1 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Prevent SSH Tunneling using NGFW

Yudi Arijanto CISSP, CISM, GWAPT, PCNSE

System Engineer

Diagram

2 | © 2015, Palo Alto Networks. Confidential and Proprietary.

L3-untrust 192.168.55.20/24

L3-trust 192.168.45.20/24

Web-server 192.168.45.65/24

SSH Server 192.168.45.132/24

Win7 client 192.168.55.64/24

Port Forwarding

3 | © 2015, Palo Alto Networks. Confidential and Proprietary.

SSH Client Localhost:8888 SSH Server Web Server

http://192.168.45.65:80

Port 80

ssh tunnel (port 22)

NGFW

Win7 – SSH Client

4 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Setup SSH Tunneling using Putty.exe

5 | © 2015, Palo Alto Networks. Confidential and Proprietary.

SSH warning!

6 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Tunnel is ready! Localhost listening on port 8888

7 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Access remote web server through SSH

8 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Network Connection in Win7

9 | © 2015, Palo Alto Networks. Confidential and Proprietary.

NGFW Traffic Logs

10 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Now, we want to block ssh-tunnel

11 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Security Policy

12 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Decryption Policy

We allow only ssh app-id

Remote access to web server using SSH tunneling is blocked !

13 | © 2015, Palo Alto Networks. Confidential and Proprietary.

NGFW Traffic Logs

14 | © 2015, Palo Alto Networks. Confidential and Proprietary.

15 | © 2015, Palo Alto Networks. Confidential and Proprietary.