kantver - Fotolia
Should I allow SSH tunneling connections through the firewall?
Allowing users to tunnel through a firewall to access any site creates a security risk. How big of a risk is it? It depends on how much you trust your users.
Whether or not to allow SSH tunneling depends on the amount of risk one is willing to tolerate. I advise against it.
Savvy end users like to conduct operations via secure shell (SSH) tunneling when firewall rules hinder their access to various remote services. Sometimes a user chooses SSH tunneling when conducting operations from a publicly available Wi-Fi network, such as those located in hotels and coffee shops. One can never be too certain of the encryption level utilized on a public network or of the network's overall security, and SSH tunneling provides the end user an extra layer of encryption.
In many cases, tunneling occurs without the system administrator's knowledge, but you ask whether to explicitly allow it. This depends on your level of risk tolerance. If you allow tunneling, certain end users will perform operations that subvert the firewall infrastructure. I don't recommend this, and here's why:
Let's assume that an end user is attempting to access an explicit site -- for this example, explicitsite.com -- but the site is blocked at the firewall. A traditional SSH tunnel, which uses local port forwarding, connects to a remotely located server outside of the local area network, and therefore beyond the reach of the local firewall, via SSH. This presumes that SSH is capable of passing through the firewall. With the firewall no longer a roadblock, the user configures a remotely located box to forward a local port via the following command:
$ ssh -L 7777:explicitsite.com:80 [email protected]
This tells the remotely located SSH server to forward the local port, or server port, to explicitsite.com:80. At this point, the user just opens a browser on their local machine, and navigates to http://localhost:7777.
What's the harm in this? There is no way for the security or systems administrator to keep track of which site the user is actually accessing; all that appears in a packet capture or the firewall logs is an SSH connection to the remotely located server. No record of the explicit site is available.
Allowing SSH tunneling comes with significant risk to the network. However, if system administrators are certain that the individuals performing these functions are trustworthy and the tunneling enables them to perform their duties more easily and safely, consider allowing it as needed.
