Today we're going to take a look at how to set up SSH decryption to block a malicious SSH tunnel.
When we first open the firewall, we see that we have a rule called Deny Social Media.
As we hover over and look at the values, we can see we're blocking applications like Facebook and other social media sites.
We have a user, a Windows 7 user, who decides to go ahead and browse to Facebook.
You see him open up and try to go to Facebook.
Sure enough, we go back and look at the firewall log, and it's been reset because of policy deny.
So now the user thinks he's really clever. He's smart; he's gonna go back and he's gonna close Chrome. He's gonna open up PuTTY to a Linux box, and I'll show you how it's configured to have an SSH tunnel forwarding port 1024 to this Linux box.
So now he logs in, and all he has to do is build or open the SSH session.
Then in Firefox, you can configure a SOCKS proxy that leverages localhost 1024, or whatever port you configure, such that all browsing will now traverse the SSH tunnel.
So now the user is bypassing the firewall rule, which is a bad thing.
So now the firewall administrator, looking at the log, sees there's an SSH session.
Let's go ahead and create an SSH decryption policy rule to open up that SSH session and see if, by chance, it contains an SSH tunnel.
If it does, we can block the SSH tunnel, now that the SSH session has been decrypted, using a security policy rule that blocks SSH tunnel.
So first we create the policy rule,
then we go ahead and create our security policy rule to block the SSH tunnel, just like you would with the other security policy rule.
So this will just take a second.
After that, make sure it's in the right order.
Now, because of session rematch, we shouldn't need to close the user's sessions; they'll automatically close. But I went ahead and closed them myself, (a) to buy time while the commit happens and (b) to show that once a fresh connection happens, it fails quickly instead of waiting for the pre-existing session to time out.
Now, normally, session rematch would have blocked it, but for the sake of the demo I went ahead and closed and reopened it.
So now we're reopening it, logging in.
Let's go ahead and fire up Firefox.
We're typing facebook.com,
and it's just going to continue to spin. Why?
Because it's being blocked.
So we can see the SSH tunnel is being denied by my security policy rule. So that's it.
That's how SSH decryption works and how SSH tunnels can be blocked.
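The demo shows the two places an administrator can catch this from the log: before decryption, the only visible clue is an SSH session that starts right after the social-media deny; after SSH decryption, the log identifies the tunnel itself. The script below is an added example, not code from the video or from any firewall vendor, that runs both checks over a few constructed log lines. The key=value log format, the field names (`src`, `dst`, `app`, `action`, `rule`) and the `ssh-tunnel` application label are assumptions chosen for the example; adapt `parse_line` to your own firewall's traffic log export.

```python
from datetime import datetime, timedelta

# Constructed sample traffic log lines for this example (not real firewall output).
# The sequence mirrors the demo: a social-media deny, then an SSH session from the
# same host, an unrelated SSH session from another host, and finally the
# decrypted verdict once the SSH decryption and ssh-tunnel block rules are in place.
SAMPLE_LOG = [
    "ts=2024-01-01T09:00:05 src=10.1.1.50 dst=157.240.1.35 dport=443 app=facebook-base action=reset-both rule=Deny-Social-Media",
    "ts=2024-01-01T09:00:41 src=10.1.1.50 dst=203.0.113.10 dport=22 app=ssh action=allow rule=Allow-Outbound",
    "ts=2024-01-01T09:02:10 src=10.1.1.51 dst=203.0.113.10 dport=22 app=ssh action=allow rule=Allow-Outbound",
    "ts=2024-01-01T09:30:00 src=10.1.1.50 dst=203.0.113.10 dport=22 app=ssh-tunnel action=deny rule=Block-SSH-Tunnel",
]

# Actions that mean the policy refused the session (assumed label set).
DENY_ACTIONS = {"deny", "drop", "reset-both", "reset-client", "reset-server"}
# How soon after a policy deny a new SSH session from the same host is suspicious.
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one 'key=value key=value ...' record into a dict with a datetime ts."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_tunnel_suspects(lines, window=WINDOW):
    """Return findings as (kind, src, dst, ts, detail) tuples.

    kind == "decrypted-ssh-tunnel": SSH decryption classified the session as a
        tunnel; detail is the action the security policy took.
    kind == "ssh-after-block": without decryption, the best available signal is an
        SSH session opened within `window` of a policy deny from the same source;
        detail is the application that was denied.
    """
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    findings = []
    last_block = {}  # src -> (ts, denied app) for the most recent policy deny

    for r in records:
        if r["app"] == "ssh-tunnel":
            # Decrypted verdict: no heuristic needed, the firewall named the tunnel.
            findings.append(("decrypted-ssh-tunnel", r["src"], r["dst"], r["ts"], r["action"]))
            continue
        if r["action"] in DENY_ACTIONS:
            last_block[r["src"]] = (r["ts"], r["app"])
            continue
        if r["app"] == "ssh" and r["src"] in last_block:
            blocked_at, denied_app = last_block[r["src"]]
            if timedelta(0) <= r["ts"] - blocked_at <= window:
                findings.append(("ssh-after-block", r["src"], r["dst"], r["ts"], denied_app))
    return findings


if __name__ == "__main__":
    for kind, src, dst, ts, detail in find_tunnel_suspects(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:22} {src} -> {dst} ({detail})")
```

Running it flags the 10.1.1.50 SSH session that followed the Deny-Social-Media reset by 36 seconds, and the later `ssh-tunnel` record that the security policy already denied; the 10.1.1.51 session is left alone because nothing was denied for that host. The "ssh-after-block" heuristic is only a lead for investigation, which is exactly why the demo turns on SSH decryption: without it the firewall cannot distinguish an interactive shell from a tunnel.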