02-19-2020 08:49 AM - edited 02-19-2020 08:50 AM
We have a server in our DMZ that is allowing from the internet the SSH application via our Palo Alto firewall. The server in the DMZ is very well locked down and the application on the server that facilitates the SSH session is a highly rated 3rd party application that allows vendors to connect to servers in your network. I've read and heard how safe\unsafe SSH is, but I cant find anything that makes itr seem to me any less safe than ipsec vpn or https.
Any thoughts?
Also, I see that the applications for SSH the security rule include:
SSH
SSH-Tunnel
Is there a preference?
Thanks.
02-19-2020 09:26 AM
"Is it safe" is going to be a relative term. I would say it's going to depend on what source on the Internet can come to to SSH to a device in your DMZ.
If your security rule for your DMZ defines a specific source object from the Internet can use the SSH application to SSH to your DMZ server I would say it's safe to allow provided you're using threat signatures. I would also probably try to establish SSH tunnel decryption for this rule, but that would depend on how much you trust the source devices on the Internet.
02-19-2020 09:26 AM
"Is it safe" is going to be a relative term. I would say it's going to depend on what source on the Internet can come to to SSH to a device in your DMZ.
If your security rule for your DMZ defines a specific source object from the Internet can use the SSH application to SSH to your DMZ server I would say it's safe to allow provided you're using threat signatures. I would also probably try to establish SSH tunnel decryption for this rule, but that would depend on how much you trust the source devices on the Internet.
02-19-2020 09:47 AM
Hello,
I agree with @Brandon_Wertz , it depends on the source. With that said, i would create a whitelist that allows only known good trusted sources to access. This would be by IP address, DNS name, etc. Do no do it by Country/region.
Remember, if its accessible from the internet, its going to be probed/scanned, and someone will try to break into it.
Caution is warranted in the case.
Regards,
02-19-2020 10:58 AM
I agree with the above statements that the safety is relative. In addition to whitelisting the vendor/partner IPs, and dropping others as mentioned, consider using a vulnerability protection security profile on your security policy to help protect against brute force attacks.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
