks for your answer.

You are right.SSH over ssl with interception does not work...

You will get an SSL routinesSmiley FrustratedSL23_GET_SERVER_HELLO:unknown protocol error.

I have to allow to intercept ssl traffic only to destination port 443 to get SSH over SSL tunneling working.

So SSH Intercept does not work at all.... :-(

This ends in another problem:

If we enable SSL Intercept we have no clue what applications in place use the SSL Connect function to tunnel its data through the proxy. They will not work any longer.

Do you have any list with application which will not work using SSL interception? (Skype....)

Will the application property help us to find them?

Frank

0 Kudos