SonicOS 6.2 Admin Guide

DPI-SSH

Configuring DPI-SSH

DPI-SSH > Configure

DPI-SSH provides deep packet inspection of encrypted information.

About DPI-SSH

Deep Packet Inspection (DPI) technology allows a packet filtering-firewall to classify passing traffic based on signatures of the Layer 3 and Layer 4 contents of the packet. DPI also provides information that describes the contents of the packet’s payload (the Layer 7 application data). DPI is an existing SonicOS feature that examines the data and the header of a packet as it passes through the SonicWall firewall, searching for protocol non-compliance, viruses, spam, intrusions, or defined criteria to decide whether the packet may pass or if it needs to be routed to a different destination for action or other tracking.

SSH (Secure Shell) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. SSH connects a server and a client, running SSH server and SSH client programs respectively, through a secure channel over an insecure network. The protocol has two distinct versions, referred to as SSH-1 and SSH-2. SonicWall supports only SSH-2; SSH-1 sessions are not intercepted or inspected.

NOTE: SSH clients with different version numbers cannot be used at the same time.

To effectively inspect an encrypted message, such as SSH, the payload must be decrypted first. DPI-SSH works as a man-in-the-middle (MITM) or a packet proxy. Any preset end-to-end communication is broken, and pre-shared keys cannot be used.

DPI-SSH splits the single SSH tunnel into two tunnels, decrypts the packets arriving from each tunnel, and performs the inspection. If a packet passes the DPI check, DPI-SSH re-encrypts it and forwards it on into the other tunnel. If a packet fails the check, it is routed to another destination according to the policies, or submitted for statistics collection, and DPI-SSH resets the connection.

Supported Clients/Servers and Connections

SSH is not a shell, but a secure channel that provides different services over this channel (tunnel), including shell, file transfer, or X11 forwarding.

DPI-SSH supports both route mode and Wire Mode. For Wire Mode, DPI-SSH is only supported in the secure (active DPI of inline traffic) mode. For route mode, there is no limitation.

SSH supports different client and server implementations, as listed in the Supported clients/servers table.

Supported clients/servers

DPI-SSH Client Supported        DPI-SSH Servers Supported
SSH client for Cygwin           SSH server on Fedora
Putty                           SSH server on Ubuntu
secureCRT
SSH on Ubuntu
SSH on CentOS
SFTP client on Cygwin
SCP on Cygwin
Winscp

DPI-SSH supports up to 250 connections.

Supported Key Exchange Algorithms

DPI-SSH supports these key exchange algorithms:

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
ecdh-sha2-nistp256

DPI-SSH supports DSA keys on the client side and RSA keys on the server side.
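Because DPI-SSH only offers the three key exchange algorithms above, a client whose own KEXINIT list has nothing in common with them cannot complete key exchange and the session fails. The following added example (not part of the guide or of SonicOS) applies the SSH-2 negotiation rule from RFC 4253 to constructed client preference lists so an administrator can predict which clients will or will not work through DPI-SSH:

```python
"""Simulate SSH-2 algorithm negotiation (RFC 4253, section 7.1) between a client
and a DPI-SSH proxy limited to the key exchange algorithms the guide lists."""

# Key exchange algorithms the guide lists for DPI-SSH (IANA spelling).
DPI_SSH_KEX = (
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "ecdh-sha2-nistp256",
)

def parse_name_list(text):
    """Parse an SSH name-list (comma-separated names, no whitespace) into a tuple."""
    return tuple(name for name in text.strip().split(",") if name)

def negotiate(client_prefs, server_prefs):
    """Apply the RFC 4253 rule: the chosen algorithm is the first one in the
    client's preference order that the server also supports. None means no
    common algorithm, i.e. the connection is dropped during key exchange."""
    offered = set(server_prefs)
    for alg in client_prefs:
        if alg in offered:
            return alg
    return None

def kex_through_dpi_ssh(client_kexinit):
    """Return the KEX algorithm a client offering client_kexinit would use
    through DPI-SSH, or None if inspection would break the session."""
    return negotiate(parse_name_list(client_kexinit), DPI_SSH_KEX)

# Constructed sample KEXINIT name-lists (not captured from real clients):
# a current OpenSSH-style default, a hardened client that disables SHA-1 and
# NIST curves, and a legacy client.
MODERN_CLIENT = ("curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
                 "ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha256,"
                 "diffie-hellman-group14-sha256")
HARDENED_CLIENT = "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512"
LEGACY_CLIENT = "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"

if __name__ == "__main__":
    for label, offer in (("modern", MODERN_CLIENT), ("hardened", HARDENED_CLIENT),
                         ("legacy", LEGACY_CLIENT)):
        chosen = kex_through_dpi_ssh(offer)
        print("{:9s} -> {}".format(label, chosen or "NO COMMON KEX (session fails)"))
```

The hardened client in the sample negotiates nothing, which is the failure mode to expect from clients whose administrators have removed SHA-1 and NIST-curve key exchange.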

Caveats

If there is already an SSH server key for the destination stored on the local machine, it must be deleted. For example, if you have previously connected to a server over SSH and its DSS host key is saved, the SSH session fails unless that DSS key is deleted from the local file.
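To see which saved entries this caveat affects for a given server, the following added example (not from the guide or from SonicOS) scans an OpenSSH-style known_hosts file and reports every entry, plain or hashed, that names that server; it assumes OpenSSH's file format, so it does not cover PuTTY, which stores host keys elsewhere:

```python
"""Locate known_hosts entries for a server that will no longer match once
DPI-SSH proxies the connection (the client then sees the proxy's key)."""
import base64
import hashlib
import hmac

def hashed_host_token(host, salt):
    """Build OpenSSH's hashed host form '|1|<b64 salt>|<b64 HMAC-SHA1(salt, host)>'."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_field_matches(field, target):
    """True if a known_hosts host field (plain name list or hashed form) names target."""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        expected = hmac.new(salt, target.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(parts[3]))
    return target in field.split(",")

def stale_entries(known_hosts_text, host, port=22):
    """Return (line_number, key_type) for every entry matching host:port."""
    target = host if port == 22 else "[{}]:{}".format(host, port)
    hits = []
    for lineno, raw in enumerate(known_hosts_text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        if host_field_matches(fields[0], target):
            hits.append((lineno, fields[1]))
    return hits

# Constructed sample file; the key material is a placeholder, not a real key.
_SALT = b"0123456789abcdef0123"  # constructed 20-byte salt
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "server.example.test,10.0.0.5 ssh-dss AAAAB3NzaC1kc3MAAACB...PLACEHOLDER",
    hashed_host_token("server.example.test", _SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...PLACEHOLDER",
    "[server.example.test]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...PLACEHOLDER",
    "other.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...PLACEHOLDER",
])

if __name__ == "__main__":
    for lineno, key_type in stale_entries(SAMPLE_KNOWN_HOSTS, "server.example.test"):
        print("line {}: {} entry must be removed".format(lineno, key_type))
```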

The ssh-keygen utility cannot be used to bypass the password.

Putty uses GSSAPI. This option is for SSH-2 only and provides stronger encrypted authentication. It stores a local token or secret on the client and on the server at the time of first communication. Because it exchanges messages and performs operations before DPI-SSH starts, DPI-SSH has no knowledge of what was exchanged, including the GSSAPI token. DPI-SSH fails with the GSSAPI option enabled.

On the client side, either the SSH 2.x or 1.x client can be used if DPI-SSH is enabled. Clients with different version numbers, however, cannot be used at the same time.

Gateway Anti-Spyware and Application Firewall inspections are not supported even if these options are selected in the DPI-SSH > Configure page.

Activating Your DPI-SSH License

DPI-SSH is fully licensed by default, but you need to activate your license. When you first select DPI-SSH > Configure, you receive the message: Upgrade Required.

If the upgrade isn’t required, skip to Configuring DPI-SSH.

To activate your license:

1. Click the link to Activate your SonicWall DPI-SSH License. The Licenses > License Management page displays.

2. Log into MySonicWall using your credentials. The Licenses > License Management page displays all services and indicates which ones are licensed.

3. Find Deep Packet Inspection for SSH (DPI-SSH).

4. Click Enable.

5. Select Continue. The status for Deep Packet Inspection for SSH (DPI-SSH) now shows Licensed.

Configuring DPI-SSH

Configuring Client DPI-SSH Inspection

You configure Client DPI-SSH inspection in the General Settings section of DPI-SSH > Configure.

To enable Client DPI-SSH inspection:

1. In the General Settings section, select the Enable SSH Inspection checkbox. This option is not selected by default.

2. Select one or more types of service inspections; none are selected by default:
   Intrusion Prevention
   Gateway Anti-Virus
   Gateway Anti-Spyware
   NOTE: Gateway Anti-Spyware service doesn’t work for DPI-SSH because TCP streams for Anti-Spyware are not supported. If the checkbox is checked the system takes no action.
   Application Firewall

3. Click Accept.

Customizing Client DPI-SSH Inspection

By default, when DPI-SSH is enabled, it applies to all traffic on the firewall. You can customize to which traffic DPI-SSH inspection applies in the Inclusion/Exclusion section.

To customize DPI-SSH client inspection:

1. Go to the Inclusion/Exclusion section of the DPI-SSH > Configure page.

2. From the Address Object/Group Exclude and Include drop-down menus, select an address object or group to exclude from or include in DPI-SSH inspection. By default, Exclude is set to None and Include is set to All.

3. From the Service Object/Group Exclude and Include drop-down menus, select a service object or group to exclude from or include in DPI-SSH inspection. By default, Exclude is set to None and Include is set to All.

4. From the User Object/Group Exclude and Include drop-down menus, select a user object or group to exclude from or include in DPI-SSH inspection. By default, Exclude is set to None and Include is set to All.

5. Click Accept.