ssh on outside interface

Unanswered Question
Jan 19th, 2010

I know it can be done on my ASA5510 - that's not my problem - I just need to justify the risks.

I've been trying to hunt down any supporting "Best Practice" documents that state whether it's advisable to allow SSH access from the internet to the outside interface.

Has anyone come across any?

Thx.

Rob

Panos Kampanakis Tue, 01/19/2010 - 15:39

Hi  Rob,

I won't be able to answer your question, and I don't think you will find a doc.

I think the reason is that it is not a matter of best practices, it is a matter of necessity. I don't think there is anyone that wants to be able to manage his ASA remotely otherwise, unless he can VPN into it to manage it.

The ASA will not allow telnet on the outside (lowest-security) interface anyway, so if you want to manage it you will either use SSH or some kind of VPN. If you don't need to manage it remotely, then best practice is to lock it down and disable SSH. In other words, I think it is a matter of necessity and not best practice.

Now, to make it more secure, the best practice is to allow SSH only from the specific management IP addresses that will be used to manage it, and also to use strong credentials to avoid a password-guessing attack.

I would be interested if someone has a best practice doc that addresses it.

I hope it helps a little.

Panos

Jon Marshall Tue, 01/19/2010 - 16:32

rbrunne wrote:

I know it can be done on my ASA5510 - that's not my problem - I just need to justify the risks.

I've been trying to hunt down any supporting "Best Practice" documents that state whether it's advisable to allow SSH access from the internet to the outside interface.

Has anyone come across any?

Thx.

Rob

Rob

Have to agree with Panos on this one. I would certainly not be comfortable with allowing any IP address to try and use SSH access to the outside interface. As Panos says, you should definitely try and lock it down to specific IPs and have an ACL on your border router, if you manage it, that only allows SSH from those specific addresses.

Otherwise you can VPN to the ASA or, a more likely scenario, you can VPN into a device within your internal network and then manage the ASA from either the inside or the management interface. I personally prefer that approach because you are not allowing any external management access directly to your firewall, whether it be via SSH or VPN.

I would only use SSH if I could

a) tie it down to specific IPs and, preferably,

b) have a filter list on an upstream router that only allowed those IPs

Jon
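The two controls both replies recommend (restrict SSH on the ASA to named management hosts, and filter the same hosts on the upstream border router), written out as an added example that is not part of this thread or of any Cisco document. Everything in it is assumed for illustration: the management hosts 203.0.113.10 and 203.0.113.11, the ASA's outside address 198.51.100.2, the interface name `GigabitEthernet0/0`, the local user `netadmin`, an ASA 8.x-era command set, and an IOS border router. The placeholder passphrase must be replaced.

```cisco
! ---- ASA: SSH on the outside interface, limited to two management hosts ----
! (added example; addresses, names and passphrase are assumed placeholders)
!
! A host key is required before the ASA will answer SSH at all
crypto key generate rsa modulus 2048
!
! Accept SSH version 2 only
ssh version 2
!
! The only sources allowed to open SSH to the "outside" interface.
! Any other source is dropped by the ASA before authentication is reached.
ssh 203.0.113.10 255.255.255.255 outside
ssh 203.0.113.11 255.255.255.255 outside
!
! Drop idle management sessions after 5 minutes
ssh timeout 5
!
! SSH logins authenticate against the local user database; use a strong passphrase
aaa authentication ssh console LOCAL
username netadmin password <replace-with-strong-passphrase> privilege 15

! ---- Upstream border router (IOS): same two hosts, everything else logged ----
! Applied inbound on the internet-facing interface so that port-22 probes never
! reach the ASA. The final "permit ip any any" stands in for whatever policy the
! router already carries; it is not a recommendation to permit everything.
ip access-list extended OUTSIDE-IN
 permit tcp host 203.0.113.10 host 198.51.100.2 eq 22
 permit tcp host 203.0.113.11 host 198.51.100.2 eq 22
 deny   tcp any host 198.51.100.2 eq 22 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
```

To confirm the ASA side took effect, `show running-config ssh` should list only the two management hosts against `outside`, and `show ssh sessions` should show nothing but your own connection. On the router, `show access-lists OUTSIDE-IN` exposes the hit counter on the logged `deny` line, which is the quickest way to see how much unsolicited SSH traffic the border is absorbing on your behalf.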
