Manual Chapter : Secure SSH traffic with the SSH Proxy

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 15.0.0
Manual Chapter

Secure SSH traffic with the SSH Proxy

Why use SSH proxy?

Network attacks are increasingly less visible, cloaked in SSL and SSH channels. The SSH Proxy lets network administrators centrally manage the different uses of SSH, determining who can do what on which servers. Additionally, as the feature is a full proxy, terminating both the client and server sides of the connection, it is possible to inspect traffic before passing it on. This prevents attackers from hiding their activities while still providing legitimate users with secure communications.

Challenges and problems that SSH proxy addresses

  • Gives administrators visibility into user command activity in the SSH channel
  • Provides fine-grained control of SSH access commands on a per-user basis
  • Allows segmentation of access control for different users, allowing, for example, one user to download (but not upload) with SCP, while another user can upload and download with SCP allowing SHELL access only to an administrator, and other examples
  • Control over SSH keep-alives that keep a session open indefinitely

Features of SSH Proxy

  • Policy based SSH control capability
  • Fine-grained control of SSH access on a per-user basis
  • Visibility and control of SSH connection
  • By controlling the SSH commands and session, the datacenter administrator can prevent advanced attacks from compromising the datacenter

Current limits of SSH Proxy

  • Supports SSH version 2.0 or above only
  • SSH proxy is supported on a virtual server, not on a route domain or global context
  • SSH proxy auth key size is limited to 4K
  • Elliptical Curve cypher (ECDHE) SSH keys are not supported for authentication

Using SSH Proxy

You can use an SSH Proxy to secure SSH traffic on a virtual server, on a per-user basis. A working SSH proxy implementation requires
  • An SSH proxy profile that defines actions for SSH channel commands
  • A virtual server for the SSH server, configured for SSH traffic, and including the SSH proxy profile
  • Authentication information for the SSH proxy