How Is Port Tunneling Used for SSH Certificates?

August 12, 2021 | Anastasios Arampatzis

Port tunneling, or port forwarding, is a useful way to reach a service running on a remote computer. In its basic form, a port forward maps a port on an internet-facing IP address to a port on a particular host inside a private network. This lets a user on the internet reach something on a corporate computer that has no public address of its own.

Ports are how a computer distinguishes between the multiple services listening on it. TCP and UDP each have 65,536 port numbers (0 through 65535); the lowest 1,024 are the well-known ports reserved for standard services, and the rest are free for any application you choose. Port forwarding is needed because, thanks to NAT (Network Address Translation), all the devices on an internal network usually share one external IP address: an inbound connection to that address has to be steered to the right internal host and port, and the rule that does so is the port forward.

Port forwarding is used predominantly by IT administrators and programmers, but it is also useful for a wide range of computer users. The most common uses include:

  • Hosting game servers for multiplayer gaming.
  • Running remote desktop protocols for accessing corporate computers remotely.
  • Permitting file transfers from a local computer to the outside world.
  • Running a publicly accessible website from a home computer.
  • Hosting your own VPN server that allows you to access your corporate network remotely.

While many of these tasks can be accomplished without the help of port tunneling, it is often the easiest solution.

Although port tunneling solves all kinds of problems, it can also be dangerous. A remote desktop port forwarded straight to the internet, for example, lets anyone who finds it try to log into that computer from afar. This is where SSH port tunneling comes in: the forwarded traffic is carried inside an authenticated, encrypted SSH session instead of being exposed directly.

What is SSH port tunneling?

SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications or to implement VPNs and access intranet services across firewalls.

The SSH protocol is a standard for secure remote logins and file transfers over untrusted networks. It also provides a way to secure the data traffic of any given application using port forwarding, essentially tunneling any TCP port over SSH. The application's traffic is directed through the encrypted SSH connection so that it cannot be read or tampered with in transit. SSH tunneling therefore lets you add network security to legacy applications that do not natively support encryption.

How does it work?

The secure connection over the untrusted network is established between an SSH client and an SSH server. This SSH connection is encrypted, protects confidentiality and integrity, and authenticates communicating parties.

With local forwarding (ssh -L), the application connects to a port on the local host that the SSH client listens on. The SSH client carries that connection through its encrypted tunnel to the SSH server, and the server opens the onward TCP connection to the actual application server, usually on the same machine or in the same data center as the SSH server. Remote forwarding (ssh -R) works in the opposite direction: the SSH server listens on a port, and connections to it are carried back through the tunnel to a destination the client can reach. Either way, the application's traffic is secured without modifying the application or the end user's workflow.
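The local-forwarding flow just described, as an added illustration that is not code from the original post: a small Python relay that listens on a loopback port and hands each accepted connection on to a destination, which is what the SSH client does for every connection to an ssh -L port. The encrypted hop between SSH client and SSH server is collapsed into a direct TCP relay so the script runs offline; the echo server standing in for the application server, and the hostnames in the comments, are constructed for the demo.

```python
"""Model of what an SSH client does behind `ssh -L`: accept on a local port,
relay bytes both ways to the destination. Real equivalents (hosts assumed):
    ssh -L 8080:intranet-app:80 user@bastion    # local forward
    ssh -R 2222:localhost:22 user@remote-host   # remote (reverse) forward
    ssh -D 1080 user@bastion                    # dynamic SOCKS forward
In real SSH the relayed bytes ride an encrypted "direct-tcpip" channel and the
SSH server opens the final TCP connection; here the relay does it directly."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until EOF, then half-close dst so the peer
    sees end-of-stream (otherwise a tunnelled HTTP/1.0 request would hang)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_forward(listener: socket.socket, dest: tuple) -> None:
    """Accept on the local listener and relay each connection to dest,
    one pair of copy threads per connection."""
    while True:
        try:
            client, _ = listener.accept()
        except OSError:
            return  # listener was closed
        try:
            upstream = socket.create_connection(dest, timeout=5)
            upstream.settimeout(None)  # connect timeout only; sessions may idle
        except OSError:
            client.close()  # destination refused: drop the local connection
            continue
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def start_local_forward(dest: tuple, bind_host: str = "127.0.0.1") -> tuple:
    """Listen on an ephemeral loopback port and forward to dest.
    Returns (listener, local_port); the caller closes the listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_host, 0))
    listener.listen(8)
    threading.Thread(target=serve_forward, args=(listener, dest), daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_server() -> tuple:
    """Stand-in for the 'actual application server' (constructed for the demo):
    it echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(payload: bytes) -> bytes:
    """Send payload to the forwarder's local port and return whatever the
    application server sent back through the relay."""
    app_srv, app_port = start_echo_server()
    listener, local_port = start_local_forward(("127.0.0.1", app_port))
    try:
        with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # done sending; now read until EOF
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply
    finally:
        listener.close()
        app_srv.close()


if __name__ == "__main__":
    print(round_trip(b"GET / HTTP/1.0\r\n\r\n"))
```

The half-close in `_pump` is the detail that matters in practice: a forwarder that closes both directions as soon as one side finishes sending will cut off replies that are still in flight.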

Benefits of SSH port tunneling

SSH tunnels are widely used in corporate environments that still run legacy mainframe systems, with limited native support for security, as their application backends. By using tunneling, compliance with SOX, HIPAA, PCI DSS and other standards can be achieved without having to modify the applications.

In many cases making code changes to those legacy applications and application servers is impractical or prohibitively expensive: the source code may not be available, the vendor may no longer exist, the product may be out of support, or the development team may have moved on. Adding a security wrapper such as SSH tunneling is a cost-effective and practical way to add security without jeopardizing functionality and availability. For example, country-wide ATM networks run over tunnels for security.

Risks of SSH port tunneling

Alongside its benefits, SSH tunneling also creates risks that corporate IT security teams need to address. Cyber criminals or malware can use SSH tunnels to hide unauthorized communications or to exfiltrate data from the target network, because a tunnel looks like any other encrypted SSH session.

There are several widely known and documented cases of malware using the SSH protocol to hide data exfiltration and command channels. Several malware families have actively collected SSH keys, and captured keys have been sold on hacker forums. Combined with attacks on unmanaged SSH keys, SSH tunneling lets an attacker use stolen keys to gain access and a persistent foothold in corporate networks.

A common mode of operation is for the attacker to set up an SSH server outside the corporate network, for example in the cloud. Once the malware is in place on a target system, it connects out to that server with remote port forwarding enabled (ssh -R), so that a port on the attacker's server is forwarded back through the tunnel to an SSH port inside the corporate network; the attacker then reaches the internal host by connecting to their own server. This back-tunnel exploits the fact that most organizations permit outgoing SSH connections, especially if they host servers in the cloud.

Attackers also use SSH tunnels to hide their tracks. Working through a tunnel lets them probe for vulnerabilities, try various login credentials, or run attack tools against email, web and other services while the victim sees only the last hop. Chaining an attack through a dozen random devices via encrypted tunnels that also carry other traffic makes adversarial actions very hard to trace. Akamai documented millions of IoT devices being used in this way.
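What a defender can check on the hosts an attacker would log into with a stolen key and then pivot through, as an added example that is not code from the original post: a small audit of sshd_config for the directives that decide whether a host can act as a tunnel endpoint (AllowTcpForwarding, PermitOpen, PermitListen, GatewayPorts and PermitTunnel, all real sshd_config keywords), honouring sshd's rule that the first value read for a keyword wins and that Match blocks override the global value only for matching connections. The two configuration samples are constructed for the demo.

```python
"""Audit sshd_config for the settings that let a host serve as a tunnel
endpoint. Directive defaults are taken from sshd_config(5)."""
import re

DEFAULTS = {
    "allowtcpforwarding": "yes",   # yes | no | local | remote
    "gatewayports": "no",          # yes | no | clientspecified
    "permittunnel": "no",          # yes | no | point-to-point | ethernet
    "permitopen": "any",           # destinations allowed for -L
    "permitlisten": "any",         # listen ports allowed for -R
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*[=\s]\s*(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Return {scope: {keyword: value}} with a 'global' scope plus one scope per
    Match block. Within a scope the first value seen wins, as sshd applies it."""
    scopes = {"global": {}}
    scope = "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = "Match " + value
            scopes.setdefault(scope, {})
            continue
        scopes[scope].setdefault(keyword, value)  # first value wins
    return scopes


def effective(scopes: dict, scope: str) -> dict:
    """Settings in force for a scope: defaults, then global, then the Match block."""
    conf = dict(DEFAULTS)
    conf.update(scopes["global"])
    if scope != "global":
        conf.update(scopes[scope])
    return {k: v.lower() for k, v in conf.items()}


def audit_forwarding(text: str) -> list:
    """List (scope, finding) pairs for every scope that permits some tunnelling."""
    findings = []
    scopes = parse_sshd_config(text)
    for scope in scopes:
        conf = effective(scopes, scope)
        fwd = conf["allowtcpforwarding"]
        if fwd != "no":
            detail = "AllowTcpForwarding " + fwd
            if fwd in ("yes", "local") and conf["permitopen"] == "any":
                detail += ", PermitOpen unrestricted (-L to anywhere)"
            if fwd in ("yes", "remote") and conf["permitlisten"] == "any":
                detail += ", PermitListen unrestricted (-R on any port)"
            findings.append((scope, detail))
            # GatewayPorts only matters when remote forwards are possible at all
            if fwd in ("yes", "remote") and conf["gatewayports"] != "no":
                findings.append((scope, "GatewayPorts " + conf["gatewayports"]
                                 + " exposes -R listeners to the network"))
        if conf["permittunnel"] != "no":
            findings.append((scope, "PermitTunnel " + conf["permittunnel"]
                             + " allows a tun/tap VPN over SSH"))
    return findings


# Constructed samples for the demo, not real hosts' files.
WEAK_CONFIG = """
Port 22
AllowTcpForwarding yes
GatewayPorts clientspecified
Match User backup
    AllowTcpForwarding no
"""

HARDENED_CONFIG = """
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowTcpForwarding yes     # ignored: sshd keeps the first value it read
Match Group bastion-users
    AllowTcpForwarding local
    PermitOpen intranet-app.example.com:443
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_forwarding(cfg))
```

The hardened sample shows the usual compromise: forwarding off globally, and a Match block that re-enables local forwarding for one group but pins it with PermitOpen to a single destination, so a stolen key in that group cannot be used to reach arbitrary internal hosts.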

Control your SSH keys

Countering these risks requires the ability to monitor, control and audit encrypted SSH connections and the keys behind them. In many organizations, users have been able to create and install keys without oversight or controls. This has led to violations of corporate access policies and to dangerous backdoors, which in turn enable attacks through otherwise trusted encrypted tunnels.
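One concrete check that follows from the point above about keys installed without oversight, as an added example rather than code from the original post: an audit of an authorized_keys file that flags keys whose options leave port forwarding enabled, or that are accepted from any source address. It uses the real OpenSSH options restrict, no-port-forwarding, port-forwarding and from=. The sample file and the key blobs in it are constructed for the demo (valid wire format, not real key pairs); the fingerprint is computed the way ssh-keygen -l does, so findings can be matched against a key inventory.

```python
"""Audit authorized_keys for keys a stolen private key could use to tunnel."""
import base64
import hashlib
import struct

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _split_outside_quotes(text: str, is_sep) -> list:
    """Split text on characters for which is_sep() is true, ignoring any that
    sit inside "..." (command="..." and from="a,b" contain spaces and commas)."""
    parts, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if is_sep(ch) and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts


def parse_line(line: str):
    """Return (options, keytype, blob, comment) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = _split_outside_quotes(line, str.isspace)
    if tokens[0] in KEY_TYPES:          # no options field
        options, rest = [], tokens
    else:
        options = _split_outside_quotes(tokens[0], lambda c: c == ",")
        rest = tokens[1:]
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        return None
    return options, rest[0], rest[1], " ".join(rest[2:])


def fingerprint(blob: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (base64, no '=')."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str) -> list:
    """Return (line_no, fingerprint, comment, problems) for each key whose
    options leave it usable for tunnelling or usable from any source host."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, _ktype, blob, comment = parsed
        names = {o.split("=", 1)[0].lower() for o in options}
        problems = []
        # 'restrict' and 'no-port-forwarding' both disable -L/-R/-D for this key;
        # 'port-forwarding' re-enables it after 'restrict'.
        if "port-forwarding" in names or not names & {"restrict", "no-port-forwarding"}:
            problems.append("port forwarding allowed")
        if "from" not in names:
            problems.append("no from= source restriction")
        if problems:
            findings.append((n, fingerprint(blob), comment, problems))
    return findings


def _fake_ed25519_blob(seed: bytes) -> str:
    """Constructed public key blob in OpenSSH wire format: length-prefixed type
    string, then a length-prefixed 32-byte value. NOT a real key."""
    ktype = b"ssh-ed25519"
    point = hashlib.sha256(seed).digest()  # 32 stand-in bytes, not a real point
    wire = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(point)) + point
    return base64.b64encode(wire).decode()


# Constructed authorized_keys for the demo.
SAMPLE = "\n".join([
    "# constructed authorized_keys for the demo",
    "ssh-ed25519 " + _fake_ed25519_blob(b"alice") + " alice@laptop",
    'restrict,from="10.0.0.0/8" ssh-ed25519 ' + _fake_ed25519_blob(b"deploy") + " deploy-bot",
    'no-pty,command="/usr/local/bin/backup.sh --full" ssh-ed25519 '
    + _fake_ed25519_blob(b"backup") + " backup@nas",
    "restrict,port-forwarding ssh-ed25519 " + _fake_ed25519_blob(b"tunnel") + " tunnel-user",
])

if __name__ == "__main__":
    for line_no, fp, comment, problems in audit_authorized_keys(SAMPLE):
        print(f"line {line_no} {fp} ({comment}): {', '.join(problems)}")
```

Note that a forced command alone (the backup@nas line) does not stop tunnelling: the client can still request port forwards in the same session, so a key meant for one job should carry restrict as well. Where a key legitimately exists to build a tunnel, restrict,port-forwarding together with a from= pattern is the narrowest shape that still works.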

Information security starts with controlling who is given access to which systems and data, and through which channels. The Venafi SSH Protect solution safeguards enterprise SSH machine identities and the host-to-host connections they enable by discovering and protecting them and automating their lifecycle.

To learn more, download this whitepaper.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
