2 Replies Latest reply on Dec 18, 2014 4:55 AM by feickholt

    SSl Intercept and SSh

    feickholt

      Is there a way to control SSh over SSL?

       

      This mean: deny or permit ssh over ssl for user/groups?

       

      Is there a way to detect SSH over SSl? (maybe for counting?)

       

      Frank

        • 1. Re: SSl Intercept and SSh
          asabban

          Hi Frank,

           

          I am not sure if I remember correctly but I did some tests in regards to this in the past.

           

          SSH through MWG (SSL Scanner enabled) will (should) fail as there is no HTTP spoken within the SSL tunnel. MWG will not be able to detect that there is SSH within the SSL tunnel and apply any operations on this.

           

          What could work (I am not sure if this is accurate enough) is looking for the destination port. If you use a HTTPS proxy in PuTTy MWG will see a "CONNECT 192.168.0.1:22". The port 22 should end up in the "URL.Destination.Port" property and should be available before MWG breaks the tunnel. You could do something like this:

           

          1. When the User group is "SSL Allowed"  and URL.Destination.Port is 22 Then call "Stop Rule Set" before Content Inspection is called -> SSH allowed

          2. Otherwise call Content Inspection, which will break SSH or simply send a block page if URL.Destination.Port is 22, which will cause PuTTy to fail making the connection

           

          This will of course not help when someone sets up a Web Server which listens on port 22... access will be possible although no SSH is spoken within the tunnel. I don't think we have a way to explicitly allow/deny the protocol.

           

          Best,

          Andre

          • 2. Re: SSl Intercept and SSh
            feickholt

            Hi Andre,

             

            thanks for your answer.

            You are right.SSH over ssl with interception does not work...

            You will get an SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol error.

             

            I have to allow to intercept ssl traffic only to destination port 443 to get SSH over SSL tunneling working.

            So SSH Intercept does not work at all.... :-(

             

            This ends in another problem:

            If we enable SSL Intercept we have no clue what applications in place use the SSL Connect function to tunnel its data through the proxy. They will not work any longer.

             

            Do you have any list with application which will not work using SSL interception? (Skype....)

            Will the application property help us to find them?

             

            Frank