A show of hands: Do you allow outbound SSH?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> General >> A show of hands: Do you allow outbound SSH? Page: [1]
Login
Message << Older Topic   Newer Topic >>
A show of hands: Do you allow outbound SSH? - 17.Apr.2009 11:35:13 PM   
sketchy00

Posts: 67
Joined: 8.Aug.2008
From: Bellevue, WA
Just wanted to get some feedback as to how many of you allow outbound SSH from your LAN to external domains and hosts. Since deploying my ISA firewall last summer, I do not allow it for all but just a handful of very specific external hosts. I commonly get raked over the coals for it by our Developers, and anyone else who wants to chime in. I've stuck to my guns though, and typically list the many reasons why it usually isn't allowed. Most don't seem to want to acknowledge the things that can be circumvented with SSH (and SSL for that matter, which is why we purchased cleartunnel), so it seems like I'm repeating myself over and over again, all for naught.

I'd love to hear some feedback from all of you experts out there.

_____________________________

- Pete Koehler
Post #: 1
RE: A show of hands: Do you allow outbound SSH? - 18.Apr.2009 2:13:49 AM   
SteveMoffat

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
I'm mostly concerned about incoming rather than outgoing. If someone needs access and has a reasonable reason, then there are no issues.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to sketchy00)
Post #: 2
RE: A show of hands: Do you allow outbound SSH? - 18.Apr.2009 10:39:35 AM   
richardhicks

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Hey there friend! 

From my point of view, if someone needs outbound SSH access and can provide a business requirement for it, I would allow it.  Of course I would restrict access to only those hosts that the user requires access to, not the entire public Internet.  Principle of least privilege!

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to sketchy00)
Post #: 3
RE: A show of hands: Do you allow outbound SSH? - 18.Apr.2009 6:37:34 PM   
Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
quote:

ORIGINAL: richardhicks

Hey there friend! 

From my point of view, if someone needs outbound SSH access and can provide a business requirement for it, I would allow it.  Of course I would restrict access to only those hosts that the user requires access to, not the entire public Internet.  Principle of least privilege!


Ditto, limit source and limit destination as much as possible - SSH (like SSL) is always going to be a good conduit for hiding malicious outbound traffic. Limiting source and destination usage should help reduce the risk, if not mitigate it completely.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to richardhicks)
Post #: 4
RE: A show of hands: Do you allow outbound SSH? - 19.Apr.2009 12:11:26 AM   
richardhicks

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Documenting the access and getting management approval is a good idea as well.  Also, it's a good idea to go back and audit this access periodically.  Review the access logs and if no one has generated traffic on this access rule, go back to the business unit (or developer) and confirm that they still need the access.  Or just disable the rule and they'll complain when they can't connect next time.
(in reply to Jason Jones)
Post #: 5
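The periodic audit Richard describes, as an added example that is not from the thread or from any ISA tooling: a small Python script over a constructed, simplified tab-separated firewall log (hypothetical field layout, not ISA's real log schema) that counts allowed hits per outbound SSH rule inside a review window, lists rules with no traffic as candidates to disable, and lists internal hosts whose SSH attempts were blocked so their owners can be asked whether a rule is actually needed.

```python
from collections import Counter

# Constructed sample log. Fields (hypothetical layout):
#   date  src-ip  dst-ip  dst-port  action  rule-name
SAMPLE_LOG = """\
2009-04-01\t10.0.0.15\t203.0.113.10\t22\tAllowed\tSSH-Dev-to-Hosting
2009-04-03\t10.0.0.15\t203.0.113.10\t22\tAllowed\tSSH-Dev-to-Hosting
2009-04-02\t10.0.0.42\t198.51.100.7\t22\tDenied\tDefault rule
2009-03-01\t10.0.0.20\t192.0.2.5\t22\tAllowed\tSSH-Ops-to-Partner
2009-04-04\t10.0.0.15\t203.0.113.10\t443\tAllowed\tHTTPS-Out
"""

# Hypothetical names of the narrow, per-destination outbound SSH rules.
OUTBOUND_SSH_RULES = ["SSH-Dev-to-Hosting", "SSH-Ops-to-Partner"]


def parse_log(text):
    """Turn the tab-separated log into a list of dicts; skips blank/comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, src, dst, port, action, rule = line.split("\t")
        records.append({"date": day, "src": src, "dst": dst,
                        "port": int(port), "action": action, "rule": rule})
    return records


def rule_hits(records, rules, since):
    """Allowed hits per rule on or after `since` (ISO dates compare as strings)."""
    hits = Counter({rule: 0 for rule in rules})
    for rec in records:
        if rec["rule"] in hits and rec["action"] == "Allowed" and rec["date"] >= since:
            hits[rec["rule"]] += 1
    return hits


def unused_rules(records, rules, since):
    """Rules that saw no allowed traffic in the window: confirm with the owner or disable."""
    return sorted(rule for rule, n in rule_hits(records, rules, since).items() if n == 0)


def denied_ssh_sources(records):
    """Internal hosts that tried SSH (port 22) and were blocked: follow up, don't just open it."""
    return sorted({rec["src"] for rec in records
                   if rec["port"] == 22 and rec["action"] == "Denied"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unused since 2009-03-20:", unused_rules(recs, OUTBOUND_SSH_RULES, "2009-03-20"))
    print("blocked SSH sources:", denied_ssh_sources(recs))
```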
RE: A show of hands: Do you allow outbound SSH? - 19.Apr.2009 6:40:18 AM   
SteveMoffat

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Absolutely agree...
(in reply to richardhicks)
Post #: 6
RE: A show of hands: Do you allow outbound SSH? - 25.Apr.2009 6:26:49 PM   
sketchy00

Posts: 67
Joined: 8.Aug.2008
From: Bellevue, WA
Thanks for everyone's great input on the matter. I will continue to do as some of you suggested: blocking outbound SSH unless there is a specific site that warrants access. So far, so good!

(in reply to sketchy00)
Post #: 7