1 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Prevent SSH Tunneling using NGFW
Yudi Arijanto CISSP, CISM, GWAPT, PCNSE
System Engineer
Diagram
L3-untrust 192.168.55.20/24
L3-trust 192.168.45.20/24
Web-server 192.168.45.65/24
SSH Server 192.168.45.132/24
Win7 client 192.168.55.64/24
Port Forwarding
SSH Client (localhost:8888) -- ssh tunnel (port 22), through NGFW --> SSH Server -- port 80 --> Web Server (http://192.168.45.65:80)
Win7 – SSH Client
Set up SSH Tunneling using Putty.exe
SSH warning!
Tunnel is ready! Localhost listening on port 8888
Access remote web server through SSH
Network Connection in Win7
NGFW Traffic Logs
Now, we want to block ssh-tunnel
Security Policy
Decryption Policy
We allow only the ssh App-ID
Remote access to the web server using SSH tunneling is blocked!
NGFW Traffic Logs