This article can also be found in the Premium Editorial Download "Information Security magazine: 12 security lessons for CISOs they don't teach you in security school."
The overhauled encryption protocol helps harden networks.
SSH is a powerful suite of programs that enables enterprises to harness the power of encryption to protect data in transit. Some security managers shy away from encryption because it can be difficult and costly to implement. But SSHv2, a completely overhauled version of the protocol that is often included free with Linux distributions, is a practical option that gives skilled practitioners a versatile tool to enhance confidentiality, integrity, authentication and nonrepudiation.
SSH was created for two fundamental purposes: as a replacement for Telnet and as an encryption tunnel for protecting other protocols. This basic functionality can be leveraged to secure your network in many of the areas in which it's most vulnerable. SSHv2 is more secure and functional than the original protocol, although SSHv1 is still in widespread use.
Applications like Telnet and FTP, which were fine for remote access and file transfers not that long ago, are now security nightmares. Authentication information, like user IDs and passwords, is transmitted in plaintext, and mobile users are connecting to public networks in hotels, airports and coffee shops, an open invitation for stolen IDs. An admin connecting via Telnet or transferring files via FTP is asking for trouble. ssh, the main program included in the SSHv2 suite, encrypts sensitive data and is a secure replacement for Telnet.
The SSH protocol
SSHv2 is reasonably easy to learn; most people with a foundation in networking will quickly grasp its nuances and potential. We'll examine several ways, some of which may surprise you, that you can put SSHv2 to work to protect your networks.
While the SSHv2 suite contains several programs that directly replace their insecure counterparts, it can also be used to secure applications and protocols such as POP3 and SMTP. These e-mail protocols also send sensitive information in the clear, but have no widely adopted secure replacements. A secure version of POP3 is available, but it's not supported by many e-mail servers or clients.
The SSHv2 solution: Pipe POP3 or any insecure protocol inside a secure SSH tunnel. Obviously, secure POP3 or secure SMTP would be better; with their built-in functionality, they provide the exact service you need, but they require considerable expertise to customize. While more generic, SSHv2 provides a more versatile solution that can work with a range of services.
Here's how it's done: Configure the SSHv2 server to allow the connection on the SSH default port 22; no other ports are open. Then, configure the server to allow clients to connect via port 22 to access other network services. Clients would then connect to the network on port 22 and tunnel all permitted services over SSHv2.
VPNs are enormously popular for secure remote access and site-to-site connections. But they require extensive configuration and customized client software. SSHv2 is a viable option for occasions when you need a temporary, versatile VPN.
For example, if you need to transfer several large, sensitive documents between your laptop and a corporate server, an SSH tunnel can be set up so all traffic leaving the computer or network is sent over it. By tunneling all traffic as opposed to a single protocol, SSH can create the same benefit as an IPSec or SSL VPN. Since it's only temporary, there's no need for the cumbersome administration of conventional VPNs.
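The server-side policy for the "port 22 only, tunnel the rest" setup described above, together with the client command a mobile user would run to pull POP3 mail through it, as an added example that is not from the article. The gateway and mail host names, the user name and the local port are constructed placeholders; PermitOpen (OpenSSH 4.4 and later) is not mentioned in the article and is used here to confine forwarding to the mail ports.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config for the
# "port 22 only, tunnel the rest" setup, and build the matching client command.
# Hostnames, user name and local port are constructed placeholders.

# Constructed sshd_config for the gateway. PermitOpen confines forwarding to
# the mail ports so the gateway is not a general relay into the LAN. Protocol
# is an article-era directive: OpenSSH 7.4+ no longer speaks SSHv1 and only
# accepts the keyword as a deprecated option.
SAMPLE_CONFIG='Port 22
Protocol 2
AllowTcpForwarding yes
PermitOpen mail.example.internal:110 mail.example.internal:25
X11Forwarding no'

# sshd_value CONFIG DIRECTIVE: effective value of a directive. Keywords are
# case-insensitive and the first occurrence wins, as in sshd itself.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# audit_config CONFIG: prints "ok" or a space-separated list of findings.
audit_config() {
    cfg=$1; findings=""
    # SSHv1 is still widespread but weaker; any Protocol value offering it is a finding.
    case "$(sshd_value "$cfg" Protocol)" in *1*) findings="${findings}sshv1-allowed " ;; esac
    # Only the default SSH port should be in use (a missing Port line means 22).
    port=$(sshd_value "$cfg" Port)
    [ -z "$port" ] || [ "$port" = "22" ] || findings="${findings}port-not-22 "
    # Forwarding must stay enabled or the tunnel cannot be built (default is yes) ...
    fwd=$(sshd_value "$cfg" AllowTcpForwarding)
    [ -z "$fwd" ] || [ "$fwd" = "yes" ] || findings="${findings}forwarding-off "
    # ... but it must be limited to the services you intend to expose.
    [ -n "$(sshd_value "$cfg" PermitOpen)" ] || findings="${findings}permitopen-missing "
    [ -z "$findings" ] && echo ok || echo "${findings% }"
}

# tunnel_cmd LOCALPORT USER@GATEWAY MAILHOST: the client-side command. The mail
# client is then pointed at 127.0.0.1:LOCALPORT and its POP3 session rides
# inside the SSH connection to port 22 on the gateway.
tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:%s:110 %s\n' "$1" "$3" "$2"
}

audit_config "$SAMPLE_CONFIG"
tunnel_cmd 1100 alice@ssh-gateway.example.net mail.example.internal
```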
This was first published in February 2005