
Should I allow SSH tunneling connections through the firewall?

Allowing users to tunnel through a firewall to access any site creates a security risk. How big of a risk is it? It depends on how much you trust your users.

Whether or not to allow SSH tunneling depends on the amount of risk one is willing to tolerate. I advise against it.

Savvy end users like to work over secure shell (SSH) tunnels when firewall rules get in the way of a remote service they want to reach. Sometimes a user chooses SSH tunneling when working from a public Wi-Fi network, such as those in hotels and coffee shops. One can never be certain of the encryption, if any, used on a public network or of the network's overall security, and an SSH tunnel gives the end user an extra layer of encryption between the laptop and a host the user trusts.

In many cases, tunneling occurs without the system administrator's knowledge, but you ask whether to explicitly allow it. This depends on your level of risk tolerance. If you allow tunneling, some end users will use it to bypass the policy the firewall is there to enforce. I don't recommend this, and here's why:

Let's assume that an end user wants to reach a specific site -- for this example, explicitsite.com -- but the site is blocked at the firewall. A traditional SSH tunnel, which uses local port forwarding, opens an SSH session to a server the user controls outside the local area network, and therefore beyond the reach of the local firewall. This presumes that outbound SSH is allowed through the firewall. With that session as the carrier, the user tells the local SSH client to listen on a local port and forward it through the remote box with the following command:

$ ssh -L 7777:explicitsite.com:80 user@example.com

This makes the SSH client listen on port 7777 on the user's own machine. Every connection to that port is carried inside the encrypted SSH session to example.com, and the SSH server on example.com then opens the onward connection to explicitsite.com:80 (it also resolves that hostname itself). At this point, the user just opens a browser on their local machine and navigates to http://localhost:7777.

What's the harm in this? The security or systems administrator has no way to see which site the user is actually reaching: all that appears in a packet capture or the firewall logs is an SSH connection from the user's machine to example.com, and because the remote server does the name lookup, not even the internal DNS logs record explicitsite.com. No record of the blocked site exists anywhere on your network. Swap -L for -D and the same session becomes a SOCKS proxy through which the browser can reach any site at all.
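To make the visibility problem concrete, here is an added example (my own, not code from the original article) of the check an administrator actually can run: a detection pass over firewall connection-summary lines that flags outbound SSH to hosts nobody approved, plus long-lived or high-volume flows on non-web ports, which is what a busy tunnel looks like even when SSH runs on a port other than 22. The log format, the addresses, the approved jump host 203.0.113.10 and the thresholds are all constructed assumptions. Note what the output cannot contain: explicitsite.com never appears, because that name never crosses the firewall.

```python
"""Flag outbound flows that could be carrying an SSH tunnel.

Added example, not from the original article. The log line format, the
addresses, the approved-host list and the thresholds are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed sample data in a hypothetical connection-summary format:
# "<ts> <action> TCP <src>:<sport> -> <dst>:<dport> bytes=<n> dur=<secs>".
SAMPLE_LOG = """\
2016-11-03T09:12:01 ACCEPT TCP 10.0.5.23:51644 -> 203.0.113.10:22 bytes=1834 dur=4
2016-11-03T09:14:30 ACCEPT TCP 10.0.5.23:51702 -> 198.51.100.7:22 bytes=48211034 dur=5400
2016-11-03T09:20:11 ACCEPT TCP 10.0.5.41:49221 -> 198.51.100.9:443 bytes=90233 dur=12
2016-11-03T09:25:44 ACCEPT TCP 10.0.5.23:51810 -> 192.0.2.44:2222 bytes=2211090 dur=1900
2016-11-03T10:01:02 ACCEPT TCP 10.0.5.60:50101 -> 203.0.113.10:22 bytes=5120 dur=30
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+) dur=(?P<dur>\d+)$"
)

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal range
# Hypothetical: the one external SSH host the organisation has sanctioned.
APPROVED_SSH_HOSTS = {ip_address("203.0.113.10")}
WEB_PORTS = {80, 443}                         # ordinary browsing, not flagged
LONG_SESSION_SECS = 600                       # interactive shells are usually short
BULK_BYTES = 1_000_000                        # a forwarded browser session is not


@dataclass
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    nbytes: int
    dur: int


def parse_log(text: str) -> list:
    """Parse accepted TCP flows; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue
        flows.append(Flow(m["ts"], ip_address(m["src"]), ip_address(m["dst"]),
                          int(m["dport"]), int(m["bytes"]), int(m["dur"])))
    return flows


def classify(flow: Flow) -> list:
    """Return the reasons this flow looks like a tunnel, or [] if it does not."""
    if flow.src not in INTERNAL or flow.dst in INTERNAL:
        return []                              # only outbound flows matter here
    reasons = []
    if flow.dport == 22 and flow.dst not in APPROVED_SSH_HOSTS:
        reasons.append("ssh to unapproved external host")
    bulky = flow.dur >= LONG_SESSION_SECS or flow.nbytes >= BULK_BYTES
    if bulky and flow.dport not in WEB_PORTS and flow.dst not in APPROVED_SSH_HOSTS:
        # Catches SSH on a nonstandard port, which the port-22 rule misses.
        reasons.append("long-lived or high-volume flow on non-web port")
    return reasons


def find_tunnel_candidates(text: str) -> list:
    """(timestamp, source, 'dst:port', reasons) for every suspicious flow."""
    findings = []
    for flow in parse_log(text):
        reasons = classify(flow)
        if reasons:
            findings.append((flow.ts, str(flow.src), f"{flow.dst}:{flow.dport}", reasons))
    return findings


if __name__ == "__main__":
    for ts, src, dst, reasons in find_tunnel_candidates(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: {'; '.join(reasons)}")
```

Run against the sample, the two sessions to the approved jump host pass, the HTTPS flow passes, the 90-minute session to 198.51.100.7:22 is flagged on both rules, and the session to 192.0.2.44:2222 is caught only by the volume rule. The destination the user is really browsing is not in the findings and cannot be; the most this check tells you is where to go ask questions.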

Allowing SSH tunneling comes with significant risk to the network. However, if system administrators are certain that the individuals performing these functions are trustworthy, and the tunneling enables them to perform their duties more easily and safely, consider allowing it case by case: permit outbound SSH for named users to named destination hosts rather than opening it to everyone and everywhere, so that the one thing the logs do show, the SSH connection itself, still means something.


This was last published in November 2016
