LinuxQuestions.org

Linux - Security: ssh over firewall (http://www.linuxquestions.org/questions/linux-security-4/ssh-over-firewall-4175440261/)

doublequote 12-06-2012 07:26 AM

ssh over firewall
 
Hi all,
I just need your professional opinion regarding the possible threats if the enterprise firewall opens a tunnel for an ssh connection. While I'm traveling, I want to be able to connect to my servers using a mobile ssh client, but the security department in my organization completely disables any type of external connection except VPN.
Do you have an idea what the reason is for such paranoid security??? ssh is very safe as far as I know...

Thanks in advance.

MensaWater 12-06-2012 07:47 AM

If you have vpn into the network why not open up a vpn session then use ssh (e.g. PuTTY) in your vpn protected setup?

Any protocol can be exploited even vpn and ssh. If they've opened up the firewall to allow for vpn why punch another hole in security by also opening ssh?

Those who do use ssh remotely often change to a nonstandard port (e.g. don't use 22) to help obfuscate the availability of ssh.

If your company allows you to create outbound connections, as many do, there ARE ways to set up your own tunnel, but again I'd ask why not go ahead and use the vpn connection?

doublequote 12-06-2012 08:12 AM

Thanks for responding,
I'm talking about the situations when I don't have access to the desktop (while I'm traveling). I don't have the ability to connect to the VPN from my smartphone. This is why I asked if I can use an ssh client application to connect somehow to the server, and got a strictly negative answer...
You also mentioned that "If they've opened up the firewall to allow for vpn why punch another hole in security by also opening ssh?".
This is exactly my question: what is the concern with opening an ssh tunnel???

Thanks!

acid_kewpie 12-06-2012 08:38 AM

Well, all you've said is "ssh" generically. If you are permitting password authentication, then you're open to all sorts of brute force attacks in theory.

Fundamentally, the fewer routes in, the safer. You want to open up a port over which they will have no control? It doesn't sound at all unreasonable to me.
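One way to check the password-authentication point above on your own sshd, as an added example that is not code from the thread: a small POSIX sh audit of an sshd_config for the settings that make an Internet-exposed ssh port brute-forceable (the sample configs it runs on are constructed here, not from any real host).

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings that make an Internet-exposed ssh port a brute-force target
# (password logins, root logins, generous guess limits). Ignores Match
# blocks; on a real host, run it on `sshd -T` output for the effective config.

# sshd_get FILE DIRECTIVE DEFAULT: value of a directive, or DEFAULT when
# absent. First uncommented occurrence wins; names are case-insensitive.
sshd_get() {
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null \
          | head -n 1 | awk '{print $2}')
    if [ -n "$val" ]; then echo "$val"; else echo "$3"; fi
}

# audit_sshd_config FILE: print one line per finding; return 1 if any.
audit_sshd_config() {
    n=0
    if [ "$(sshd_get "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no' (passwords can be guessed remotely)"
        n=$((n + 1))
    fi
    root=$(sshd_get "$1" PermitRootLogin unset)
    if [ "$root" = "yes" ]; then
        echo "WEAK: PermitRootLogin yes (root is the first account guessed)"
        n=$((n + 1))
    elif [ "$root" = "unset" ]; then
        echo "CHECK: PermitRootLogin unset (default depends on OpenSSH version)"
        n=$((n + 1))
    fi
    if [ "$(sshd_get "$1" MaxAuthTries 6)" -gt 3 ]; then
        echo "INFO: MaxAuthTries > 3 (more guesses per connection)"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Demo on two constructed configs: a typical default-ish one, and a
# hardened one (key-only, no root, few tries, moved off port 22).
tmp=$(mktemp -d)
printf 'Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\n' > "$tmp/weak"
printf 'Port 2222\nPubkeyAuthentication yes\nPasswordAuthentication no\nPermitRootLogin no\nMaxAuthTries 3\n' > "$tmp/hard"
for f in weak hard; do
    echo "== $f =="
    audit_sshd_config "$tmp/$f" && echo "no findings"
done
rm -rf "$tmp"
```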

MensaWater 12-06-2012 08:42 AM

The concern is simply to minimize exposure. If you have one port open to the world, that is the only port that can be used as a vector for attack. If you have two ports open, then you've allowed another vector. The first rule of security is to turn off unnecessary services to minimize exposure. As I noted before, any protocol can be exploited (even vpn and ssh) with enough effort. Do a web search for "how to hack ssh" and you'll find many hits. Does this mean ssh is really insecure - no - does it mean you shouldn't open it without a valid need - YES!

If you have a requirement to regularly access the system from locations other than your home then you might want to ask your organization to give you a VPN enabled laptop rather than a desktop.

doublequote 12-06-2012 08:56 AM

Ok, thanks, this makes sense... So I have to carry a VPN-enabled laptop with me...

sundialsvcs 12-06-2012 09:32 AM

In my opinion, your IT department's policy is correct: the gateway to the outside should be VPN. And furthermore, access to that VPN portal should be by means of individually-issued digital certificates, uniquely issued to you by them and therefore uniquely revocable by them.

Within the VPN portal, access to other resources should be as it would be considered appropriate within the building's hard-wired and presumably isolated local network. E.g. if a particular resource is ssh-only accessible within the walls, it should remain so for those who, through VPN, have "come within the walls."

But ssh should not in my opinion be exposed directly to the outside world. Your IT department has a single, centrally managed and centrally manageable, "gateway to the outside world," and that is VPN. No other alternative should exist.

VPN with certificates will enable you, and only you, to obtain access from anywhere. Simply enter the encryption-key for the certificate they gave you, and more-or-less ignore the existence of the encryption layer.

doublequote 12-06-2012 11:35 AM

I agree that opening ssh connectivity to the external world is not safe. Thanks for the explanation. However, carrying the laptop is not always easy and the network is not always available... A few times I found myself thousands of miles away from my servers and was not able to connect and fix some small problems. I needed to instruct somebody over the phone how to log in and what to do, and unfortunately needed to expose sensitive application passwords as well, without the ability to change them until I came back to work...
Maybe the email communication solution that evgenyz wrote about is a good alternative (especially if they provide encrypted communication)?
Again, in 95% of the cases I can establish a VPN connection from the desktop, but I'm talking about the 5% of situations that can be critical...
Thanks anyway!

MensaWater 12-07-2012 08:24 AM

Quote:

Originally Posted by doublequote (Post 4843796)
Ok, thanks, this makes sense... So I have to carry a VPN-enabled laptop with me...

Yes. This is what I've done for years. That doesn't mean I carry it around all the time, but if I'm going to be away from home at some distance or for some extended time I do have the laptop in the trunk of my car, so I'm never more than a few minutes from it.

I'd really hate to have to try to troubleshoot server issues from a smart phone. Not saying it isn't possible but I do believe it would take more effort than I'd want to have to make in the middle of whatever issue caused me to access the server in the first place.

acid_kewpie 12-07-2012 08:44 AM

Note that there are plenty of ways to get a VPN to an insecure machine. Cisco, F5 and many others have vm based solutions which can deliver an entire desktop in jvm form to you via a browser connection. It's just all about playing by the corporate rules.

doublequote 12-07-2012 02:03 PM

Quote:

Originally Posted by MensaWater (Post 4844539)
Yes. This is what I've done for years. That doesn't mean I carry it around all the time, but if I'm going to be away from home at some distance or for some extended time I do have the laptop in the trunk of my car, so I'm never more than a few minutes from it.

I'd really hate to have to try to troubleshoot server issues from a smart phone. Not saying it isn't possible but I do believe it would take more effort than I'd want to have to make in the middle of whatever issue caused me to access the server in the first place.

Yes, but this is more a personal preference than a professional opinion. Personally, I would love to have an option to access the servers from a smart phone. Just as an "extra" option which is nice to have when it's available...

MensaWater 12-10-2012 09:37 AM

You may get it some day. I've heard buzz about BYOD (Bring Your Own Device) in recent months. Once companies realize they can save money by making you provide your own equipment, they may be willing to set up the infrastructure that helps securely allow for it. (Or, more frighteningly, will simply do it without regard to security.)

acid_kewpie 12-10-2012 11:30 AM

Quote:

Originally Posted by MensaWater (Post 4846293)
You may get it some day. I've heard buzz about BYOD (Bring Your Own Device) in recent months. Once companies realize they can save money by making you provide your own equipment, they may be willing to set up the infrastructure that helps securely allow for it. (Or, more frighteningly, will simply do it without regard to security.)

Or rather - "companies read somewhere and then get it into their heads that they can save money". YMMV!
