ProxySG & Advanced Secure Gateway


Intercepting SSH Traffic on SWG

  • 1.  Intercepting SSH Traffic on SWG

    Posted Nov 22, 2021 10:28 AM
    Hi. Does SWG support intercepting secure SSH traffic? Our use case is that we have users accessing some backend services over SSH, and because of an internal requirement this traffic needs to go via our SWG to those external backend services.

    Does SWG support traffic interception over the SSH protocol, and is it recommended to do so on SWG?

    Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------


  • 2.  RE: Intercepting SSH Traffic on SWG

    Posted Nov 22, 2021 11:16 AM
    Anyone? @Slava

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 3.  RE: Intercepting SSH Traffic on SWG

    Posted Nov 22, 2021 12:16 PM
    Hi Sulman,

    The SG can't intercept/inspect SSH/SFTP traffic the way it can HTTP/HTTPS, but you can tunnel it through. This can be done in an explicit setup over the HTTP proxy service, but you should disable protocol detection. It can also be done transparently by creating a port 22 service (one may already exist) using a TCP tunnel with no protocol detection.

    Regards
    Paul


  • 4.  RE: Intercepting SSH Traffic on SWG

    Broadcom Employee
    Posted Nov 22, 2021 12:20 PM
    Hello Sym, 

    The Symantec proxy has not yet implemented a full SSH engine capable of decrypting the SSH session and looking at what is inside it. However, SSH traffic can be picked up by the proxy, and you can still control it (allow/deny) via Web Access Layer policy based on what we can see from the session, such as destination/source IP, protocol and port.
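As an added example (not code from this thread or from the ProxySG product), the exchange that posts 3 and 4 describe, simulated in Python: a proxy-aware SFTP client issues HTTP CONNECT naming the SSH server's host:port, a minimal explicit proxy parses it, makes an allow/deny decision on the only things it can see (destination host and port), and then relays bytes it cannot read. The host name sftp.example.com, the allowlist and the SSH banner are constructed for the illustration; the loopback "SSH server" only sends its identification string, which is the one piece of SSH that travels in cleartext (RFC 4253, section 4.2).

```python
"""Added example: what an explicit proxy sees when SSH is tunnelled via CONNECT.
Host names, ports, the allowlist and the banner are assumptions for the demo."""
import socket
import threading

# Assumed stand-in for a Web Access Layer rule: destination host + port only.
ALLOWED = {("sftp.example.com", 22)}


def build_connect_request(host: str, port: int) -> bytes:
    """What a proxy-aware client (e.g. WinSCP set to 'HTTP' proxy) sends first."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_request(data: bytes):
    """Return (host, port) from a CONNECT request line, or None if the bytes
    are not a CONNECT (e.g. a client that opened raw SSH to the proxy port)."""
    head = data.partition(b"\r\n")[0].split()
    if len(head) != 3 or head[0] != b"CONNECT":
        return None
    host, _, port = head[1].rpartition(b":")
    if not host or not port.isdigit():
        return None
    return host.decode("ascii"), int(port)


def policy_decision(target) -> str:
    """Allow/deny on the visible tuple; the SSH payload itself is never inspected."""
    if target is None:
        return "DENY: not a CONNECT request (client is not proxy-aware)"
    return "ALLOW" if target in ALLOWED else "DENY"


def is_ssh_banner(first_bytes: bytes) -> bool:
    """The identification string is the only cleartext SSH content a proxy sees."""
    return first_bytes.startswith((b"SSH-2.0-", b"SSH-1.99-"))


def fake_ssh_server(listener: socket.socket) -> None:
    """Backend stand-in: sends a constructed banner and closes."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"SSH-2.0-OpenSSH_8.9 (constructed banner)\r\n")
    listener.close()


def mini_proxy(listener: socket.socket, resolve: dict) -> None:
    """Explicit proxy: parse CONNECT, apply policy, then shuttle opaque bytes."""
    client, _ = listener.accept()
    listener.close()
    with client:
        target = parse_connect_request(client.recv(4096))
        if policy_decision(target) != "ALLOW":
            client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        with socket.create_connection(resolve[target[0]]) as upstream:
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            client.sendall(upstream.recv(4096))  # relayed, not interpreted


def tunnel_demo() -> dict:
    """Run client, proxy and backend on loopback; return what the client saw."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    prx = socket.socket(); prx.bind(("127.0.0.1", 0)); prx.listen(1)
    resolve = {"sftp.example.com": srv.getsockname()}  # assumed, offline "DNS"
    threading.Thread(target=fake_ssh_server, args=(srv,), daemon=True).start()
    threading.Thread(target=mini_proxy, args=(prx, resolve), daemon=True).start()
    with socket.create_connection(prx.getsockname(), timeout=5) as c:
        c.sendall(build_connect_request("sftp.example.com", 22))
        reply = c.recv(4096)
        headers, _, rest = reply.partition(b"\r\n\r\n")
        banner = rest or c.recv(4096)
    return {"proxy_status": headers.split(b"\r\n")[0].decode(),
            "ssh_banner_visible": is_ssh_banner(banner)}


if __name__ == "__main__":
    print(tunnel_demo())
    # A WinSCP pointed at the proxy IP but configured for port 22, not the
    # proxy's HTTP port, arrives as raw SSH and never gets a tunnel:
    print(policy_decision(parse_connect_request(b"SSH-2.0-WinSCP_release\r\n")))
```

The two printed lines correspond to the two outcomes discussed in this thread: a correctly configured explicit client gets a 200 and the tunnel passes the SSH banner through untouched, while a client that speaks SSH directly to the proxy is simply not a CONNECT and cannot be matched as a tunnel request.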


  • 5.  RE: Intercepting SSH Traffic on SWG

    Posted Nov 22, 2021 01:45 PM
    Edited by Sulman Mushtaq Mushtaq Hussain Nov 22, 2021 01:45 PM
    @Slava and Paul, thanks for your replies. The proxy is deployed in explicit mode.

    There is already a default listener on SWG for SSH on port 22. If we change its action from bypass to intercept, would that be enough, or do we also need to do additional configuration on SWG to intercept SSH traffic?

    Appreciate your feedback. Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 6.  RE: Intercepting SSH Traffic on SWG

    Posted Nov 22, 2021 01:55 PM
    Hello,

    If the proxy is explicit, then the port 22 listener is irrelevant, as the traffic will be processed by the HTTP proxy service, usually on port 8080. The SFTP/SSH clients need to be proxy-aware in order to hold the explicit proxy settings.

    Regards
    Paul


  • 7.  RE: Intercepting SSH Traffic on SWG

    Posted Nov 22, 2021 02:02 PM
    Thanks Paul. The WinSCP clients already have the proxy IP, and the port is configured as 22. Is there any additional configuration that needs to be done to tunnel this traffic through SWG apart from changing the SSH listener from bypass to intercept?

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 8.  RE: Intercepting SSH Traffic on SWG

    Posted Nov 22, 2021 02:44 PM
    WinSCP needs to be configured with the same explicit proxy settings as your browsers, not port 22.

    Regards
    Paul


  • 9.  RE: Intercepting SSH Traffic on SWG

    Posted Nov 29, 2021 03:41 AM
    Hi Paul. So basically, via CPL code we disabled protocol detection and disabled authentication for the URL which we want to tunnel via the proxy, and allowed that particular URL in the WAL. We configured WinSCP to use the HTTP proxy and tried to establish the connection, but it is failing.

    I did a policy trace and can see that protocol detection is working and it is not doing SSL interception on that URL.

    I am not sure why it is still not working. Any feedback?

    Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 10.  RE: Intercepting SSH Traffic on SWG

    Posted Nov 29, 2021 05:28 AM
    Hi Sulman,

    If possible, please attach a policy trace and packet capture to this thread.

    Regards
    Paul


  • 11.  RE: Intercepting SSH Traffic on SWG

    Posted Nov 29, 2021 05:34 AM
    Hi Paul, it is not possible to share those details here. I have opened a support ticket with Symantec. Let's see what they have to say about it.

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 12.  RE: Intercepting SSH Traffic on SWG

    Posted Nov 29, 2021 06:45 AM
    Understood. Or perhaps you have an upstream firewall or router that doesn't allow outbound access on port 22 from your proxy.

    Regards
    Paul