kantver - Fotolia
Whether or not to allow SSH tunneling depends on the amount of risk one is willing to tolerate. I advise against it.
Savvy end users like to conduct operations via secure shell (SSH) tunneling when firewall rules hinder their access to various remote services. Sometimes a user chooses SSH tunneling when conducting operations from a publicly available Wi-Fi network, such as those located in hotels and coffee shops. One can never be too certain of the encryption level utilized on a public network or of the network's overall security, and SSH tunneling provides the end user an extra layer of encryption.
In many cases, tunneling occurs without the system administrator's knowledge, but you ask whether to explicitly allow it. This depends on your level of risk tolerance. If you allow tunneling, certain end users will perform operations that subvert the firewall infrastructure. I don't recommend this, and here's why:
Let's assume that an end user is attempting to access an explicit site -- for this example, explicitsite.com -- but the site is blocked at the firewall. A traditional SSH tunnel, which uses local port forwarding, connects to a remotely located server outside of the local area network, and therefore beyond the reach of the local firewall, via SSH. This presumes that SSH is capable of passing through the firewall. With the firewall no longer a roadblock, the user configures a remotely located box to forward a local port via the following command:
$ ssh -L 7777:explicitsite.com:80 [email protected]
This tells the remotely located SSH server to forward the local port, or server port, to explicitsite.com:80. At this point, the user just opens a browser on their local machine, and navigates to http://localhost:7777.
What's the harm in this? There is no way for the security or systems administrator to keep track of which site the user is actually accessing; all that appears in a packet capture or the firewall logs is an SSH connection to the remotely located server. No record of the explicit site is available.
Allowing SSH tunneling comes with significant risk to the network. However, if system administrators are certain that the individuals performing these functions are trustworthy and the tunneling enables them to perform their duties more easily and safely, consider allowing it as needed.
An in-depth look at enterprise VPN options
Employees ignore policy, and other upsetting security trends
Network access control: Because it could happen to you
Dig Deeper on IT Log Management and Reporting
Related Q&A from Brad Casey
Our IT organization needs to secure customer names, but also needs to conduct searches on the entire customer database to match and merge records. Continue Reading
Don't treat physical and virtual machines' security differently. Since VM security issues threaten the whole infrastructure, here's how to stop ... Continue Reading
I have only seen companies deploy a NetBackup master server on a physical server. Are there any drawbacks to using a VM as a NetBackup master server? Continue Reading