Check Point Firewall – Detect SSH over Non Standard Ports

Many enterprises deploy proxies these days, but many are not aware that if they are not configured correctly, they may be allowing tunneling through certain protocols and, in essence, giving a tech-savvy employee the keys to exploit this fault. Most times this is SSH over HTTP/HTTPS, but it can also be over other ports, which is less common. Blue Coat proxies detect and drop this type of activity by default, but like I said, all it takes is a few small lines of CPL to override this default blocking (the CPL is left out intentionally for the reader to discover), and then the proxy is vulnerable to being bypassed/circumvented by that pesky tech-savvy employee using a PuTTY terminal. However, since this article is about Check Point, I will move past the proxy and get right to the firewall stuff.

To manage the possible abuse of SSH tunneling over non-standard ports, Check Point has a SmartDefense profile specifically for this. To start managing this threat, open Check Point SmartDashboard and make sure you are on the firewall policy you would like to enable this feature on. Click the IDS/SmartDefense tab –> “Application Intelligence” –> “VPN Protocols” –> “Detect SSH over Non Standard Ports”. Activate this to block SSH tunneling, proxied or straight through the firewall, over non-standard ports (e.g. port 80).

PuTTY does allow you to proxy, so it is possible for someone to set up an SSH server at home listening on port 80. I have done this as a proof of concept, so protect your company’s data.

Why bother, you ask?
Most likely your developers are already abusing this by setting it up. I have seen cases where they tunnel home and run their own proxy so they do not have to go through the company’s proxy. They can also be using this to work for someone else while you are paying them.

Note: If you are using SSH over non-standard ports for business purposes, you can NOT enable this. Newer versions of Check Point should be able to define the ports you use and then detect on the others that you consider non-standard.
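As an added example (not Check Point’s code and not from the original post), the following Python sketch shows the kind of check the SmartDefense protection performs: matching the SSH identification string (RFC 4253 “SSH-protoversion-softwareversion”) at the start of a connection and flagging it when the destination port is outside an allowed set, which mirrors the note above about defining business-approved ports. The flow records are constructed samples, not captured traffic.

```python
import re
from dataclasses import dataclass
from typing import Collection, List

# RFC 4253: an SSH peer opens with "SSH-<protoversion>-<softwareversion>"
# terminated by CR LF (older implementations send a bare LF).
SSH_BANNER = re.compile(rb"^SSH-\d+\.\d+-[^\r\n]{1,253}\r?\n")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent on the connection (constructed)


def is_ssh_banner(payload: bytes) -> bool:
    """True if the payload starts with an SSH identification string."""
    return SSH_BANNER.match(payload) is not None


def detect_ssh_on_nonstandard_ports(
    flows: List[Flow], allowed_ports: Collection[int] = frozenset({22})
) -> List[Flow]:
    """Return flows that carry an SSH banner on a port not in allowed_ports."""
    return [f for f in flows
            if f.dport not in allowed_ports and is_ssh_banner(f.payload)]


# Constructed sample flows (hypothetical hosts, not real traffic).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),      # normal SSH
    Flow("10.1.1.7", "203.0.113.20", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),      # SSH on port 80
    Flow("10.1.1.8", "203.0.113.30", 80, b"HTTP/1.1 200 OK\r\n"),          # genuine HTTP
    Flow("10.1.1.9", "203.0.113.40", 443, b"\x16\x03\x01\x00\xc4"),        # TLS record
    Flow("10.1.1.9", "203.0.113.50", 2222, b"SSH-2.0-dropbear_2022.83\r\n"),  # business SSH
]

if __name__ == "__main__":
    # Allow-list the business-approved port so it is not reported.
    for f in detect_ssh_on_nonstandard_ports(SAMPLE_FLOWS, allowed_ports={22, 2222}):
        print(f"SSH banner on non-standard port: {f.src} -> {f.dst}:{f.dport}")
```

Banner matching only sees cleartext SSH; a tunnel wrapped inside TLS on 443 looks like ordinary HTTPS to this check, which is one reason the proxy’s own protocol detection still matters.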

Remember, you can have a firewall, but without the right person driving that firewall you can end up with a false sense of being secure.