Implementing SSH Strategies for Optimizing the Secure Shell, part 9

than to support several tools/utilities across multiple systems. Furthermore, the use of SSH as a backup solution, a file server, or for terminal access makes it easier for users to learn, adopt, and optimize on a single solution. Lastly, despite the fact that SSH has been so widely adopted by former RSH and Rlogin users, not only for its added security but also primarily because it is easy to use, it still has not carried over to other uses such as SFTP, chat, or backups. This chapter not only demonstrates what many users already know, that SSH is a strong alternative for RSH/Rlogin, but also that SSH is just as easy to use and deploy for other protocols such as FTP, chat, and backups. The use of SSH as a file server and backup solution is just as easy, if not easier, than its use as a secure terminal session. Either through default installations, which install the SFTP subsystem, or additional features such as Rsync, SSH can be a strong solution across multiple disciplines, not just for secure terminal access.

In the next chapter, I will shift the focus from SSH flexibility to SSH proxies and how to use an SSH proxy server to access several SSH servers, whether they are SSH terminal sessions or SFTP servers. Also, I will cover the uses of other tools, such as SOCKS and HTTP, in conjunction with SSH.

CHAPTER 9 Proxy Technologies in a Secure Web Environment

The use of proxy servers in any network environment can simplify the operating environment for end-users. A proxy server is an application that places a request on behalf of another entity. Most proxy servers in use today are Web proxies, where a client machine attempts to access a certain Web server but sends its request to the Web proxy server. The Web proxy server then sends the request to the real Web server on behalf of the client. Once the response is received from the Web server, the proxy server returns the response to the client. The use of proxy technology can also be adapted to the SSH architecture.
This chapter focuses on the use of SSH, as I have discussed it thus far, in combination with proxy servers, SOCKS, dynamic port forwarding, wireless networks, and secure Web browsing. These topics allow me to demonstrate another aspect of SSH while demonstrating the ability to optimize and utilize its flexibility. As a result of this chapter, the use of SSH will expand beyond a typical implementation into lesser-known methods of deployment, such as secure Web browsing and secure wireless networks.

Using SSH in combination with proxy technologies allows networks to optimize the strong security features from SSH with multiple devices and operating systems across an organization's architecture. The use of proxy technology allows normally insecure sessions to be secure, while providing a single repository for SSH communication. The focuses of this chapter are the following:

■ SSH and SOCKS
■ Dynamic port forwarding and SOCKS
■ Secure Web browsing with SSH
■ Securing wireless connections with SSH

SSH and SOCKS

The implementation of SOCKS proxy servers with SSH offers a great solution for network environments. Before I delve into SSH and SOCKS, I'll quickly examine SOCKS and its primary purposes. SOCKS is a generic proxy protocol able to plug into other protocols, such as SSH, in order to provide security across networking environments. SOCKS uses the typical client/server architecture, where a SOCKS client connects to a SOCKS server. The primary purpose of SOCKS is to allow a client on one end of a connection to access one or several hosts on the other end of a connection via the SOCKS server, without the client ever directly connecting to the desired host on the other side.
Using this understanding, I will be using SOCKS to allow an SSH client to connect to multiple SSH servers by connecting to a single SOCKS server, which creates a secure communication channel between all clients and servers while reducing the complexity in the network architecture. The primary purpose of installing a SOCKS proxy server is to allow a single entry point for SSH communication, which is then dispersed throughout the rest of the network. For example, let's say you have installed SSH on all your Web servers for secure remote management and would like to allow access to these Web servers, via SSH, to all your administrators from remote sites outside the confines of the internal network. Instead of allowing several SSH connections through your firewall, which could be 10 to hundreds of connections, you can set up a SOCKS proxy server that can proxy the SSH request to the SSH servers. Figure 9.1 shows the architecture in detail.

Figure 9.1 Use of SOCKS proxy servers with SSH.

Figure 9.1 shows a remote client outside the internal network. To allow a remote client to access multiple servers running SSH for management inside an internal network or DMZ networks, you could create a rule in the firewall that would allow access to every Web server or even to several hundred internal servers. Or you could use a SOCKS server to proxy all the requests from the remote clients to the SSH servers, which requires only a single rule in the firewall that would allow all remote clients to the SOCKS server on port 1080. Figure 9.2 shows how this operates.

Currently, there are many solutions for SOCKS servers, from large enterprise SOCKS servers, capable of handling many requests, to very small SOCKS servers, capable of only a limited capacity. For ease of illustration, consider how to install a very simple SOCKS server.
The SOCKS server to be demonstrated is SOCKServ, version 2.0, which can be freely downloaded from www.geocities.com/SiliconValley/Heights/2517/sockserv.htm#intro. This is a version 4 SOCKS server. To complete the example described in Figure 9.1, a SOCKS server needs to be installed on 11.17.7.1, ensuring that SSH is listening on all destination servers, including 11.17.7.10, 11.17.7.12, 11.17.7.14, and 11.17.7.16; then SSH clients need to be configured to use SOCKS.

[Figure 9.1 diagram: Remote Client, Router, Firewall, Internet, SOCKS Server 11.17.7.1, and SSH on port 22 at 11.17.7.10, 11.17.7.12, 11.17.7.14, and 11.17.7.16.]

Figure 9.2 Use of SSH clients with a SOCKS proxy server.

To install SOCKServ, complete the following steps:

1. Unzip sockserv2.zip to any folder/directory.
2. Double-click on sockserv.exe.
3. Select the Configure button.
   a. Ensure that Listen Port is 1080.
   b. Ensure that Logging is enabled.
4. Select OK.
5. Select Start.

[Figure 9.2 diagram: Remote Client, Router, Firewall, Internet, SOCKS Server, and SSH servers on port 22.]

As shown in Figure 9.3, SOCKServ is now installed and ready for SSH connections.

To use the SOCKS server for SSH connections with SecureCRT, complete the following steps:

1. Confirm that a SOCKS version 4 or version 5 server is installed.
2. Open up SecureCRT. Start ➪ Programs ➪ SecureCRT ➪ SecureCRT.
3. From the menu bar, select Options ➪ Global Options.
4. Select the Firewall section.
5. For the Type field, select SOCKS version 4 or version 5, depending on what version you have installed, from the drop-down box.
6. For the Hostname or IP field, enter the IP address or hostname of the SOCKS server. In this example, it is 11.17.7.1.
7. For the port field, enter the port number you have selected for the SOCKS server. The default port is 1080.
8. Select OK.

The options should look like Figure 9.4.

Figure 9.3 Installed SOCKServ utility.

Figure 9.4 SecureCRT SOCKS options.
Now that you have SOCKS set up in your global options, you must configure each of your SSH connections to use the SOCKS firewall. Doing so will make your SSH request go to the SOCKS server first and will let the SOCKS server go to the server you requested on your behalf. To configure SSH connections to use the SOCKS server, complete the following steps:

1. Open SecureCRT, if it is not already open. Start ➪ Programs ➪ SecureCRT ➪ SecureCRT.
2. For new connections, select File from the menu bar and select Quick Connect. For hostname, be sure to enter the hostname or IP address of the destination server you wish to reach, not the SOCKS server. For example, according to Figure 9.1, you could enter 11.17.7.10, 11.17.7.12, 11.17.7.14, or 11.17.7.16.
3. Select the checkbox that states Use firewall to connect.
4. For existing saved connections, select File from the menu bar and select Connect.
5. Highlight the connection you wish to edit; then right-click and select Properties. Be sure to select the connection of the destination server you wish to reach, not the SOCKS server. For example, according to Figure 9.1, you could select 11.17.7.10, 11.17.7.12, 11.17.7.14, or 11.17.7.16.
6. The Connection section should have information about your saved connections.
7. In the right-hand pane, select the checkbox that states Use firewall to connect.
8. Select OK.

The options should look like Figure 9.5. Again, be sure to keep the IP address and hostname fields set to your desired destination server. Once the checkbox has been selected to use the firewall option, the SOCKS entry in your global settings will direct your connections to the SOCKS server, which will carry your request to the hostname or IP address that you have specified in your connection request. Once the setup has been completed, you should be able to use your SOCKS server, with a single firewall rule, to access any appropriate SSH-enabled server.
To use the SOCKS server for SSH connections with SSH Communications' SSH client, complete the following steps:

1. Open the SSH Secure Client. Start ➪ Programs ➪ SSH Secure Shell ➪ Secure Shell Client.
2. From the menu bar, select Edit ➪ Settings.
3. Select the Firewall section.
4. For the Firewall URL field, enter the IP address or hostname of the SOCKS server, in the following format: socks://host:port. In this example, it is socks://11.17.7.1:1080.
5. For the SOCKS version field, select SOCKS version 4 or version 5, depending on what version you have installed, from the drop-down box.
6. Select OK.

Figure 9.5 SecureCRT SOCKS options with saved connections.

The options should look like Figure 9.6.

Now that you have SOCKS set up in your global settings, you must configure each of your SSH connections to use the SOCKS firewall. Doing so will make your SSH request go to the SOCKS server first and will let the SOCKS server go to the server you requested. To configure SSH connections to use the SOCKS server, complete the following steps:

1. Open the SSH Secure Client, if it is not already open. Start ➪ Programs ➪ SSH Secure Shell ➪ Secure Shell Client.
2. Select File ➪ Profiles from the menu bar; then select Edit Profiles.
3. Highlight the profile you wish to edit. According to the example in Figure 9.1, it would be the profile for 11.17.7.10, 11.17.7.12, 11.17.7.14, or 11.17.7.16. Be sure to select the connection of the destination server you wish to reach, not the SOCKS server.
4. In the right-hand pane, select the checkbox that states Connect through firewall.
5. Select OK.

Figure 9.6 SSH Communications' SOCKS options.

The options should look like Figure 9.7.
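The handshake that a client configured as above performs against a SOCKS version 4 server such as SOCKServ, as an added example that is not code from the book or from SOCKServ: the client sends a SOCKS4 CONNECT request naming the real destination (11.17.7.16:22), the proxy opens that connection on the client's behalf, and an 8-byte reply reports whether the request was granted. The addresses, the user id "admin", and the sample reply bytes are constructed from the chapter's example values.

```python
# Added example (not from the book): the SOCKS4 CONNECT exchange an SSH client
# performs against a SOCKS4 server. Standard library only; addresses are constructed.
import ipaddress
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1

# SOCKS4 result codes carried in the second byte of the 8-byte reply.
REPLY_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: SOCKS server cannot reach the client's identd",
    0x5D: "rejected: identd reported a different user id",
}

def build_connect_request(dst_host, dst_port, user_id=""):
    """Encode a SOCKS4 CONNECT: VN, CD, DSTPORT (big-endian), DSTIP, USERID, NUL."""
    if not 0 < dst_port < 65536:
        raise ValueError("port out of range")
    packed_ip = ipaddress.IPv4Address(dst_host).packed  # SOCKS4 is IPv4-only
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, dst_port, packed_ip)
    return header + user_id.encode("ascii") + b"\x00"

def parse_reply(reply):
    """Decode the 8-byte SOCKS4 reply; VN is always 0, CD holds the result."""
    if len(reply) != 8:
        raise ValueError("expected an 8-byte SOCKS4 reply, got %d bytes" % len(reply))
    vn, cd, port, packed_ip = struct.unpack("!BBH4s", reply)
    if vn != 0:
        raise ValueError("unexpected SOCKS4 reply version byte %d" % vn)
    return {
        "granted": cd == 0x5A,
        "status": REPLY_CODES.get(cd, "unknown result code 0x%02x" % cd),
        "port": port,
        "ip": str(ipaddress.IPv4Address(packed_ip)),
    }

def recv_exact(sock, n):
    # Read exactly n bytes, failing cleanly if the proxy closes mid-handshake.
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS server closed the connection")
        buf += chunk
    return buf

def connect_via_socks(sock, dst_host, dst_port, user_id=""):
    """Run the handshake on a socket already connected to the SOCKS server
    (11.17.7.1:1080 in the chapter); after a granted reply the same socket
    carries the SSH stream, which the proxy relays unmodified."""
    sock.sendall(build_connect_request(dst_host, dst_port, user_id))
    reply = parse_reply(recv_exact(sock, 8))
    if not reply["granted"]:
        raise ConnectionError("SOCKS server refused: " + reply["status"])
    return reply
```

The SOCKS4 request and reply travel in the clear; what is encrypted end to end is the SSH stream relayed after a granted reply, so the SOCKS server (and its log) sees the destination address and port but not the session contents.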
Now that the SOCKS server is set up on 11.17.7.1 and the SSH clients are configured to use the SOCKS server to access the desired hosts, you can use the SOCKS/SSH architecture. Using your SSH client, SecureCRT, or SSH Communications' SSH client, connect to the desired host (11.17.7.16) with the use of the SOCKS server. (First, ensure that the firewall checkbox is selected.) When the SOCKS server receives the connection, it connects to 11.17.7.16 on your behalf and returns the connection to you. Once you have authenticated, you will have an SSH session via the SOCKS server. Furthermore, the connection between you and the SOCKS server and between the SOCKS server and the desired host is encrypted with SSH. After the session is enabled, you should see the connection in your SOCKServ utility, as shown in Figure 9.8.

Figure 9.7 SSH Communications' SOCKS options under profiles.

[...] however, will also be port-forwarding port 8080 on the SSH client to the SSH server. Therefore, any connection made to port 8080 on the local SSH client will be forwarded to the SSH server on port 8080 over the existing SSH tunnel. Since the SSH server will be listening for HTTP proxy connections on port 8080, any request made on the SSH client on port 8080 will be forwarded to the HTTP proxy server port, [...]

[...] textbox. 10. Select OK. Figure 9.18 shows the configuration in SecureCRT.

Figure 9.18 SecureCRT with the HTTP proxy command setting.

As with other settings using the Firewall option in SecureCRT, be sure to check the "Use firewall to connect" option for each SSH session that you will use through the proxy server. See Figure 9.19 for the checkbox location.

Figure 9.19 SecureCRT's "Use firewall [...]
[Figure callouts (port forwarding to an HTTP proxy, SSH server 6.12.11.30:22, proxy 6.12.11.30:8080): ... sends the request to the local port 8080 on the client's loopback address (127.0.0.1). 3. The port-forwarded connection takes the web request and forwards it to the SSH server over the established SSH tunnel (over port 22). 1. SSH client makes a connection to the SSH server while port forwarding port 8080 from the client to the SSH server. 4. Forwarded web request reaches the HTTP ...]

[...] 6.12.11.30. See Figures 9.14 and 9.15.

Figure 9.14 SecureCRT port-forwarding options for proxy connections over port 8080.

Figure 9.15 SSH Communications' SSH client's port-forwarding options for proxy connections over port 8080.

4. Save the sessions on the respective SSH clients and connect to the SSH server with the port-forwarding options [...]

[Figure callouts (dynamic port forwarding): 2. When the web browser makes a web request, it sends the request to the local SOCKS server on port 1080 on the client's loopback address (127.0.0.1). 3. The dynamic port forwarding connection (the SOCKS server on the client's machine) takes the web request and forwards it to the SSH server over the established SSH tunnel (over port 22). 1. SSH client makes a connection to the SSH server with dynamic port forwarding ...]

[...] Explorer. 6. Select Tools from the menu bar; then select Internet Options. 7. Select the Connections tab. 8. Select the LAN Settings button at the bottom of the section. 9. Select the Proxy server checkbox and enter 127.0.0.1 for the Address and 8080 for the Port. 10. Select OK. See Figure 9.16 for details.

Now that you have connected your SSH client to the SSH server (with your port-forwarding options enabled) [...]
[...] to access the SSH server on port 443. The next four rules are in place for port-forwarding reasons. Since the remote-access SSH clients will be using the SSH server and port forwarding to access the e-mail, file-sharing, and Web servers, the SSH server will need to be allowed to access all of the other servers.

Configuration

Now that the product selection and architecture have been set up for SSH, it's [...]

[...] radio button. 7. For the HTTP Proxy: section, enter 127.0.0.1. 8. For the Port: section, enter 8080. 9. Select OK.

Complete the following steps to set up SSH clients and a Web browser with secure Web communication on a Windows client. 1. Open SecureCRT or SSH Communications' SSH client. 2. Configure sessions for the SSH server on 6.12.11.30, on port 22. 3. Enter the port-forwarding options to port forward all connections [...]

[...] 172.16.1.200.

Chapter 10 SSH Case Studies

All devices in Figure 10.1 are part of the existing architecture, except for items in italics, which are the VShell SSH server off the perimeter firewall and the installation of VShell on the internal file server. With only the need for two additional items, the architecture for remote access with SSH is quite simple. In addition to the architecture, the perimeter firewall [...]

■ Dynamic port forwarding requires additional configuration on client-side applications.
■ Some SSH clients do not support dynamic port forwarding.

Secure Web Browsing with SSH

One of the most attractive features of SSH is the ability to surf the information superhighway in a secure fashion, despite the network you are sitting on (for example, the Internet), the protocol that the Web server is using (for example, [...]
[...] port forwarding with SOCKS on an SSH client machine, complete the following steps:

1. From the SSH client, connect to the SSH server using the appropriate command-line client: OpenSSH ssh <sshserver> [...]

Posted: 14/08/2014, 02:20
