4.25.2. Proxy behavior

Zorp's SSH proxy uses a man-in-the-middle technique to decrypt and terminate SSH connections on the firewall. It splits each connection into two parts (client to firewall, firewall to server) and inspects all traffic, so that no data is ever transferred directly between the server and the client. Zorp supports only the SSH-2 protocol, but since SSH-2 implementations are widely available and deployed, this is not a practical limitation. The general capabilities of Zorp's SSH proxy are summarized below.

  • Protocol inspection: All traffic is inspected and is only permitted across the firewall if it fully complies with the SSH-2 protocol. This provides effective protection against a great number of attacks that exploit vulnerabilities of server and client applications, including buffer overflow vulnerabilities.

  • Verify encryption method: Zorp can also control the internal parameters of the connections, allowing it to enforce the use of selected encryption methods (cipher type, key length, etc.), thus providing protection against downgrade attacks.

  • Control user authentication: The different authentication methods can be separately enabled or disabled; for example, the use of strong authentication methods can be enforced by completely disabling password-based authentication. User-level filtering and access control can also be performed. Although this can obviously be done on the servers themselves, Zorp, as an external device, provides these features reliably even if the server or the client machines are compromised.

  • Control of SSH channels: Zorp has full control over the SSH channels, i.e. it can be specified which channels are allowed to and from a given server or in a given connection. For instance, file transfer, port forwarding, or X forwarding can be separately enabled or disabled based on various criteria.

  • Disable agent forwarding: Zorp can disable agent forwarding, thus preventing the keys used in the internal network from becoming accessible on external machines.

  • Control remote command execution: Because Zorp fully inspects the SSH protocol, it can be specified which commands are allowed and which are disabled. More sophisticated decisions can also be made based on the parameters of the session, e.g. allowing the execution of a command only to certain users.
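At the wire level, the channel, agent-forwarding and command controls described above come down to decoding the SSH-2 channel messages the client sends and matching them against a policy. The following Python is an added illustration of that logic, not Zorp's own code or its policy API; the message layouts follow RFC 4254, while the POLICY table, the build() helper and the SAMPLES messages are constructed for this example.

```python
import struct

def read_string(buf: bytes, off: int):  # SSH-2 'string' (RFC 4251): uint32 length + bytes
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse(payload: bytes) -> dict:
    """Pull the fields a channel policy needs out of CHANNEL_OPEN (90),
    CHANNEL_REQUEST (98) and GLOBAL_REQUEST (80) messages (RFC 4254)."""
    msg = payload[0]
    if msg == 90:  # channel type is the first field; sender channel/window/max packet follow
        return {"msg": "channel_open", "type": read_string(payload, 1)[0].decode()}
    if msg == 98:
        rtype, off = read_string(payload, 5)  # skip the uint32 recipient channel
        info = {"msg": "channel_request", "type": rtype.decode()}
        if rtype in (b"exec", b"subsystem"):  # argument follows the want_reply boolean
            info["arg"] = read_string(payload, off + 1)[0].decode()
        return info
    if msg == 80:
        return {"msg": "global_request", "type": read_string(payload, 1)[0].decode()}
    return {"msg": "other", "type": str(msg)}

# Constructed policy: sessions, sftp and two commands only. Anything not listed (direct-tcpip
# and x11 channels, x11-req, auth-agent-req@openssh.com, i.e. agent forwarding) is denied.
POLICY = {"channel_types": {"session"}, "exec": {"uptime", "df -h"}, "subsystem": {"sftp"},
          "requests": {"pty-req", "env", "window-change", "shell", "exec", "subsystem"}}

def decide(payload: bytes, policy: dict = POLICY) -> tuple:  # -> (allowed, reason)
    info = parse(payload)
    if info["msg"] == "channel_open":
        return info["type"] in policy["channel_types"], f"channel {info['type']}"
    if info["msg"] == "channel_request" and info["type"] in policy["requests"]:
        ok = info["type"] not in ("exec", "subsystem") or info["arg"] in policy[info["type"]]
        return ok, f"request {info['type']} {info.get('arg', '')}".rstrip()
    return False, f"{info['msg']} {info['type']}"  # unlisted requests, tcpip-forward, unknown

def build(code: int, *fields) -> bytes:  # constructed message: bytes->string, bool->boolean, int->uint32
    out = bytes([code])
    for f in fields:
        out += (struct.pack(">I", len(f)) + f if isinstance(f, bytes) else
                bytes([f]) if isinstance(f, bool) else struct.pack(">I", f))
    return out

SAMPLES = {  # constructed client messages, not captured traffic
    "session": build(90, b"session", 0, 1 << 21, 32768),
    "forward": build(90, b"direct-tcpip", 1, 1 << 21, 32768, b"10.0.0.5", 3389, b"192.0.2.10", 50000),
    "exec_ok": build(98, 0, b"exec", True, b"uptime"),
    "exec_no": build(98, 0, b"exec", True, b"bash"),
    "agent": build(98, 0, b"auth-agent-req@openssh.com", False),
    "rfwd": build(80, b"tcpip-forward", True, b"0.0.0.0", 8080),
}
```

Anything the parser does not recognise falls through to a deny, so the proxy fails closed on unknown or malformed channel traffic rather than passing it on.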