Is it safe to allow SSH from internet to DMZ?

Reply
Highlighted
L1 Bithead

Is it safe to allow SSH from internet to DMZ?

We have a server in our DMZ that is allowing from the internet the SSH application via our Palo Alto firewall. The server in the DMZ is very well locked down and the application on the server that facilitates the SSH session is a highly rated 3rd party application that allows vendors to connect to servers in your network. I've read and heard how safe\unsafe SSH is, but I cant find anything that makes itr seem to me any less safe than ipsec vpn or https.

Any thoughts?

Also, I see that the applications for SSH the security rule include:

SSH

SSH-Tunnel

Is there a preference?

 

Thanks.


Accepted Solutions
Highlighted
Cyber Elite

Re: Is it safe to allow SSH from internet to DMZ?

"Is it safe" is going to be a relative term.  I would say it's going to depend on what source on the Internet can come to to SSH to a device in your DMZ.  

 

If your security rule for your DMZ defines a specific source object from the Internet can use the SSH application to SSH to your DMZ server I would say it's safe to allow provided you're using threat signatures.  I would also probably try to establish SSH tunnel decryption for this rule, but that would depend on how much you trust the source devices on the Internet.

View solution in original post


All Replies
Highlighted
Cyber Elite

Re: Is it safe to allow SSH from internet to DMZ?

"Is it safe" is going to be a relative term.  I would say it's going to depend on what source on the Internet can come to to SSH to a device in your DMZ.  

 

If your security rule for your DMZ defines a specific source object from the Internet can use the SSH application to SSH to your DMZ server I would say it's safe to allow provided you're using threat signatures.  I would also probably try to establish SSH tunnel decryption for this rule, but that would depend on how much you trust the source devices on the Internet.

View solution in original post

Highlighted
Cyber Elite

Re: Is it safe to allow SSH from internet to DMZ?

Hello,

I agree with @Brandon_Wertz , it depends on the source. With that said, i would create a whitelist that allows only known good trusted sources to access. This would be by IP address, DNS name, etc. Do no do it by Country/region.

 

Remember, if its accessible from the internet, its going to be probed/scanned, and someone will try to break into it.

 

Caution is warranted in the case.

 

Regards,

Highlighted
L4 Transporter

Re: Is it safe to allow SSH from internet to DMZ?

I agree with the above statements that the safety is relative.  In addition to whitelisting the vendor/partner IPs, and dropping others as mentioned, consider using a vulnerability protection security profile on your security policy to help protect against brute force attacks.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!