
"Implementing SSH" by Himanshu Dwivedi, published by John Wiley and Sons in October 2003, is a tactical guide to installing, implementing, optimizing, and supporting SSH in order to secure your network.

Himanshu Dwivedi, Security Architect for @Stake, explains how Secure Shell provides the core requirements for better network security: authentication, authorization, encryption, integrity, and auditing. He also lays out ways to optimize the protocol for security and functionality on UNIX, Windows, and network architecture environments. Dwivedi explores implementations by VanDyke Software, SSH Communications, and OpenSSH.

Incorporating architectural examples and case studies, the book focuses on acquiring the necessary skills to:

  • Replace nonsecure protocols such as Telnet, rlogin, and FTP.
  • Use Secure Shell on network devices otherwise managed by Telnet.
  • Explore remote access solutions, including the concept, setup, and configuration of port forwarding.
  • Take advantage of features such as secure email, proxy, and dynamic port forwarding.
  • Employ Secure Shell as a lightweight alternative to VPNs.
  • Use Secure Shell to secure Web browsing and as a secure wireless (802.11) solution.

Recently we sat down with Himanshu Dwivedi to discuss why he felt the book was needed and what he'd like to see improved in the protocol and its implementations. Here is his perspective.

VanDyke:

What prompted you to write a book about Secure Shell?

Dwivedi:

My primary purposes in writing the book were:

  • The extensive flexibility, use, and security that SSH offers (it can do everything securely!!!).
  • The wide variety of solutions that SSH can offer, such as secure remote access, secure management, secure email, secure wireless, secure file access and secure web browsing -- all with one single, easy-to-implement solution.
  • The lack of usage knowledge -- both by users who are aware of SSH but not its extensive use (it is not just secure Telnet), and users who are not aware of it at all and could benefit from its security and extensive functionality.

VanDyke:

Do you consider Secure Shell a viable, software-only alternative to hardware-based VPNs?

Dwivedi:

Yes, most definitely. Even though SSH does not provide access to a remote virtual network the way hardware-based IPSec solutions do, it can offer secure email, secure file transfer, secure web traffic (external and internal), and secure Windows (SMB) and UNIX (NFS) file servers. Those services are basically all you want to offer remote users anyway. Hardware-based VPNs usually allow access to everything on the network, which may not be the best idea, especially if the remote user has a virus or worm on their machine. The ease of use of SSH, as well as its secure and very functional remote access capabilities, make it a very easy and flexible solution to deploy.

VanDyke:

The core drafts of the SSH2 protocol have been approved by the IETF working group and are being edited for RFC publication. What would you most like to see in the next version of the protocol?

Dwivedi:

Good question. There would be a couple things. One would be stronger (better) support for UDP port forwarding. While UDP port forwarding is rarely needed, the ability to port forward DNS (UDP 53) would allow many organizations to provide secure end-to-end web browsing for SSH users. Also, while SSH is the superior remote access solution to work over NAT (Network Address Translation), it would be nice if some remote DHCP address functionality was built in to provide users of SSH more functionality of the services they could offer to SSH clients. Currently, in a NATed environment, there is no way to know what the local IP address of the machine making the connection is. If the protocol could query the machine and pass the actual IP address to the server during authentication, you'd gain another factor beyond the password, public key, or smart card.

VanDyke:

We've been counseling customers to "turn off Telnet and FTP" for years. Now the rapid growth of wireless PC connectivity has highlighted the security issues of the 802.11 or WiFi standard. How applicable do you think Secure Shell is as a means to secure WiFi traffic, in corporate, campus, home, and/or public settings?

Dwivedi:

It depends on a variety of things, but setup and understanding are key. Setting up SSH for secure WiFi traffic at home or in a corporate setting can be done today with SSH, as I describe in Chapter 9. The most common argument against deploying SSH by many administrators, dealing with WiFi or not, is its setup and management requirements. Nevertheless, if an organization is aware of the flexibility of port forwarding, especially dynamic port forwarding, a single Secure Shell server can secure any WiFi connection on a corporate campus or even at home.

So, while the initial setup is not just "plug and play", once it has been completed, the SSH-secured WiFi connection usually does not need much in the way of ongoing support. Furthermore, Secure Shell as a WiFi security solution is cheaper and easier to set up than other VPN solutions, and does not require a major architectural change in the network. This is a major advantage for many large organizations that need to provide secure wireless without overhauling their network.
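The interview keeps returning to two practical steps: retire the cleartext services (Telnet, FTP) that SSH replaces, and use port forwarding, especially dynamic forwarding, to carry everything else. The script below is an added example written for this page; it is not code from the book, from VanDyke, or from the interview. It audits an `ss -Hltun` style listing of listening sockets (the sample lines are constructed here), flags the legacy services, prints the OpenSSH equivalent for each, and notes that UDP listeners such as DNS cannot be carried by `-L`/`-D` forwarding, the limitation Dwivedi raises above. `user@host`, `user@gateway` and the local SOCKS port 1080 are placeholders.

```shell
#!/bin/sh
# Added example, not from the book or the interview: audit listening sockets
# for the cleartext services SSH replaces and print the SSH equivalent.
# Input format is `ss -Hltun` style; the sample listing is constructed.
# "user@host" and "user@gateway" are placeholders for a real SSH server.

# Constructed sample (Netid State Recv-Q Send-Q Local-Address Peer-Address).
SAMPLE_LISTENERS='tcp LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*'

# classify_port PROTO PORT: print one verdict line for a single listener.
classify_port() {
  case "$1:$2" in
    tcp:23) echo "replace: telnet tcp/23 -> ssh user@host" ;;
    tcp:21) echo "replace: ftp tcp/21 -> sftp user@host" ;;
    tcp:22) echo "ok: sshd tcp/22" ;;
    # Any other TCP service can be reached through a local forward.
    tcp:*)  echo "forwardable: tcp/$2 -> ssh -N -L $2:localhost:$2 user@host" ;;
    # OpenSSH -L and -D forwards carry TCP only; UDP (e.g. DNS) is not tunnelled.
    udp:*)  echo "not-forwardable: udp/$2 (OpenSSH -L and -D carry TCP only)" ;;
    *)      echo "unknown: $1/$2" ;;
  esac
}

# audit_listeners: read ss-style lines on stdin, print one verdict per line.
audit_listeners() {
  while read -r netid state recvq sendq laddr peer; do
    [ -n "$netid" ] || continue
    classify_port "$netid" "${laddr##*:}"   # port is the text after the last ':'
  done
}

# count_cleartext: number of legacy cleartext listeners in the sample.
count_cleartext() {
  printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners | grep -c '^replace:'
}

# wifi_proxy_cmd: dynamic (SOCKS) forward that tunnels browser traffic from an
# untrusted WiFi segment through one SSH gateway; the browser is then pointed
# at SOCKS proxy localhost:1080.
wifi_proxy_cmd() {
  echo "ssh -N -D 1080 user@gateway"
}

printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners
echo "cleartext listeners to replace: $(count_cleartext)"
echo "WiFi browsing via SSH: $(wifi_proxy_cmd)"
```

On a real host, replace the constructed sample with `ss -Hltun | audit_listeners`; the verdict lines give the order of work (retire 23 and 21 first, then decide which remaining TCP services remote users actually need and expose only those through forwards).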


Implementing SSH : Strategies for Optimizing the Secure Shell,
Himanshu Dwivedi, New York: John Wiley & Sons. Paperback 408p.
ISBN: 0-471-45880-5.

About the Author
HIMANSHU DWIVEDI is Managing Security Architect for @stake, the leading provider of digital security services. He is also a security training leader for the @stake Academy, and has published two books on storage security. His professional experience includes application programming, security consultancy, and secure product design with an emphasis on secure network architecture and server risk assessment.