I just saw an option in Fortinet NGFW regarding, SSH Deep Inspection. So my question is how Deep inspection or whatever can inspect or find any malicious activity on encrypted packets?
Asked
Active
Viewed 3,737 times
1 Answers
7
I'm not familiar exactly with what Fortinet offers and how they've implemented it. But in general SSH deep inspection is similar to SSL deep inspection: it does a man in the middle "attack" where the endpoint trusts the certificate or key provided by the inspection appliance. Same as in SSL inspection the original server key can not be used with the client (since the matching private key is only known to the server) but a fixed or dynamically generated key will be used instead. With SSL it is usually enough to add trust for the proxy CA to all clients in order to accept all generated certificates. But since SSH is commonly used without certificates and without PKI one needs to trust each server key directly. This is true SSH with and without SSH inspection, but with SSH inspection you cannot any longer use the original servers fingerprint to check if you got the correct key.
As for what you can do with such deep inspection: Looking at Fortinet: SSL/SSH inspection it seems to be that they support allowing or blocking shell access, executing programs, using X11 and using port forwarding through SSH. Other firewalls can also restrict access to subsystems (i.e. block sftp) or provide a more granular policy for which commands can be executed over SSH and which not.
Steffen Ullrich
- 184,332
- 29
- 363
- 424
-
I know this is off-topic, but do you know what other firewalls implement this? https://softwarerecs.stackexchange.com/questions/50149/an-open-source-firewall-or-library-capable-of-doing-deep-ssh-inspection – user27636 May 14 '18 at 13:25
-
@user27636: The question you refer to asks about open source firewalls and I'm not aware of any which support SSH interception. But there are commercial firewalls apart from Fortinet which support this. – Steffen Ullrich May 14 '18 at 15:25