Port tunneling, or port forwarding, is a useful way to access applications running on a remote computer. Essentially, port forwarding maps an external “port” on an internet-facing IP address to a particular computer on a corporate network. This allows the user to reach something on a corporate computer from the internet.
Ports are how computers distinguish between multiple services listening on one computer. In total, there are more than 65,000 different ports, but only about 1,000 are used regularly. The others can be assigned to the devices or applications of your choice, and this process is called port forwarding or port tunneling. To fully understand it, you should also know that, thanks to NAT (Network Address Translation), all the internal devices share the same external IP address.
Port forwarding is used predominantly by IT administrators and programmers. However, it is also useful for a wide range of computer users; the most common uses include:
While many of these tasks can be accomplished without the help of port tunneling, it is often the easiest solution.
Although port tunneling solves all kinds of problems, it can also be dangerous. If you fail to secure a remote desktop connection, for example, someone could log into your computer from afar. This is where SSH port tunneling comes in.
SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications or to implement VPNs and access intranet services across firewalls.
The SSH protocol is a standard for secure remote logins and file transfers over untrusted networks. It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH. This means that the application data traffic is directed to flow through an encrypted SSH connection so that it cannot be eavesdropped on or intercepted while in transit. SSH tunneling makes it possible to add network security to legacy applications that do not natively support encryption.
The secure connection over the untrusted network is established between an SSH client and an SSH server. This SSH connection is encrypted, protects confidentiality and integrity, and authenticates communicating parties.
The SSH connection is used by the application to connect to the application server. With tunneling enabled, the application connects to a port on the local host that the SSH client listens on. The SSH client then forwards the application's traffic over its encrypted tunnel to the SSH server. The server then connects to the actual application server—usually on the same machine or in the same data center as the SSH server. The application communication is thus secured, without having to modify the application or end-user workflows.
SSH tunnels are widely used in many corporate environments that employ legacy mainframe systems as their application backends, which have limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS and other standards can be achieved without having to modify applications.
In many cases, making code changes to those legacy applications and application servers may be impractical or prohibitively expensive. Source code may not be available, the vendor may no longer exist, the product may be out of support, or the development team may no longer exist. Adding a security wrapper, such as SSH tunneling, has provided a cost-effective and practical way to add security without jeopardizing functionality and availability. For example, country-wide ATM networks run using tunneling for security.
Alongside its benefits, SSH tunneling also creates risks that need to be addressed by corporate IT security teams. Cyber criminals or malware could exploit SSH tunnels to hide their unauthorized communications, or to exfiltrate data from the target network.
There are several widely known and documented cases of malware leveraging the SSH protocol as a means of hiding data exfiltration and command channels. Several instances of malware have been actively collecting SSH keys. Captured and collected SSH keys have also been sold on hacker forums. Combined with attacks based on unmanaged SSH keys, SSH tunneling allows an attacker to utilize stolen SSH keys to gain access and a persistent foothold in corporate networks.
A common mode of operation is for the attacker to set up a server outside the corporate network, for example in the cloud. Once the attacker has placed the malware in the target system, it connects to the outside SSH server, enabling TCP port forwarding from the external server to an SSH port in the corporate network. By setting up this back-tunnel, the attackers exploit the fact that most organizations permit outgoing SSH connections, especially if they host servers in the cloud.
Attackers also use SSH tunneling to hide their tracks. This allows them to probe for vulnerabilities, try various login credentials, or run attack tools against email, web, and other protocols. Bouncing an attack through a dozen random devices via encrypted tunnels that also carry other traffic makes adversarial actions virtually untraceable. Akamai documented millions of IoT devices being used in this way.
Countering these risks requires the capability to monitor, control and audit encrypted SSH connections and their associated keys. In many cases, users have been able to create and install keys without oversight or controls. This has led to violations of corporate access policies and to dangerous backdoors, which in turn facilitate successful attacks through the otherwise trusted encrypted tunnels.
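One concrete piece of that control is auditing what the SSH servers you operate actually permit. The script below is an added example, not code from this article or from Venafi: it reads an sshd_config and flags the real sshd_config(5) directives that govern the -L and -R tunnels described above (AllowTcpForwarding, GatewayPorts, PermitOpen, PermitTunnel) and Match blocks that re-enable forwarding for some users. The two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or from Venafi: audit the sshd_config
# directives that govern SSH tunnelling. Keyword names are real sshd_config(5)
# options; the sample configs at the bottom are constructed for the demo.
# sshd_directive KEYWORD DEFAULT < sshd_config: prints the effective global value.
# sshd uses the FIRST occurrence of a keyword, and values inside a "Match" block
# apply only to matched users/hosts, so scanning stops at the first Match line.
sshd_directive() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        { gsub(/=/, " ") }                       # accept the "Keyword=value" form
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == key && !found { found = 1; val = $2 }
        END { print (found ? val : def) }'
}

# match_overrides FILE: count AllowTcpForwarding lines inside Match blocks, where
# a per-user/per-group override can silently re-enable tunnelling.
match_overrides() {
    awk 'tolower($1) == "match" { in_match = 1 }
         in_match && tolower($1) == "allowtcpforwarding" { n++ }
         END { print n + 0 }' "$1"
}

# audit_forwarding FILE: one "FINDING: ..." line per tunnelling-related weakness.
audit_forwarding() {
    f="$1"
    case "$(sshd_directive AllowTcpForwarding yes < "$f" | tr 'A-Z' 'a-z')" in
        no)     ;;
        local)  echo "FINDING: AllowTcpForwarding=local still permits -L tunnels" ;;
        remote) echo "FINDING: AllowTcpForwarding=remote still permits -R back-tunnels" ;;
        *)      echo "FINDING: AllowTcpForwarding allows both -L and -R tunnels" ;;
    esac
    [ "$(sshd_directive GatewayPorts no < "$f" | tr 'A-Z' 'a-z')" = no ] ||
        echo "FINDING: GatewayPorts exposes remote-forwarded ports to other hosts"
    [ "$(sshd_directive PermitOpen any < "$f")" != any ] ||
        echo "FINDING: PermitOpen any (no allow-list of forwarding destinations)"
    [ "$(sshd_directive PermitTunnel no < "$f" | tr 'A-Z' 'a-z')" = no ] ||
        echo "FINDING: PermitTunnel enables layer-2/3 tun(4) VPN tunnels"
    [ "$(match_overrides "$f")" -eq 0 ] ||
        echo "FINDING: AllowTcpForwarding is re-enabled inside a Match block"
}

# Constructed samples: a default-like config (tunnelling wide open) and a hardened one.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp); trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
printf '%s\n' '# mostly defaults' 'Port 22' 'AllowTcpForwarding yes' 'GatewayPorts=yes' > "$WEAK_CONF"
printf '%s\n' 'AllowTcpForwarding no' 'GatewayPorts no' 'PermitOpen none' 'PermitTunnel no' \
    'Match User backup' '    AllowTcpForwarding yes' > "$HARD_CONF"
echo "== weak =="; audit_forwarding "$WEAK_CONF"; echo "== hardened =="; audit_forwarding "$HARD_CONF"
```

Run it against `/etc/ssh/sshd_config` on each SSH server; the hardened sample still produces one finding because the Match block grants forwarding back to the `backup` user, which is exactly the kind of exception an audit should surface.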
Information security starts with controlling who is given access to which systems and data, and through which channels. The Venafi SSH Protect solution safeguards enterprise SSH machine identities and the host-to-host connections they enable by discovering and protecting them and automating their lifecycle.
To learn more, download this whitepaper.