Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
860
Views
0
Helpful
2
Replies

ssh on outside interface

rbrunne
Level 1
Level 1

‎01-19-2010 01:57 PM - edited ‎03-11-2019 09:58 AM

i know it can be done on my ASA5510 - that's not my porblem - I just need to justify the risks.

I've been trying to hunt down any supporting "Best Practice" documents that state whether it's advisable to allow ssh access from the internet to the outside interface?

Has anyone come across any?

Thx.

Rob

Labels:
0 Helpful
2 Replies 2

Panos Kampanakis
Cisco Employee
Cisco Employee

‎01-19-2010 03:39 PM

Hi  Rob,

I won't be able to answer your question, and I don't think you will find a doc.

I think the reason is that it is not a matter of best practices, it is a matter of necessity. I don't think there is anyone that wants to be able to manage his ASA remotely otherwise, unless he can vpn into it to manage.

The ASA will not allow telnet on the outside lowest security interface anyway, so if you want to manage it you either will use ssh or some kind of vpn. If you don't need to manage it remotely, then best practice is to lock it and disable ssh. In other words I think it is a matter of necessity and not best practice.

Now, to make it more secure the best practise is to allow ssh only for specific management ip addresses that will be used to manage it and also use strong credentials to avoid a password guess attack.

I would be interested if someone has a best practice doc that addresses it.

I hope it helps a little.

Panos

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame

‎01-19-2010 04:32 PM 

rbrunne wrote:
i know it can be done on my ASA5510 - that's not my porblem - I just need to justify the risks. 
I've been trying to hunt down any supporting "Best Practice" documents that state whether it's advisable to allow ssh access from the internet to the outside interface?
Has anyone come across any?
Thx.
Rob

Rob

Have to agree with Panos on this one. I would certainly not be comfortable with allowing any IP address to try and use ssh access to the outside interface. As Panos says you should definitely try and lock it down to specific IPs and have an acl on your border router, if you manage it, that only allows ssh from these specific addresses.

Otherwise you can VPN to the ASA or a more likely scenario you can VPN into a device within your internal network and then manage the ASA from either the inside or management interface. I personally prefer that approach because you are not allowing any external management access direct to your firewall whether it be via ssh or vpn.

I would only use ssh if i could

a) tie it down to specific IPs and preferably

b) have a filter list on an upstream router that only allowed those IPs

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card