Appeared in Proceedings of the 2001 International Conference on Electrical, Electronics, Communication and Information CECI 2001, Jakarta, Indonesia, March 7-8, 2001, pp. IT39–IT43. Indonesian Society on Electrical, Electronics, Communication and Information (IECI) – ISBN: 979-8575-02-4

Firewalling a Secure Shell Service

Agung Prasetijo¹, Mark Looi², Andrew Clark², Gary Gaskell², Paul Ashley³, and Joris Claessens⁴

¹ Dept. of Electrical Engineering, Fac. of Engineering, Diponegoro University, Jl. Prof. H Soedarto, S.H. Tembalang, Semarang, Indonesia. Email: prasetij@alumni.undip.ac.id
² Information Security Research Centre, School of Data Communications, Queensland University of Technology, GPO BOX 2434, Brisbane, Australia. Email: {mlooi, aclark, gaskell}@isrc.qut.edu.au
³ Tivoli, Security Business Unit, 9020 Capital of Texas Hwy, Great Hills Corporate Center, Building 1, suite 270, Austin, TX 78759, United States of America. Email: paul_ashley@tivoli.com
⁴ COmputer Security and Industrial Cryptography (COSIC), Dept. of Electrical Engineering, Katholieke Universiteit Leuven, Kasteelpark Arenberg 10, 3001 Leuven-Heverlee, Belgium. Email: joris.claessens@esat.kuleuven.ac.be

Abstract– The security threats to networked systems have increased. The demand for accessing hosts remotely in a secure manner is therefore also increasing. In order to meet this demand, many users and network administrators use the Secure Shell (SSH) service. However, the SSH system may be configured with insecure defaults. A proxy in-between an SSH server and its clients is one possible way to enforce an organisation’s security policy while allowing such users and network administrators to continue to use the service. The proxy presented here has been developed from the SSH version 1 (SSH-1) source code and it helps network managers to enforce a desirable policy, such as allowing the use of strong authentication methods and avoiding security flaws in the server configuration.
Keywords– Authentication, firewall, proxy, security, SSH

I. INTRODUCTION

Accessing or managing hosts remotely often involves the use of the Telnet [6] or Rlogin [3] services. By using these services, users may remotely access hosts that have such services enabled. Unfortunately, neither the Telnet nor the Rlogin service provides confidentiality, authentication or integrity of information, as these tools do not use any cryptography. The Secure Shell (SSH) service, by contrast, can provide data confidentiality (using encryption), data authentication (using a Message Authentication Code, or MAC), and entity authentication (using cryptographic authentication) to protect all messages as they travel across untrusted networks.

The SSH system has been developed by the Helsinki University of Technology [5]. It provides a number of strong authentication methods such as RSA (public key) based authentication. Moreover, its source code is extensible for new authentication methods, such as Kerberos [4] authentication and the TIS [8] challenge-response authentication method. Secure tunneling in the SSH service is a useful tool, as it allows users and network administrators to access hosts in remote networks using any application protocol in a secure manner. This has led to a significant increase in demand for the SSH service.

However, the use of the SSH service may increase security risk if it is poorly configured. Allowing password authentication, for example, instead of using other stronger authentication methods in a highly secure environment will reduce the overall security. Password authentication is protected by encryption; however, an attacker may attempt to slowly guess user passwords. Users are known to use poor passwords [2]. Hence, it may be expected that a password guessing attack might succeed. Likewise, with empty passwords enabled in the SSH server configuration, users may log in to the system without providing any password. This will increase the chance of unauthorised users gaining access.

As the threat to information systems is increasing along with the popularity of the SSH service, restricting the SSH service is becoming important in order to keep an SSH service available without sacrificing system security. A proxy is a practical way to enhance the security of the SSH service. The SSH proxy may enforce the network security policy. It may require a stronger authentication method to be used, enforce port and X11 tunneling policy, and eliminate weak SSH configuration issues of SSH servers behind the proxy.

The outline of this paper is as follows: the next section gives an overview of the SSH protocol. It explains how SSH is structured and how it provides session-based security services. The paper will then describe how the SSH service is employed in a corporate network and how an SSH proxy can contribute to the security of the SSH service. A prototype of an SSH proxy is then presented. This is followed by an analysis of outstanding issues learnt from developing that prototype.
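
The server-side weaknesses named in this introduction (password authentication, empty passwords, and unrestricted port and X11 tunneling) can also be checked directly in a server's configuration file. The following is an added example, not code from the paper or from the SSH distribution: it assumes OpenSSH-style sshd_config parsing (case-insensitive keywords, first value wins, Match blocks conditional), and the required values in POLICY are an assumed site policy.

```python
# Added example: audit sshd_config text against an assumed site policy.
# Keywords are standard sshd_config directives; required values are assumptions.
POLICY = {
    "passwordauthentication": "no",  # require a stronger method than passwords
    "permitemptypasswords": "no",    # never accept an empty password
    "x11forwarding": "no",           # X11 tunneling policy
    "allowtcpforwarding": "no",      # port tunneling policy
}

def effective_settings(config_text):
    """Return {keyword: value} for the global section of an sshd_config."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both accepted forms.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # directives after Match apply conditionally; not audited here
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # first occurrence is the effective one
    return settings

def audit(config_text, policy=POLICY):
    """Return (keyword, found, required) for each directive that is off-policy.

    found is None when the directive is unset, so the compiled-in default
    applies; that is reported too, because defaults may be insecure.
    """
    found = effective_settings(config_text)
    return [(k, found.get(k), policy[k])
            for k in sorted(policy) if found.get(k) != policy[k]]

# Constructed sample configuration, not taken from the paper.
SAMPLE = """\
# constructed sample
Port 22
PasswordAuthentication yes
permitemptypasswords yes
PasswordAuthentication no
X11Forwarding no
"""

if __name__ == "__main__":
    for keyword, found, required in audit(SAMPLE):
        print(f"{keyword}: found {found!r}, policy requires {required!r}")
```

In the sample, the second PasswordAuthentication line has no effect because the first value is the one used, and AllowTcpForwarding is reported as unset rather than assumed safe.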