Meddane
VIP

SSH Tunneling, or SSH Port Forwarding, is a technique for sending data over an existing SSH connection. For example, a corporate network has an internal web server that is not accessible from the Internet, and you want to access internal resources securely. SSH Tunneling allows external users to use the encrypted SSH tunnel to send web traffic to the internal server. Basically, you send non-SSH traffic over the SSH tunnel, which is why it is referred to as SSH Tunneling: you tunnel non-SSH traffic inside an SSH tunnel.

By analogy, a remote access VPN follows the same logic.

A remote access VPN securely connects external users to internal resources through a VPN Gateway, which can be a firewall or a router.

External PC <-> VPN Gateway <-> Internal Web Server.

SSH Tunneling works the same way.

External PC <-> SSH Server <-> Internal Web Server.

The SSH Server will act like a VPN Gateway.

Let's take an example using the PuTTY application.

In this topology, we have a web server in the internal network that is not accessible from the Internet, an SSH Server that is accessible from the Internet (using, for example, a static NAT), and an external client located in the outside world.

topo.png

 

The goal is to allow the external client to reach the web server through the SSH Server.

So first, open the PuTTY application to access the command line of the SSH Server 192.168.1.61.

 

Meddane_0-1705529383365.png

In the Tunnels field, you enter the destination IP address of the web server 10.1.6.150 and the port it listens on.

In the Source Port field select any port you desire, for example 8888.

 

Meddane_1-1705529383368.jpeg

Meddane_2-1705529383373.jpeg

As the first step, when you click the Open button, you connect to the SSH Server.

 

Meddane_3-1705529383385.jpeg

But in the background, when you type 127.0.0.1:8888 in the web browser on the external client, the connection is forwarded through the SSH tunnel to the web server 10.1.6.150. Below are the SSH Server and the netstat output.

 

Meddane_4-1705529383391.jpeg

 

Meddane_5-1705529383394.jpeg

 

Meddane_6-1705529383405.jpeg

But there are security risks with SSH Tunneling. If you allow SSH using port-based filtering on the standard port 22, bad actors can use SSH Port Forwarding as an evasion technique to send non-SSH traffic inside the SSH tunnel, which increases the attack surface because any application can use an open port.

When port-based filtering is used to allow the standard SSH port, any application, SSH or not, is allowed. So what if there is a threat or a non-legitimate connection to your internal resources inside the SSH tunnel? This is why it is always recommended to create policy rules based on application, not port.

So when you use the SSH application as a matching criterion in your policy rule to allow SSH, any application that is not identified as SSH is blocked, denying any attempt to do SSH Port Forwarding; you therefore reduce the attack surface.
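
A server-side check that complements the policy advice above, as an added example that is not part of the original article: assuming the SSH Server runs OpenSSH, this script reads `sshd_config` text and reports, for the global section and each `Match` block, whether client-initiated forwarding such as the 8888 to 10.1.6.150 tunnel is disabled, restricted, or unrestricted. The sample configuration, the user names and the destination port 80 are constructed for illustration.

```python
# Added example (not from the article): audit sshd_config for local TCP forwarding.
# Assumes OpenSSH; parsing is simplified (no Include files, no quoted arguments).
DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}  # OpenSSH defaults

# Constructed sample; the user names and port 80 are hypothetical.
SAMPLE_CONFIG = """\
Port 22
AllowTcpForwarding no
Match User webadmin
    AllowTcpForwarding local
    PermitOpen 10.1.6.150:80
Match User contractor
    AllowTcpForwarding yes
"""

def parse_sshd_config(text):
    """Return {scope: {keyword: value}}; scope is 'global' or a Match line."""
    scopes, scope = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                # keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            scope = "Match " + value
            scopes.setdefault(scope, {})
        else:
            scopes[scope].setdefault(key, value)  # first value obtained wins
    return scopes

def audit_forwarding(text):
    """Map each scope to a verdict on client-initiated (-L style) forwarding."""
    scopes = parse_sshd_config(text)
    base = scopes["global"]
    verdicts = {}
    for scope, own in scopes.items():
        # A Match block overrides the global section; unset keywords inherit.
        eff = {k: own.get(k, base.get(k, d)).lower() for k, d in DEFAULTS.items()}
        if eff["allowtcpforwarding"] in ("no", "remote") or eff["permitopen"] == "none":
            verdicts[scope] = "disabled"
        elif eff["permitopen"] == "any":
            verdicts[scope] = "unrestricted"
        else:
            verdicts[scope] = "restricted to " + eff["permitopen"]
    return verdicts

if __name__ == "__main__":
    for scope, verdict in audit_forwarding(SAMPLE_CONFIG).items():
        print(f"{scope}: {verdict}")
```

The `sshd_config` manual notes that disabling forwarding does not improve security unless users are also denied shell access, since they can install their own forwarders.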

Comments
WayneF11
Level 1

Thanks for sharing this with us. It's so interesting and informative. aarp membership benefits
