Is it safe to allow SSH from internet to DMZ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Is it safe to allow SSH from internet to DMZ?

We have a server in our DMZ that is allowing from the internet the SSH application via our Palo Alto firewall. The server in the DMZ is very well locked down and the application on the server that facilitates the SSH session is a highly rated 3rd party application that allows vendors to connect to servers in your network. I've read and heard how safe\unsafe SSH is, but I cant find anything that makes itr seem to me any less safe than ipsec vpn or https.

Any thoughts?

Also, I see that the applications for SSH the security rule include:

SSH

SSH-Tunnel

Is there a preference?

 

Thanks.

1 accepted solution

Accepted Solutions

L6 Presenter

"Is it safe" is going to be a relative term.  I would say it's going to depend on what source on the Internet can come to to SSH to a device in your DMZ.  

 

If your security rule for your DMZ defines a specific source object from the Internet can use the SSH application to SSH to your DMZ server I would say it's safe to allow provided you're using threat signatures.  I would also probably try to establish SSH tunnel decryption for this rule, but that would depend on how much you trust the source devices on the Internet.

View solution in original post

3 REPLIES 3

L6 Presenter

"Is it safe" is going to be a relative term.  I would say it's going to depend on what source on the Internet can come to to SSH to a device in your DMZ.  

 

If your security rule for your DMZ defines a specific source object from the Internet can use the SSH application to SSH to your DMZ server I would say it's safe to allow provided you're using threat signatures.  I would also probably try to establish SSH tunnel decryption for this rule, but that would depend on how much you trust the source devices on the Internet.

Hello,

I agree with @Brandon_Wertz , it depends on the source. With that said, i would create a whitelist that allows only known good trusted sources to access. This would be by IP address, DNS name, etc. Do no do it by Country/region.

 

Remember, if its accessible from the internet, its going to be probed/scanned, and someone will try to break into it.

 

Caution is warranted in the case.

 

Regards,

L4 Transporter

I agree with the above statements that the safety is relative.  In addition to whitelisting the vendor/partner IPs, and dropping others as mentioned, consider using a vulnerability protection security profile on your security policy to help protect against brute force attacks.

  • 1 accepted solution
  • 5582 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!