Firewalling! How can you stop a ssh tunnel?

Soldato, joined 22 Dec 2008, 10,369 posts, England
Say you have a computer acting as a gateway to the internet. Someone on the local network has root access to a (his) computer, and to a computer on the other side of the gateway.

You've implemented a cheerfully draconian approach to security. Say a "no porn" or "no pirate bay" stance, in UK Government fashion. Unfortunately for you as the gateway owner, everyone with access to Google has come across VPN and ssh tunnels. How can you restrict traffic despite these?

I'm drawing a blank. Routing http(s) traffic over ssh on whatever port you like is trivial. The next level up is forcing everything through a http proxy, in which case corkscrew or similar efforts route ssh through the proxy.

I think the only option is to plead with the user to obey your policies and try to ignore those who don't. However I'm very much a novice with networking and would like to know whether blocking websites hosted in other countries is technically feasible despite the above. Any thoughts?
 
You most likely need two security tools to successfully stop this access.
The firewall should be set up to block VPN ports outbound from users and only allow http/https out from your proxy. A good proxy like Bluecoat, for example, can identify tunnelling applications (non-legit http/https traffic) and deny the access.
All depends how much money you have to spend.
You may be able to do this with Untangle if you are looking for a free option.
 
Snort might be able to distinguish https from ssh on the same port, but I can't find anything suggesting this is the case. I can't recall anything in the config files suggesting it would be capable of this either.

Corkscrew walks through bluecoat just as happily as it walks through other proxies, link.

I'm interested in technical feasibility here, not in the relative merits of iptables and packet filter. A proof of concept hack would be fine. Google primarily throws up "look how easy it is to break through firewalls, lolz".
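On the "is it technically feasible" question, here is a toy of the check a proxy or application-aware firewall performs, added as an illustration and not code from anyone in this thread or from any named vendor. It looks at the first bytes a client sends on a connection: an SSH session opens with a plaintext "SSH-2.0-" banner, a real HTTPS session opens with a TLS ClientHello record, and a CONNECT tunnel through a proxy (the corkscrew case) can be inspected the same way once the proxy has replied 200. Function names and the sample ClientHello builder are my own assumptions; all inputs are constructed inline. The caveat is that this only catches tunnels that speak SSH directly on the wire; SSH wrapped inside genuine TLS looks like HTTPS at this layer and needs the TLS interception described later in the thread.

```python
"""Constructed example: classify the first client bytes of an outbound stream.

Illustrative only; the heuristics below mirror what commercial proxies do at
the start of a session, not any particular product's implementation.
"""
import re

SSH_BANNER = re.compile(rb"^SSH-(1\.99|2\.0)-")
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
CONNECT_REQUEST = re.compile(rb"^CONNECT (?P<host>[^:\s]+):(?P<port>\d+) HTTP/1\.[01]\r\n")


def classify_first_bytes(payload: bytes) -> str:
    """Return 'tls-client-hello', 'ssh', 'http' or 'unknown' for the first bytes sent."""
    # TLS record: content type 0x16 (handshake), version 0x03 0x0X, handshake type 0x01 (ClientHello)
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls-client-hello"
    if SSH_BANNER.match(payload):
        return "ssh"
    if HTTP_REQUEST.match(payload):
        return "http"
    return "unknown"


def extract_sni(payload: bytes):
    """Walk a ClientHello and return the server_name (SNI) extension value, or None."""
    if classify_first_bytes(payload) != "tls-client-hello":
        return None
    try:
        p = 5 + 4 + 2 + 32                       # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                      # session id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")   # cipher suites
        p += 1 + payload[p]                      # compression methods
        end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(payload[p:p + 2], "big")
            elen = int.from_bytes(payload[p + 2:p + 4], "big")
            p += 4
            if etype == 0:                       # server_name extension
                q = p + 2                        # skip the 2-byte list length
                if payload[q] == 0:              # name type 0 = host_name
                    nlen = int.from_bytes(payload[q + 1:q + 3], "big")
                    return payload[q + 3:q + 3 + nlen].decode("ascii", "replace")
            p += elen
    except IndexError:
        return None                              # truncated or malformed hello
    return None


def egress_decision(first_client_bytes: bytes):
    """Policy: only a TLS ClientHello carrying an SNI is allowed out on 443."""
    kind = classify_first_bytes(first_client_bytes)
    if kind == "tls-client-hello":
        sni = extract_sni(first_client_bytes)
        return ("allow", sni) if sni else ("deny", "tls-client-hello without sni")
    return ("deny", kind)


def inspect_connect_session(connect_request: bytes, first_bytes_after_200: bytes):
    """Proxy-side check: CONNECT must target 443, and the tunnelled bytes must be TLS."""
    m = CONNECT_REQUEST.match(connect_request)
    if not m:
        return ("deny", "not a CONNECT request")
    port = int(m.group("port"))
    if port != 443:
        return ("deny", f"connect target port {port} is not 443")
    return egress_decision(first_bytes_after_200)


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello with an SNI extension (test input only)."""
    host = server_name.encode()
    sni_entry = b"\x00" + len(host).to_bytes(2, "big") + host
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + bytes(32)             # version + (zeroed) random
            + b"\x00"                            # empty session id
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # null compression
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    # Constructed sessions: plain SSH on 443, real HTTPS, and SSH smuggled through CONNECT.
    print(egress_decision(b"SSH-2.0-OpenSSH_9.3\r\n"))
    print(egress_decision(build_client_hello("example.com")))
    print(inspect_connect_session(b"CONNECT host.example:443 HTTP/1.1\r\n\r\n",
                                  b"SSH-2.0-OpenSSH_9.3\r\n"))
```

The same first-bytes rule applied at the proxy is what makes corkscrew-style tunnels visible: the CONNECT itself is legitimate, but the first thing the client sends through it is an SSH banner rather than a ClientHello.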
 
I think you need a firewall which can inspect applications and also ssl decryption. We use Palo Alto firewalls for this sort of thing at work, but I believe most modern firewall vendors have similar features.

Basically it works by decrypting the ssh packet (the clients need to trust a certificate that is installed on the firewall) and it is then able to inspect the actual application, so you're able to block the ssh tunnel application or allow web traffic.
 
I think you need a firewall which can inspect applications and also ssl decryption. We use Palo Alto firewalls for this sort of thing at work, but I believe most modern firewall vendors have similar features.

Basically it works by decrypting the ssh packet (the clients need to trust a certificate that is installed on the firewall) and it is then able to inspect the actual application, so you're able to block the ssh tunnel application or allow web traffic.

This. Plus of course you need to ensure that your outbound rule base is only allowing connections from the relevant source. If you use a proxy, only allow that outbound on 443. If people don't need SSH out, block it.

- GP
 