Time: 54 minutes
Difficulty: Beginner

Video Description

Preventing SSH Tunneling of unwanted traffic while simultaneously allowing normal SSH sessions can be difficult. Enabling SSH decryption exposes SSH Tunneling within SSH sessions to the Palo Alto Networks Security Policy such that it is easy to differentiate between the two types of traffic. This tutorial video highlights both the problem and the solution.

Video Transcription

00:09
Hi, I'm John.
00:11
Today we're going to take a look at how to set up SSH decryption to block malicious SSH tunnels.
00:18
When we first open the firewall, we see that we have a rule called Deny Social Media.
00:23
As we hover over and look at the values, we can see we're blocking applications like Facebook and other social media sites.
00:30
Okay, so then
00:31
we have a user, a Windows 7 user,
00:34
showing from my VM
00:36
who decides to go ahead and browse to Facebook.
00:39
You see him open up and try to go to Facebook,
00:42
and it's reset.
00:44
Sure enough, we go back and look at the firewall log, and it's been reset because of policy deny.
00:56
So now the user thinks he's really clever. He's smart: he's gonna go back and he's gonna close Chrome. He's gonna open up PuTTY to a Linux box, and I'll show you how it's configured to have an SSH tunnel forwarding port 1024 to this Linux box.
01:11
So now he logs in, and all he has to do is build, or open, the SSH session.
01:18
Then in Firefox, you can configure a SOCKS proxy that leverages localhost 1024, or whatever port you configure, such that all browsing will now traverse the SSH tunnel.
01:30
So now the users are bypassing the firewall rule, which is a bad thing.
01:36
So now the firewall administrator, looking at the log, sees there's an SSH session.
01:42
Let's go ahead and create an SSH decryption policy rule to open up that SSH session and see if, by chance, it contains an SSH tunnel.
01:52
If it does, we can block the SSH tunnel, now that the SSH session has been decrypted, using a security policy rule that blocks the SSH tunnel.
02:01
So first we create the policy rule,
02:05
then we go ahead and create our security policy rule to block the SSH tunnel, just like you would in the other security policy rule.
02:13
So this will just take a second
02:28
after that, make sure it's in the right order
02:30
and commit
02:32
Now, because of session rematch, we shouldn't need to close the user sessions. They'll automatically close, but I went ahead and closed them myself: (a) to buy time while the commit happens, and (b) to show that once a fresh connection happens, it fails quickly, instead of waiting for the pre-existing session to time out.
02:51
Now, normally, session rematch would have blocked it. But for the sake of the demo, I went ahead and closed and reopened it.
02:59
So now we're reopening it, logging in,
03:01
session's open.
03:02
Let's go ahead and fire up Firefox.
03:06
And what do we see?
03:10
We're typing facebook.com,
03:13
and it's just going to continue to spin. Why?
03:16
Because it's being blocked,
03:19
so we can see the SSH tunnel is being denied by my security policy rule. So that's it.
03:24
That's how SSH decryption works, and that's how SSH tunnels can be blocked.