NimbostratusSSH Proxy - What do I need?
Greetings and thank you for your time. I have a server with an application which uses SSH to communicate with clients. That server can't be updated and presents vulnerabilities in the way it communicates with clients. I need to proxy that service on Big IP and be able to select/restrict ciphers and such so the security scans are clean. I do not need all the functionality of per-user control and such of the SSH_Proxy feature, just a proxy of the SSH connectivity so that proper security is presented client side while keeping the server side "insecure".
My questions:
-
Do I need AFM to do this or can this be done strictly through LTM?
-
I watched the F5 Wednesday Whiteboard video on SSH proxy and it mentions that the initial handshake is done from client to server directly and that BigIP kicks in as a man-in-the-middle afterwards. Wouldn't that defeat my requriement of presenting a clean security exchange with the client?
-
Can client authentication (simple username/password, no client cert) be passed through to the backend server or does the SSH user authenticate to BigIP?
Essentially I'm looking for a way to do a simply proxy termination for an SSH service with the capability of presenting different ciphers to the client than those received from the server. I don't need to look inside the SSH stream. What would be the best way to accomplish that?
Thank you much :)
- Ben
