Fortinet black logo

Handbook

SSH MITM deep inspection

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:745988
Download PDF

SSH MITM deep inspection

As vulnerabilities of OpenSSH continue to be exposed, it has become necessary to detect such attacks, which requires the ability to decrypt the SSH tunnel to check the data. This feature introduces comprehensive security controls on SSH Man-in-the-Middle (MITM) deep inspections, including:

  • SSH filter profiles to control SSH tunnel types and filtering on SSH shell commands.
  • SSH proxy policies to apply a proxy firewall policy with user authentication on SSH session.
  • Support for SSH tunnel policy to perform access control for TCP/IP port forwarding traffic that is tunneled through the SSH proxy. IPS scanning can be applied to the tunneled traffic.
  • Support for SSH trust to detect and prevent SSH MITM attacks.
Syntax
  1. Add SSH related option in ssl-ssh-profile for proxy mode profile
    1. Add option to bypass or block unsupported SSH protocol (Deep scan only supports SSH 2.0)

      config firewall ssl-ssh-profile

      edit <name>

      config ssh

      set unsupported-version {bypass | block}

      next

      end

      end

    2. Add option to enable SSH proxy policy check

      config firewall ssl-ssh-profile

      edit <name>

      config ssh

      set ssh-policy-check {enable | disable}

      set ssh-tun-policy-check {enable | disable}

      next

      end

      end

      note icon

      When SSH proxy policy check is enabled, proxy will check "SSH proxy" policy for SSH traffic and check "SSH tunnel" policy for TCP/IP port forwarding traffic.

    3. Move block/log options for x11-filter/ssh-shell/exec/port-forward to SSH filter profile
  2. SSH filter profile
    1. Support options to block or log x11-filter/ssh-shell/exec/port-forward/sftp

      config ssh-filter profile

      edit <name>

      set block {x11-filter | ssh-shell | exec | port-forward | sftp}

      set log {x11-filter | ssh-shell | exec | port-forward | sftp}

      next

      end

    2. Add Shell command filters

      config ssh-filter profile

      edit <name>

      config shell-commands

      edit <id>

      set type {simple | regex}

      set pattern <cmd-string>

      set action {block | allow}

      set log {enable | disable}

      set alert {enable | disable}

      set severity {low | medium | high | critical}

      next

      end

      set default-command-log {enable | disable}

      end

  3. Allow SSH filter profile to be set for config firewall policy when UTM is enabled.
  4. Support SSH proxy policy for SSH sessions
    1. Add a proxy type ssh into config firewall proxy-policy

      config firewall proxy-policy

      edit <pol-id>

      set proxy ssh

      next

      end

    2. When user/user-group is set in SSH proxy policy, firewall authentication can be done for SSH proxy traffic. Authentication rule for SSH is added:

      config authentication rule

      edit <name>

      set protocol ssh

      next

      end

    note icon

    "Basic" authentication scheme:

    config authentication scheme

    edit "ssh-active"

    set method basic

    set user-database "local" #or LDAP server

    next

    "ssh-publickey" authentication scheme:

    config authentication scheme

    edit "ssh-pkey"

    set method ssh-publickey

    set user-database "local" #or LDAP server

    set ssh-ca "server-ca"

    next

    User name is embedded in ssh-publickey. User group information will be retrieved if the publickey is validated by CA.

    Both "Basic" and "ssh-publickey" authentication scheme:

    config authentication scheme

    edit "ssh-pkey"

    set method basic ssh-publickey

    set user-database "local" #or LDAP server

    set ssh-ca "server-ca"

    next

  5. Support SSH tunnel policy to do access control for TCP/IP port forwarding traffic.
    1. Add a proxy type ssh-tunnel into config firewall proxy-policy

      config firewall proxy-policy

      edit <pol-id>

      set proxy ssh-tunnel

      set action {accept | deny}

      next

      end

    2. Support allow or deny and IPS sensor/app-control the traffic.
  6. Support SSH trust to detect and prevent from SSH MITM attacks
    1. Define trusted SSH hostkey for specific SSH server

      config firewall ssh host-key

      edit <name>

      set status {trusted | revoked}

      set type {RSA | DSS | ECDSA}

      set nid <NID of ECDSA key>

      set ip <ip>

      set port <port>

      set hostname <name>

      set public-key <hostkey>

      next

      end

    2. Define trusted/untrusted CAs for hostkey signing. Any hostkey signed by trust CA is trusted unless the hostkey is revoked.

      config firewall ssh local-ca

      edit <name>

      set password <passwd>

      set public-key <public key>

      set private-key <private key>

      set source {build-in | user}

      next

      end

      note icon

      The system creates two build-in SSH CAs: Fortinet_SSH_CA and Fortinet_SSH_CA_Untrusted. The CAs are used to re-sign a server host key with local host-key using trusted/untrusted CA when the server host key is trusted or untrusted.

    3. Define local hostkey templates for trusted re-signing. Be default, they are generated automatically.

      config firewall ssh local-key

      edit <name>

      set password <passwd>

      set public-key <public key>

      set private-key <private key>

      set source {build-in | user}

      next

      end

      note icon

      The system creates different types of local host keys as default re-signing templates: Fortinet_SSH_RSA2048, Fortinet_SSH_DSA1024, Fortinet_SSH_ECDSA256, Fortinet_SSH_ECDSA384, Fortinet_SSH_ECDSA512, Fortinet_SSH_ED25519, Fortinet_SSH_RSA1024.

      Admin can load their own local host keys and use them for MITM re-signing in config firewall ssh setting.

    4. Per-VDOM SSH settings

      config firewall ssh setting

      set caname <trusted-ca>

      set untrusted-caname <untrusted-ca>

      set hostkey-rsa <hostkey-rsa>

      set hostkey-dss <hostkey-dss>

      set hostkey-ecdsa256 <hostkey-ecdsa256>

      set hostkey-ecdsa384 <hostkey-ecdsa384>

      set ed25519-key <ed25519-key>

      set host-trusted-check {enable | disble}

      end

    note icon

    When a hostkey is trusted and signed by a CA, SSH proxy re-signs appropriate type of hostkey using trusted CA.

    When a host is trusted but not signed, SSH proxy sends back appropriate type of hostkey.

    When a hostkey is untrusted and signed by a CA, SSH proxy re-signs a temporary hostkey (1 hour life time) using untrused CA.

    When a host is trusted but not signed, SSH proxy sends back a temporary hostkey (one hour life time).

SSH MITM deep inspection

As vulnerabilities of OpenSSH continue to be exposed, it has become necessary to detect such attacks, which requires the ability to decrypt the SSH tunnel to check the data. This feature introduces comprehensive security controls on SSH Man-in-the-Middle (MITM) deep inspections, including:

  • SSH filter profiles to control SSH tunnel types and filtering on SSH shell commands.
  • SSH proxy policies to apply a proxy firewall policy with user authentication on SSH session.
  • Support for SSH tunnel policy to perform access control for TCP/IP port forwarding traffic that is tunneled through the SSH proxy. IPS scanning can be applied to the tunneled traffic.
  • Support for SSH trust to detect and prevent SSH MITM attacks.
Syntax
  1. Add SSH related option in ssl-ssh-profile for proxy mode profile
    1. Add option to bypass or block unsupported SSH protocol (Deep scan only supports SSH 2.0)

      config firewall ssl-ssh-profile

      edit <name>

      config ssh

      set unsupported-version {bypass | block}

      next

      end

      end

    2. Add option to enable SSH proxy policy check

      config firewall ssl-ssh-profile

      edit <name>

      config ssh

      set ssh-policy-check {enable | disable}

      set ssh-tun-policy-check {enable | disable}

      next

      end

      end

      note icon

      When SSH proxy policy check is enabled, proxy will check "SSH proxy" policy for SSH traffic and check "SSH tunnel" policy for TCP/IP port forwarding traffic.

    3. Move block/log options for x11-filter/ssh-shell/exec/port-forward to SSH filter profile
  2. SSH filter profile
    1. Support options to block or log x11-filter/ssh-shell/exec/port-forward/sftp

      config ssh-filter profile

      edit <name>

      set block {x11-filter | ssh-shell | exec | port-forward | sftp}

      set log {x11-filter | ssh-shell | exec | port-forward | sftp}

      next

      end

    2. Add Shell command filters

      config ssh-filter profile

      edit <name>

      config shell-commands

      edit <id>

      set type {simple | regex}

      set pattern <cmd-string>

      set action {block | allow}

      set log {enable | disable}

      set alert {enable | disable}

      set severity {low | medium | high | critical}

      next

      end

      set default-command-log {enable | disable}

      end

  3. Allow SSH filter profile to be set for config firewall policy when UTM is enabled.
  4. Support SSH proxy policy for SSH sessions
    1. Add a proxy type ssh into config firewall proxy-policy

      config firewall proxy-policy

      edit <pol-id>

      set proxy ssh

      next

      end

    2. When user/user-group is set in SSH proxy policy, firewall authentication can be done for SSH proxy traffic. Authentication rule for SSH is added:

      config authentication rule

      edit <name>

      set protocol ssh

      next

      end

    note icon

    "Basic" authentication scheme:

    config authentication scheme

    edit "ssh-active"

    set method basic

    set user-database "local" #or LDAP server

    next

    "ssh-publickey" authentication scheme:

    config authentication scheme

    edit "ssh-pkey"

    set method ssh-publickey

    set user-database "local" #or LDAP server

    set ssh-ca "server-ca"

    next

    User name is embedded in ssh-publickey. User group information will be retrieved if the publickey is validated by CA.

    Both "Basic" and "ssh-publickey" authentication scheme:

    config authentication scheme

    edit "ssh-pkey"

    set method basic ssh-publickey

    set user-database "local" #or LDAP server

    set ssh-ca "server-ca"

    next

  5. Support SSH tunnel policy to do access control for TCP/IP port forwarding traffic.
    1. Add a proxy type ssh-tunnel into config firewall proxy-policy

      config firewall proxy-policy

      edit <pol-id>

      set proxy ssh-tunnel

      set action {accept | deny}

      next

      end

    2. Support allow or deny and IPS sensor/app-control the traffic.
  6. Support SSH trust to detect and prevent from SSH MITM attacks
    1. Define trusted SSH hostkey for specific SSH server

      config firewall ssh host-key

      edit <name>

      set status {trusted | revoked}

      set type {RSA | DSS | ECDSA}

      set nid <NID of ECDSA key>

      set ip <ip>

      set port <port>

      set hostname <name>

      set public-key <hostkey>

      next

      end

    2. Define trusted/untrusted CAs for hostkey signing. Any hostkey signed by trust CA is trusted unless the hostkey is revoked.

      config firewall ssh local-ca

      edit <name>

      set password <passwd>

      set public-key <public key>

      set private-key <private key>

      set source {build-in | user}

      next

      end

      note icon

      The system creates two build-in SSH CAs: Fortinet_SSH_CA and Fortinet_SSH_CA_Untrusted. The CAs are used to re-sign a server host key with local host-key using trusted/untrusted CA when the server host key is trusted or untrusted.

    3. Define local hostkey templates for trusted re-signing. Be default, they are generated automatically.

      config firewall ssh local-key

      edit <name>

      set password <passwd>

      set public-key <public key>

      set private-key <private key>

      set source {build-in | user}

      next

      end

      note icon

      The system creates different types of local host keys as default re-signing templates: Fortinet_SSH_RSA2048, Fortinet_SSH_DSA1024, Fortinet_SSH_ECDSA256, Fortinet_SSH_ECDSA384, Fortinet_SSH_ECDSA512, Fortinet_SSH_ED25519, Fortinet_SSH_RSA1024.

      Admin can load their own local host keys and use them for MITM re-signing in config firewall ssh setting.

    4. Per-VDOM SSH settings

      config firewall ssh setting

      set caname <trusted-ca>

      set untrusted-caname <untrusted-ca>

      set hostkey-rsa <hostkey-rsa>

      set hostkey-dss <hostkey-dss>

      set hostkey-ecdsa256 <hostkey-ecdsa256>

      set hostkey-ecdsa384 <hostkey-ecdsa384>

      set ed25519-key <ed25519-key>

      set host-trusted-check {enable | disble}

      end

    note icon

    When a hostkey is trusted and signed by a CA, SSH proxy re-signs appropriate type of hostkey using trusted CA.

    When a host is trusted but not signed, SSH proxy sends back appropriate type of hostkey.

    When a hostkey is untrusted and signed by a CA, SSH proxy re-signs a temporary hostkey (1 hour life time) using untrused CA.

    When a host is trusted but not signed, SSH proxy sends back a temporary hostkey (one hour life time).