
SSH tunneling control
SSH decryption to prevent non-SSH applications bypassing the firewall

Palo Alto Networks


3300 Olcott Street
Santa Clara, CA 95054
408.753.4000
www.paloaltonetworks.com
Table of Contents
Overview ........................................................ 3
Hardware and software requirements ......................... 3
Implementation details ..................................... 3
  Key generation ........................................... 3
  Supported ciphers ........................................ 4
  Supported message authentication functions ............... 4
  Supported firewall modes of operation .................... 4
Configuring SSH decrypt rule ............................... 4
  Case 1: Server and client use SSH v2 ..................... 5
  Case 2: Server and client use SSH v1 ..................... 5
  Case 3: Server supports both SSH v1 and v2, client supports only SSH v1 ... 6
  Case 4: Client and server use unsupported encryption and MAC methods ...... 6
Verification ............................................... 6
Summary .................................................... 7

2010 Palo Alto Networks Page 2


Overview
The Secure Shell (SSH) is a protocol for secure remote login and other secure network services
over an insecure network. SSH allows tunneling, which can be used to subvert firewalls and
breach security policies. Users can "sneak through" a firewall by hiding applications that the firewall
would normally block, wrapping them inside an SSH tunnel.
With SSH tunneling control, PAN-OS firewalls can be configured to decrypt SSH traffic and detect
when SSH port forwarding is used, thereby denying applications that are tunneled inside SSH. This
feature does not provide any control of the applications or threats carried within the tunnel; it only
detects that a tunnel is in use.

Hardware and software requirements


PA-200, PA-500, PA-2000 series, PA-4000 series and PA-5000 series of firewalls
PAN-OS 4.0 and later

Implementation details
The PAN-OS firewall acts as a man-in-the-middle, proxying the SSH connection in order to
decrypt it. The current implementation supports only SSH v2. The diagram below shows a high-level
overview of a firewall proxying the SSH connection.

Key generation
The key used for decryption is auto-generated when the firewall boots up. During bootup the
firewall checks whether an existing key is present. If not, a key is generated. This key is used for
decrypting SSH sessions for all VSYS configured on the device; the same key is used for
decrypting all SSH v2 sessions.



Supported ciphers
AES128 CTR, AES192 CTR, AES256 CTR, AES128 CBC, AES192 CBC, AES256 CBC

Supported message authentication functions


HMAC-MD5, HMAC-SHA1, HMAC-MD5-96, HMAC-SHA1-96, HMAC-RIPEMD128, HMAC-RIPEMD160

Supported firewall modes of operation


Vwire, Layer2, Layer3, active-passive and active-active HA.

Note: In an HA cluster, the keys are synchronized between devices. The client will not be prompted
to accept new keys when a device in a cluster fails.

Configuring SSH decrypt rule


There are two applications that are required in order to use this feature:
1. SSH: Includes SSH, SCP and SFTP. All of these apps will be identified as SSH.
2. SSH-Tunnel: Includes all applications other than those listed under SSH.

In order to prevent SSH tunneling, a security rule with the application SSH-Tunnel and the action
deny must be configured. An SSH decryption rule to decrypt the traffic is also required. In the example
shown below, a security policy to deny an SSH tunnel between any hosts is created. An SSH
decrypt rule, with the option to permit traffic in case the session cannot be decrypted, is also defined.

Security Policy

Decrypt Rule



Case 1: Server and client use SSH v2
Any password-authenticated SSH connection between a client and server using version 2 can be
decrypted. PAN-OS does not support decryption for key-based authenticated sessions.
In the case where the client has cached the server key and tries to establish an SSH session, the
client is required to edit the known_hosts file to remove the old key in order for SSH to work, because
the client now sees the firewall's proxy key instead of the server's.
Shown below is a screenshot of a SecureCRT client connecting to a server, with a PA firewall in
the middle configured for SSH decryption.

Case 2: Server and client use SSH v1

If the server and client support only SSH v1, the SSH decrypt rule can be configured to either drop
the connection or skip SSH decryption of it. If the rule is configured to allow, when the client initiates
an SSH v1 connection, the server and client IP addresses are added to the exclude cache in
order to bypass decryption. Once the client and server IP addresses are in the cache, all
subsequent SSH connections between this pair of hosts are exempt from SSH decryption.
While the client and server IPs are being added to the exclude cache, the first connection
attempt fails. The firewall monitors the server response to verify that the server supports only
version 1 before adding it to the exclude cache. The client will have to reinitiate the connection to
the server. The exclude cache can be viewed using the command show system setting
ssl-decrypt exclude-cache. The default timeout of the cache is 43200 seconds. This
is not user configurable.

admin@PM-PA-2020> show system setting ssl-decrypt exclude-cache

VSYS  SERVER                     APP  TIMEOUT  REASON                   DECRYPTED_APP
1     10.2.133.3:22:10.16.0.34   ssh  43023    SSH_UNSUPPORTED_VERSION  ssh

The cache can be cleared using the operational command debug dataplane reset
ssl-decrypt exclude-cache.



Case 3: Server supports both SSH v1 and v2, client supports only SSH v1
Should the server respond indicating support for both SSH v1 and v2 to a client
connection request using only SSH v1, the firewall drops the connection. This behavior prevents the
possibility of a client using an SSH v1 tunnel to bypass the firewall. If this connection were added to
the exclude cache, the client could later switch to SSH v2 and bypass SSH tunnel
inspection, because the connection between this client and server would remain in the exclude cache for
43200 seconds and the flow would be exempt from decryption for that period.

Case 4: Client and server use unsupported encryption and MAC methods
In the case where the cipher and MAC aren't supported, the decrypt rule can be set to either drop
the connection or bypass it. If set to allow and decryption fails, the source and destination IP address
pair is added to the exclude cache.
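The decision logic of Cases 1 through 4 above, written out as an added Python model (illustration only, not PAN-OS code). It assumes SSH identification strings as defined in RFC 4253, where a server banner of "SSH-1.99-..." advertises support for both v1 and v2; the reason label SSH_DECRYPT_FAILED for the cipher/MAC case is a hypothetical placeholder, since the tech note only shows SSH_UNSUPPORTED_VERSION.

```python
"""Model of the PAN-OS SSH decrypt decision and exclude cache (Cases 1-4).
Added illustration, not PAN-OS code. Banner handling follows RFC 4253:
"SSH-1.99-..." means the peer supports both protocol v1 and v2."""

EXCLUDE_CACHE_TIMEOUT = 43200   # seconds, per the tech note; not user configurable
SUPPORTED_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                     "aes128-cbc", "aes192-cbc", "aes256-cbc"}
SUPPORTED_MACS = {"hmac-md5", "hmac-sha1", "hmac-md5-96", "hmac-sha1-96",
                  "hmac-ripemd128", "hmac-ripemd160"}


def banner_versions(banner):
    """Protocol versions advertised by an identification string such as SSH-2.0-OpenSSH."""
    ver = banner.split("-", 2)[1]              # "SSH-1.99-OpenSSH" -> "1.99"
    return {"1", "2"} if ver == "1.99" else {ver.split(".")[0]}


class ExcludeCache:
    """(client, server) -> (expiry time, reason); mirrors the exclude-cache table."""
    def __init__(self):
        self.entries = {}

    def add(self, client, server, now, reason):
        self.entries[(client, server)] = (now + EXCLUDE_CACHE_TIMEOUT, reason)

    def exempt(self, client, server, now):
        entry = self.entries.get((client, server))
        return entry is not None and now < entry[0]


def decide(client_banner, server_banner, cipher, mac, client, server,
           cache, now, block_if_decrypt_failed):
    """Action for one connection attempt: decrypt, bypass, drop, or drop-then-exempt."""
    if cache.exempt(client, server, now):
        return "bypass"                         # pair already cached: no decryption
    cv, sv = banner_versions(client_banner), banner_versions(server_banner)
    if "2" in cv and "2" in sv:
        if cipher in SUPPORTED_CIPHERS and mac in SUPPORTED_MACS:
            return "decrypt"                    # Case 1: proxy and inspect
        reason = "SSH_DECRYPT_FAILED"           # Case 4; hypothetical reason label
    elif cv == {"1"} and sv == {"1"}:
        reason = "SSH_UNSUPPORTED_VERSION"      # Case 2: server is v1-only
    else:
        return "drop"                           # Case 3: server also speaks v2, never cached
    if block_if_decrypt_failed:
        return "drop"                           # rule set to block on decrypt failure
    cache.add(client, server, now, reason)      # rule set to allow: cache the pair
    return "drop-then-exempt"                   # first attempt fails; client must retry
```

The model also shows why the Case 3 drop matters: only a v1-only server response ever reaches the cache-add step, so a server that could speak v2 is never exempted.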

Verification

Firewall sessions that are subject to decryption are identified by an asterisk. To view only those
sessions you can use the filter match * as shown below. Note that the asterisk identifies both
SSL- and SSH-decrypted sessions.

admin@PA-2020> show session all | match *


36496 ssh ACTIVE FLOW * 10.16.0.34[54618]/trust/6
(10.16.0.34[54618])

Traffic logs for the sessions subject to decryption can be viewed from the traffic logs under the
Monitor section.



Troubleshooting Tip: If the SSH decrypt rule option "Block if decrypt failed" is set to YES, no logs are
generated for dropped sessions. A firewall session is still created even though the flow is
dropped because of the decrypt failure. From the end user's point of view, the connection will appear
to time out.

Summary
The fundamental architecture of Palo Alto Networks next-generation firewalls provides network
security by enabling enterprises to see and control applications, users, and content (not just ports,
IP addresses, and packets) using three unique identification technologies: App-ID, User-ID, and
Content-ID. These features are complemented by robust hardware designed to provide
separation of the control plane and data plane. This separation ensures highly available management,
high-speed logging and route updates, while the data plane does all the security processing.
Combined with features like SSH tunnel control, they reinforce security in the network.
