ssh proxy
3 Topics

SSH forward proxy
Is it possible to use a single Virtual Server to proxy multiple connections to back end servers? I was considering whether it would be possible to read the hostname in the SSH stream or other identifying information to direct the SSH session to the correct server. The other alternative is port multiplexing, e.g. server 1 connects to virtual server 10.0.0.15:4567, server2 connects on 10.0.0.15:4568, etc. Thanks for any help
Solved | 209 Views | 0 likes | 8 Comments

SSH Proxy - What do I need?
Greetings and thank you for your time. I have a server with an application which uses SSH to communicate with clients. That server can't be updated and presents vulnerabilities in the way it communicates with clients. I need to proxy that service on Big IP and be able to select/restrict ciphers and such so the security scans are clean. I do not need all the functionality of per-user control and such of the SSH_Proxy feature, just a proxy of the SSH connectivity so that proper security is presented client side while keeping the server side "insecure".

My questions:

Do I need AFM to do this or can this be done strictly through LTM?

I watched the F5 Wednesday Whiteboard video on SSH proxy and it mentions that the initial handshake is done from client to server directly and that BigIP kicks in as a man-in-the-middle afterwards. Wouldn't that defeat my requirement of presenting a clean security exchange with the client?

Can client authentication (simple username/password, no client cert) be passed through to the backend server or does the SSH user authenticate to BigIP?

Essentially I'm looking for a way to do a simple proxy termination for an SSH service with the capability of presenting different ciphers to the client than those received from the server. I don't need to look inside the SSH stream. What would be the best way to accomplish that? Thank you much :) Ben
489 Views | 0 likes | 1 Comment

Limit text-copy in SSHproxy
I have suggested to my employer that we use SSHproxy in AFM to access network management tools and devices, instead of the current 2xRDP via jumpstations and then SSH via SecureCRT, but the Security Officer says no on the basis that you could paste files into a text-editor on the receiving end and that way transfer files. Is there a way to limit the amount of data that can be transferred that way? I can see that it is possible to apply an iRule, so perhaps something is possible that way? My suggested setup is: client --vpn--> mgmt-net --> SSHproxy --> mgmt-server --> network-equipment.
315 Views | 0 likes | 2 Comments