Posts: 67
Joined: 8.Aug.2008
From: Bellevue, WA
Just wanted to get some feedback as to how many of you allow outbound SSH from your LAN to external domains and hosts. Since deploying my ISA firewall last summer, I have not allowed it to any but a handful of very specific external hosts. I commonly get raked over the coals for it by our developers, and anyone else who wants to chime in. I've stuck to my guns though, and typically list the many reasons why it usually isn't allowed. Most don't seem to want to acknowledge the things that can be circumvented with SSH (and SSL for that matter, which is why we purchased ClearTunnel), so it seems like I'm repeating myself over and over again, all for naught.
I'd love to hear some feedback from all of you experts out there.
Posts: 477
Joined: 20.Jan.2009
From: Southern California
Hey there friend!
From my point of view, if someone needs outbound SSH access and can provide a business requirement for it, I would allow it. Of course I would restrict access to only those hosts that the user requires access to, not the entire public Internet. Principle of least privilege!
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
quote:
ORIGINAL: richardhicks
Hey there friend!
From my point of view, if someone needs outbound SSH access and can provide a business requirement for it, I would allow it. Of course I would restrict access to only those hosts that the user requires access to, not the entire public Internet. Principle of least privilege!
Ditto, limit source and limit destination as much as possible. SSH (like SSL) is always going to be a good conduit for hiding malicious outbound traffic. Limiting source and destination usage should help reduce the risk, if not mitigate it completely.
Posts: 477
Joined: 20.Jan.2009
From: Southern California
Documenting the access and getting management approval is a good idea as well. Also, it's a good idea to go back and audit this access periodically. Review the access logs and if no one has generated traffic on this access rule, go back to the business unit (or developer) and confirm that they still need the access. Or just disable the rule and they'll complain when they can't connect next time.
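The two checks suggested in this thread (keep each outbound SSH rule scoped to a documented source/destination pair, and periodically review the logs for rules nobody is using) can be scripted. The following is an added example, not code from any poster or from ISA Server: it takes an allowlist of approved (source network, destination host) pairs and a batch of firewall log lines, then reports allowed SSH connections that no approved pair covers (a rule that is broader than its approval), allowlist entries with zero traffic in the review window (candidates to re-confirm or disable), and denied SSH attempts that may signal a new request coming. The tab-separated log layout, the rule names, the allowlist and the IP addresses are all constructed for the example; the format is a simplified W3C-style layout, not ISA Server's real log schema.

```python
"""Audit outbound SSH allow rules against firewall logs (constructed example)."""
import ipaddress
from collections import Counter

# Constructed allowlist: (rule name, approved source network, approved destination, approver)
ALLOWLIST = [
    ("dev-repo-host",    "10.1.20.0/24", "192.0.2.80",    "Dev manager"),
    ("ops-colo-bastion", "10.1.5.0/24",  "203.0.113.10",  "Ops manager"),
    ("legacy-vendor",    "10.1.20.0/24", "198.51.100.7",  "Vendor contract"),
]

# Constructed, simplified tab-separated log (not ISA's real schema):
# date, client IP, destination IP, destination port, protocol, action, rule that matched
LOG_LINES = """\
2009-03-02\t10.1.20.15\t192.0.2.80\t22\tTCP\tAllowed\tdev-repo-host
2009-03-02\t10.1.20.15\t192.0.2.80\t22\tTCP\tAllowed\tdev-repo-host
2009-03-03\t10.1.5.9\t203.0.113.10\t22\tTCP\tAllowed\tops-colo-bastion
2009-03-03\t10.1.20.31\t203.0.113.10\t22\tTCP\tAllowed\tops-colo-bastion
2009-03-04\t10.1.20.31\t203.0.113.200\t22\tTCP\tDenied\tDefault rule
2009-03-04\t10.1.20.31\t203.0.113.200\t443\tTCP\tAllowed\tweb-out
"""

FIELDS = ("date", "client_ip", "dest_ip", "dest_port", "protocol", "action", "rule")


def parse_log(text):
    """Parse the constructed tab-separated log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed log line: %r" % line)
        rec = dict(zip(FIELDS, parts))
        rec["dest_port"] = int(rec["dest_port"])
        records.append(rec)
    return records


def ssh_allowed(records):
    """Only the allowed connections to TCP/22."""
    return [r for r in records if r["dest_port"] == 22 and r["action"] == "Allowed"]


def covering_entries(client_ip, dest_ip, allowlist):
    """Names of allowlist entries whose source network and destination cover this pair."""
    client = ipaddress.ip_address(client_ip)
    return [name for name, src_net, dest, _approver in allowlist
            if client in ipaddress.ip_network(src_net) and dest_ip == dest]


def find_unapproved(records, allowlist):
    """Allowed SSH connections that no approved (source, destination) pair covers.

    Each hit means a live firewall rule is broader than the documented approval
    (here the rule's source set is wider than the network that was approved)."""
    seen, out = set(), []
    for r in ssh_allowed(records):
        key = (r["client_ip"], r["dest_ip"], r["rule"])
        if key in seen:
            continue
        seen.add(key)
        if not covering_entries(r["client_ip"], r["dest_ip"], allowlist):
            out.append(key)
    return out


def find_unused_entries(records, allowlist):
    """Allowlist entries with no allowed SSH traffic in the log window."""
    hits = Counter()
    for r in ssh_allowed(records):
        for name in covering_entries(r["client_ip"], r["dest_ip"], allowlist):
            hits[name] += 1
    return [name for name, *_ in allowlist if hits[name] == 0]


def denied_ssh(records):
    """Denied outbound SSH attempts by (client, destination): likely future access requests."""
    return Counter((r["client_ip"], r["dest_ip"]) for r in records
                   if r["dest_port"] == 22 and r["action"] == "Denied")


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    print("SSH allowed outside the approved pairs:", find_unapproved(recs, ALLOWLIST))
    print("Approved entries with no traffic:", find_unused_entries(recs, ALLOWLIST))
    print("Denied SSH attempts:", dict(denied_ssh(recs)))
```

With the constructed data, the ops-colo-bastion rule let a 10.1.20.0/24 client through even though only 10.1.5.0/24 was approved for that bastion, the legacy-vendor entry saw no traffic and should go back to its owner for confirmation, and one host was refused SSH to an address nobody has asked for yet. Run it against a month of real export before each review rather than trusting the rule set on its own.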
Posts: 67
Joined: 8.Aug.2008
From: Bellevue, WA
Thanks for everyone's great input on the matter. I will continue to do as some of you suggested: blocking outbound SSH unless there is a specific site that warrants access. So far, so good!