SSH tunneling is a method of transporting arbitrary network data over an encrypted SSH connection. It can be used to add encryption to legacy applications. It can also be used to implement VPNs (virtual private networks) and access intranet services through firewalls.
Introduction
Port forwarding through SSH creates a secure connection between the local computer and the remote machine over which application traffic can be relayed. Because the connection is encrypted, SSH tunneling is useful for carrying information that uses an unencrypted protocol, such as IMAP, VNC, or IRC.
The tunnel rides inside the SSH session, which by convention runs over TCP port 22, so everything sent across a public network such as the Internet is encrypted, which gives it VPN-like properties. IPsec, by comparison, offers an end-to-end transport mode and a tunnel mode that terminates on a trusted security gateway.
Definition
SSH itself is the standard for secure remote login and file transfer over untrusted networks. Port forwarding additionally lets you protect the traffic of any individual application by tunneling an arbitrary TCP/IP port through SSH. The application's traffic is carried as a stream inside the encrypted SSH connection, so it cannot be read or altered while in transit. SSH tunneling therefore lets you add network-level security to legacy applications that have no encryption of their own.
A secure connection is established between the SSH client and the SSH server across the untrusted network. It is encrypted, protects confidentiality and integrity, and authenticates the connecting parties.
The application then uses this SSH connection to reach its application server. With tunneling enabled, the application talks to a port on localhost on which the SSH client is listening. The SSH client carries that connection inside its encrypted tunnel to the SSH server, and the SSH server connects onward to the real application server, usually on the same machine or in the same data center as the SSH server. Application traffic is protected this way without changing the application or the way end users work.
Tunneling protocols - what are they?
In computer networking, a tunneling protocol lets a network user access or provide a network service that the underlying network does not support or does not offer directly. One important use is running one protocol over a network that does not support it (for example, carrying IPv6 over IPv4).
Another important use is providing services that would be inappropriate or unsafe over the basic network alone, for example giving a corporate network address to a remote user whose physical network is not part of the corporate network. Because tunneling repackages traffic in a different form, often with encryption, a notable side effect is that the nature of the traffic inside the tunnel is hidden.
Secure Shell - Secure Data Transfer
Secure Shell tunneling consists of an encrypted tunnel created over an SSH protocol connection. Users can configure SSH tunnels so that traffic which would otherwise cross the network unencrypted travels through the encrypted channel. For example, Microsoft Windows computers exchange files with the Server Message Block (SMB) protocol; its older dialects carry data in the clear, and SMB 3 encryption is not always enabled.
If you mount a Windows file share across the Internet, anyone monitoring the connection can see the files being transferred. To do it securely, you can set up an SSH tunnel that carries all SMB traffic to the remote file server through the encrypted channel. Even though SMB itself may carry no encryption, the SSH channel it travels through provides it.
Port Forwarding Types
Port forwarding is a widely supported feature found in all major SSH clients and servers. With SSH port forwarding you can carry any TCP-based traffic through the encrypted connection. It is used to avoid network snooping and to get past badly configured routers and firewalls.
There are three types of port forwarding with SSH:
local - connections made to the SSH client are forwarded to the SSH server and from there to the target server;
remote - connections made to the SSH server are forwarded back through the SSH client and from there to the target server;
dynamic - connections from any number of programs go through the SSH client acting as a SOCKS proxy, then through the SSH server, and on to whichever target servers the programs ask for.
Local port forwarding is the most common type; a typical use is getting past a company firewall that blocks, say, Wikipedia.
Remote port forwarding is less common. It lets you connect from your SSH server to a computer on your company's intranet.
Dynamic port forwarding is also used less often. It lets you get past a firewall that blocks Internet access altogether. On the SSH side it is a single option (-D), but every application then has to be configured to use the resulting SOCKS proxy, so for a handful of known sites a local forward for each one is usually simpler.
Technical features
To use port forwarding, make sure it is enabled on the server; on OpenSSH this is the AllowTcpForwarding directive in sshd_config, which defaults to yes. You must also give your client the source and destination port numbers, and for local or remote forwarding the destination host as well. For dynamic forwarding you instead configure your applications to use the SOCKS proxy the client provides. How exactly this is done depends on the SSH client, so consult its documentation.
Implementation examples
The easiest way to understand this is the local forwarding example. Imagine you are on a private network that does not let you connect to a particular server; say you are at work and vk.com is blocked. To get around the block, we create a tunnel through a server that is not on our network and can therefore reach the resource: $ ssh -L 9000:vk.com:80 user@example.com
The key part is -L, which says we are doing local port forwarding. The rest says to forward our local port 9000 to vk.com:80, the default port for HTTP. Now open your browser and go to http://localhost:9000. Note that the browser sends Host: localhost:9000 to the site, so a server that relies on the Host header may not serve the page as expected; for general web browsing, dynamic (-D) forwarding with a SOCKS-aware browser is the better fit.
The undeniable advantage of SSH tunnels is encryption: nobody on your local network can see which sites you visit; only the SSH connection to the server is visible. Bear in mind that the leg from the SSH server to the destination is whatever the application protocol is, so plain HTTP is still plain HTTP on that side, and the SSH server's operator can see it.
Connecting to a database behind a firewall
Another good example: you need to reach a port on your server that accepts connections only from localhost, not remotely.
A typical case is a database console that allows only local connections for security reasons. Say you run PostgreSQL on your server, listening on its default port 5432: $ ssh -L 9000:localhost:5432 user@example.com
What changed is localhost:5432. The destination is interpreted on the SSH server's side, so connections to your local port 9000 travel through the tunnel and are delivered to port 5432 on the server's own loopback interface. Now we can simply connect to the database: $ psql -h localhost -p 9000
Remote Port Forwarding
Now let us explain remote forwarding with a real example. Suppose you are developing a Rails application on your local machine and want to show it to a friend. Unfortunately, your ISP has not given you a public IP address, so your PC cannot be reached directly over the Internet.
Sometimes this can be solved by adding a port-forwarding rule to the NAT (network address translation) on your router, but that does not always work, it requires changing the router's configuration, which is not always desirable, and it is impossible if you do not have administrator access to the network.
To solve this you need another computer that is publicly reachable and that you can log into over SSH. Any server on the Internet will do, as long as you can connect to it. We create an SSH tunnel that opens a new port on that server and connects it to the local port on your computer:
$ ssh -R 9000:localhost:3000 user@example.com
The syntax is very similar to local port forwarding, with -L changed to -R: port 9000 on the server now forwards to localhost:3000, where localhost is interpreted on your machine, the SSH client. One caveat: by default OpenSSH binds the remote listener to the server's loopback interface only, so your friend cannot reach port 9000 from outside unless the server has GatewayPorts yes (or clientspecified) in sshd_config and you request a public bind address, e.g. -R 0.0.0.0:9000:localhost:3000.
Scope and risks
The downside is that any user who can log in to the server can enable port forwarding. Internal IT staff commonly use it to log in to their home machines or cloud servers and forward a port from there back into the corporate intranet to their workstation or some convenient server. Attackers and malware can use the same mechanism to leave a backdoor into the internal network, and to cover their tracks by pivoting through several devices that permit uncontrolled tunneling.
Tunneling is often combined with SSH keys and public key authentication so the whole process can be automated.
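The following is an added example, not part of the original article, for the two points above: that forwarding must be enabled on the server (AllowTcpForwarding, on by default) and that every account which can log in can then open tunnels. It is a POSIX shell script that audits the forwarding-related directives of an OpenSSH sshd_config, showing a stock configuration that says nothing about forwarding (so OpenSSH's defaults apply) beside a hardened one that denies forwarding globally and re-enables it only for one account and one destination. The account name appuser, the PostgreSQL port 5432 and both configuration texts are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: audit the tunnelling-related
# directives of an OpenSSH sshd_config. audit_forwarding reads config text on stdin.

# Constructed sample 1: a typical sshd_config that says nothing about
# forwarding. OpenSSH then applies its defaults, i.e. AllowTcpForwarding yes,
# PermitOpen any, PermitListen any, GatewayPorts no.
WEAK_CONF='Port 22
PermitRootLogin no
PasswordAuthentication no'

# Constructed sample 2: forwarding denied for everyone, then re-enabled for a
# single (assumed) account that may only reach the local PostgreSQL port.
# PermitListen none is belt and braces next to AllowTcpForwarding local.
HARDENED_CONF='Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
Match User appuser
    AllowTcpForwarding local
    PermitOpen localhost:5432
    PermitListen none'

# audit_forwarding: prints one FINDING line per global setting that leaves
# tunnelling open, and one MATCH line per forwarding directive found inside a
# Match block so the reviewer can see which accounts get exceptions.
audit_forwarding() {
    awk '
    BEGIN { fwd = "yes"; gw = "no"; popen = "any"; plisten = "any"; inmatch = 0 }
    /^[[:space:]]*(#|$)/ { next }                      # comments and blank lines
    {
        key = tolower($1); val = $2
        if (key == "match") {                          # everything after Match is scoped
            inmatch = 1
            scope = $2; for (i = 3; i <= NF; i++) scope = scope " " $i
            next
        }
        if (inmatch) {
            if (key ~ /^(allowtcpforwarding|permitopen|permitlisten|gatewayports|permittunnel)$/)
                printf "MATCH %s: %s %s\n", scope, $1, val
            next
        }
        if (key == "allowtcpforwarding") fwd = tolower(val)
        else if (key == "gatewayports")  gw = tolower(val)
        else if (key == "permitopen")    popen = tolower(val)
        else if (key == "permitlisten")  plisten = tolower(val)
    }
    END {
        if (fwd == "yes" || fwd == "all")
            print "FINDING AllowTcpForwarding " fwd ": every account can open tunnels"
        if ((fwd == "yes" || fwd == "all" || fwd == "local") && popen == "any")
            print "FINDING PermitOpen any: local/dynamic forwards may reach any host"
        if ((fwd == "yes" || fwd == "all" || fwd == "remote") && plisten == "any")
            print "FINDING PermitListen any: remote forwards may bind any port"
        if (gw != "no")
            print "FINDING GatewayPorts " gw ": remote-forward listeners reachable from other hosts"
    }'
}

# Usage: audit both samples; on a real host use  audit_forwarding < /etc/ssh/sshd_config
echo "== stock config ==";    printf '%s\n' "$WEAK_CONF"     | audit_forwarding
echo "== hardened config =="; printf '%s\n' "$HARDENED_CONF" | audit_forwarding
```

The audit judges only the global section; Match blocks are listed rather than evaluated, because their effective values depend on who connects. To see what a given account really gets on a live server, run sshd -T -C user=appuser and look at the AllowTcpForwarding, PermitOpen, PermitListen and GatewayPorts lines. Keep in mind the caveat from the sshd_config manual: denying TCP forwarding gains nothing for users who still have shell access, since they can run a forwarder of their own; for those accounts the control is a restricted shell or a ForceCommand, not a forwarding directive.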
Benefits
SSH tunneling is widely used in enterprise environments whose applications run on mainframe systems. There the applications themselves may have very limited support for security, and tunneling can bring them into compliance with SOX, HIPAA, PCI DSS and other standards without changing the applications.
In many cases these applications and application servers are such that changing them is impractical or prohibitively expensive: the source code may be unavailable, the vendor may have gone out of business, the product may be out of support, or the development team may no longer exist. Wrapping such an application in an SSH tunnel (on Windows, for example, with PuTTY) is an economical and practical way to add security to it. The author notes, as an example, that the ATM networks in their country rely on tunneling for security.
The risks
Useful as it is, SSH tunneling carries risks that corporate IT security departments need to address. SSH tunnel connections are protected by strong encryption, which makes their contents invisible to most deployed network monitoring and traffic filtering solutions. That invisibility is a significant risk when it is used for malicious purposes such as data exfiltration.
Cybercriminals and malware can use SSH tunnels to hide their command-and-control traffic or to carry stolen data out of the target network.
In an SSH tunnel attack the attacker sets up a server outside the target network (for example in Amazon AWS). Once inside the target system, the attacker connects from it to that external SSH server. Most organizations allow outbound SSH connections, at least if they have servers in the public cloud. The connection is made with an option that forwards a TCP port on the external server to the SSH port of a server on the internal network, so the attacker can log in to the internal network from outside at will. Setting up such a tunnel takes one single-line command on the inside and is easy to automate, and a firewall that permits outbound SSH offers little protection against it.
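An added example, not part of the original article, of the host-side check a defender can run for the reverse tunnel just described: a POSIX shell script that reads the output of ss -tnpa and flags (a) sshd holding a listening socket on any port other than its service port, which is what the landing end of a -R forward looks like on the host that receives it, and (b) established outbound ssh client sessions to peers outside an allowlist, which is what the inside end of the attack looks like. The socket table below is constructed, not captured from a real host, and the allowlist addresses are assumed.

```shell
#!/bin/sh
# Added example, not from the original article: spot reverse-tunnel indicators
# in the socket table of a Linux host. Input format is that of `ss -tnpa`.

# Constructed sample socket table (not captured from a real host). Columns:
# State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:9000     0.0.0.0:*         users:(("sshd",pid=2310,fd=9))
ESTAB  0      0      10.0.5.17:22       10.0.5.3:40102    users:(("sshd",pid=2310,fd=4))
ESTAB  0      0      10.0.5.17:51324    203.0.113.10:22   users:(("ssh",pid=2204,fd=3))
ESTAB  0      0      10.0.5.17:45678    10.0.5.20:22      users:(("ssh",pid=2500,fd=3))'

# Peers this host is expected to ssh to (assumed allowlist, e.g. internal bastions).
ALLOWED_SSH_PEERS='10.0.5.20 10.0.5.21'

# find_tunnel_indicators: reads `ss -tnpa` output on stdin and prints one line
# per finding. Two patterns are checked:
#   REMOTE_FORWARD_LISTENER  sshd holds a listening socket on a port other than
#                            its service port: the landing end of a -R forward
#   OUTBOUND_SSH             an ssh client session to a peer not on the allowlist:
#                            the candidate carrier of a reverse tunnel
find_tunnel_indicators() {
    awk -v allowed="$ALLOWED_SSH_PEERS" -v sshport="22" '
    function pidof(p) { return match(p, /pid=[0-9]+/) ? substr(p, RSTART + 4, RLENGTH - 4) : "?" }
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "State" { next }                                  # header line
    {
        state = $1; laddr = $4; peer = $5; proc = $NF
        # process name is the first quoted string in users:(("name",pid=..,fd=..))
        pname = match(proc, /"[^"]+"/) ? substr(proc, RSTART + 1, RLENGTH - 2) : "?"
        lport = laddr; sub(/.*:/, "", lport)                # text after the last colon
        phost = peer;  sub(/:[^:]*$/, "", phost)            # text before the last colon
        if (state == "LISTEN" && pname == "sshd" && lport != sshport)
            printf "REMOTE_FORWARD_LISTENER local=%s pid=%s\n", laddr, pidof(proc)
        if (state == "ESTAB" && pname == "ssh" && !(phost in ok))
            printf "OUTBOUND_SSH peer=%s pid=%s\n", peer, pidof(proc)
    }'
}

# Usage: on a live host replace the sample with  ss -tnpa | find_tunnel_indicators
printf '%s\n' "$SAMPLE_SS" | find_tunnel_indicators
```

On the sample this reports the sshd listener on 127.0.0.1:9000 (pid 2310) and the ssh session to 203.0.113.10:22 (pid 2204), and stays quiet about the service port and the allowlisted peer. Two practical notes: ss only shows process names for other users' sockets when run as root, so the script has nothing to match without that; and sshport is set to 22 as an assumption, so adjust it if the daemon listens elsewhere. A listener finding on a server also tells you which sshd child (and therefore which login session) owns the forward, which is the session to terminate.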