"Implementing SSH" by Himanshu Dwivedi, published by John Wiley
and Sons in October 2003, is a tactical guide to installing,
implementing, optimizing, and supporting SSH in order to secure
your network.
Himanshu Dwivedi, Security Architect for @Stake, explains how
Secure Shell provides the core requirements for better network
security: authentication, authorization, encryption, integrity,
and auditing. He also lays out ways to optimize the protocol
for security and functionality on UNIX, Windows, and network
architecture environments. Dwivedi explores implementations
by VanDyke Software, SSH Communications, and OpenSSH.
Incorporating architectural examples and case studies, the book
focuses on acquiring the necessary skills to:
- Replace nonsecure protocols such as Telnet, Rlogin, and FTP.
- Use Secure Shell on network devices otherwise managed by Telnet.
- Explore remote access solutions, including the concept,
setup, and configuration of port forwarding.
- Take advantage of features such as secure e-mail, proxy,
and dynamic port forwarding.
- Employ Secure Shell as a lightweight alternative to VPNs.
- Use Secure Shell to secure Web browsing and as a secure
wireless (802.11) solution.
Recently we sat down with Himanshu Dwivedi to discuss why he
felt the book was needed and what he'd like to see improved in the
protocol and its implementations. Here is his perspective.
VanDyke: What prompted you to write a book about Secure Shell?

Dwivedi:
My primary purposes in writing the book were:
- The extensive flexibility, use, and security that SSH offers
(it can do everything securely!!!).
- The wide variety of solutions that SSH can offer, such as secure
remote access, secure management, secure email, secure
wireless, secure file access and secure web browsing -- all
with one single, easy-to-implement solution.
- The lack of usage knowledge -- both by users who are aware
of SSH but not its extensive use (it is not just secure
Telnet), and users who are not aware of it at all and could
benefit from its security and extensive functionality.

VanDyke: Do you consider Secure Shell a viable, software-only alternative to hardware-based VPNs?

Dwivedi:
Yes, most definitely. Even though SSH does not provide access to a remote virtual
network the way hardware-based IPSec solutions do, it can offer secure e-mail,
secure file transfer, secure web traffic (external and internal), and secure
Windows (SMB) and UNIX (NFS) file servers. Those services are basically all
you want to offer remote users anyway. Hardware-based VPNs usually allow
access to everything on the network, which may not be the best idea, especially
if the remote user has a virus or worm on their machine. The ease of use
of SSH, as well as its secure and very functional remote access capabilities,
make it a very easy and flexible solution to deploy.

VanDyke: The core drafts of the SSH2 protocol have been approved by the IETF working group and are being edited for RFC publication. What would you most like to see in the next version of the protocol?

Dwivedi:
Good question. There would be a couple of things. One would be stronger (better) support for UDP port forwarding. While UDP port forwarding is rarely needed, the ability to port forward DNS (UDP 53) would allow many organizations to provide secure end-to-end web browsing for SSH users. Also, while SSH is the superior remote access solution to work over NAT (Network Address Translation), it would be nice if some remote DHCP address functionality was built in to provide users of SSH more functionality in the services they could offer to SSH clients. Currently, in a NATed environment, there is no way to know what the local IP address of the machine making the connection is. If the protocol could query the machine and pass the actual IP address to the server during authentication, you'd gain another factor beyond the password, public key, or smart card.

VanDyke: We've been counseling customers to "turn off Telnet and FTP" for years.
Now the rapid growth of wireless PC connectivity has highlighted the security
issues of the 802.11 or WiFi standard. How applicable do you think Secure Shell
is as a means to secure WiFi traffic, in corporate, campus, home, and/or public
settings?

Dwivedi:
It depends on a variety of things, but setup and understanding are key. Setting up SSH for secure WiFi traffic at home or in a corporate setting can be done today with SSH, as I describe in Chapter 9. The most common argument against deploying SSH by many administrators, dealing with WiFi or not, is its setup and management requirements. Nevertheless, if an organization is aware of the flexibility of port forwarding, especially dynamic port forwarding, a single Secure Shell server can secure any WiFi connection on a corporate campus or even at home.
So, while the initial setup is not just "plug and play", once it has
been completed, the SSH-secured WiFi connection usually does not
need much in the way of ongoing
support. Furthermore, Secure Shell as a WiFi security solution is cheaper and
easier to set up than other VPN solutions, and does not require a major architectural
change in the network. This is a major advantage for many large organizations
that need to provide secure wireless without overhauling their network.
Implementing SSH: Strategies for Optimizing the Secure Shell,
Himanshu Dwivedi, New York: John Wiley & Sons. Paperback, 408 pp.
ISBN: 0-471-45880-5.
About the Author

HIMANSHU DWIVEDI is Managing Security Architect for @stake, the leading provider of digital security services. He is also a security training leader for the @stake Academy, and has published two books on storage security. His professional experience includes application programming, security consultancy, and secure product design with an emphasis on secure network architecture and server risk assessment.