SSH Tectia

Transparent TCP Tunneling

The transparent TCP tunneling feature captures the TCP traffic of hosts defined in the SSH Tectia configuration and uses encrypted tunnels for sending the data. No changes are required to the configuration of the application software.

The transparent TCP tunneling is activated in the Connection Broker configuration, where you can also specify the applications to be tunneled and define filter rules that control the setting up of the tunnels in detail. Once activated, the transparent TCP tunneling feature automatically captures the defined applications and the Connection Broker creates Secure Shell tunnels to the defined servers, that can be SSH Tectia Servers, SSH Tectia Server for IBM z/OS, or any SSH2-capable Secure Shell servers.

For information on the configuration settings in the XML file, see the section called “The filter-engine Element”, and for settings in the Windows GUI, see Defining Transparent Tunnels.

When a global configuration file exists, (for example when SSH Tectia ConnectSecure is controlled by SSH Tectia Manager,) and it includes the filter-engine element, those settings are applied. The global configuration file is located in /etc/ssh2/ssh-broker-config.xml on Unix, and "C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Broker\ssh-broker-config.xml" on Windows.

Example on Tunneling Telnet Connections (Unix)

This example shows how transparent TCP tunneling can be used to secure Telnet connections between a corporate network and external servers over the Internet.

In the example use case, the users have Unix hosts with Telnet applications. Since Telnet includes no internal security measures, SSH Tectia ConnectSecure is also installed on each host to provide security. The users make Telnet connections to port 23 (the dedicated Telnet port) to application servers outside the company. The destination hosts are required to have Secure Shell servers running on them, either SSH Tectia Server or some other standard-compliant server.

Transparent TCP tunnel securing Telnet connections

Figure 7.2. Transparent TCP tunnel securing Telnet connections

The host keys of the destination hosts need to be saved as known host keys on the local hosts before using the transparent TCP tunnels. To fetch and save the host keys, connect once to each of the destination hosts using command sshg3 and choose save in the host key dialog.

Also, the user public keys need to be delivered to the Secure Shell servers. On Unix, the ssh-capture process cannot always extract the password prompt from the application, so the Secure Shell connections need to be established non-interactively. For this reason, the users should use, for example, public keys without passphrases.

The transparent TCP tunnels are defined in the SSH Tectia ConnectSecure configuration to tunnel all traffic going to port 23. SSH Tectia ConnectSecure can use the destination host name directly from the connection-originating application, so it is not necessary to create a separate connection profile for each destination host. The transparent TCP tunneling configuration is made in a single filter rule set in the Connection Broker configuration file ssh-broker-config.xml:

<filter-engine>
  . . .
  <rule host=".*"
        ports="23"
        action="TUNNEL"
        hostname-from-app="YES"
        fallback-to-plain="NO" />
</filter-engine>

For detailed description of the configuration elements, see the section called “The filter-engine Element”.

To activate the transparent TCP tunneling, restart the Connection Broker or make it re-read its configuration by using command:

$ ssh-broker-ctl reload

To start tunneling the Telnet connections made to port 23, run command:

$ ssh-capture telnet some-server.example.com

You can also start a bash shell session with connection capturing enabled for all commands. Run command:

$ ssh-capture bash

With the transparent TCP tunneling active, all Telnet connections from the Unix client hosts to the remote servers will be securely tunneled. The client host applications require no modifications, so the users can keep working with the existing tools as before.

Note that there are limitations on capturing suid applications. For more information, see the Note about capture restrictions.

Example on Tunneling E-mail Service (Windows)

This section gives an example of configuring encrypted tunnels for an e-mail service on Windows. Transparent TCP tunneling is used for establishing tunnels that can be utilized as a secure transport between an e-mail client and an e-mail server communicating over the Internet.

This scenario describes a typical configuration for remote users for accessing the company's internal e-mail services transparently. In the test scenario, access from the client's private network to the Internet traverses through a SOCKS4 server, and the client-side has SSH Tectia ConnectSecure installed. Access to the company's internal network, including the e-mail services, goes via a gateway host which has SSH Tectia Server running.

Transparent TCP tunneling securing e-mail connections

Figure 7.3. Transparent TCP tunneling securing e-mail connections

Before e-mail delivery, SSH Tectia ConnectSecure automatically creates a transparent TCP tunnel between the client host and the SSH Tectia Server gateway for SMTP/IMAP/POP protocols. The encrypted tunnel ends at the gateway, and from there onwards the e-mail traffic is transmitted unencrypted in the company's internal network.

To create the configuration using the SSH Tectia Configuration tool, do the following:

  1. On the Connection Profiles page, click Add profile to add a new connection profile for the gateway server host. Enter the profile name and click OK. In the example, the profile is named paper.

    Select the created profile from the Connection Profiles list, and specify the connection details in the following view.

    Configuring connection profiles

    Figure 7.4. Configuring connection profiles

    By default, the profile name is assumed to be the host name of the destination server, but here we link the profile name to a server called host1234. Click Apply when the settings are ready.

  2. On the Transparent Tunnels → Connection Capture page, select the Enable transparent tunneling at startup check box.

    Defining the connection capture settings

    Figure 7.5. Defining the connection capture settings

  3. On the Transparent Tunnels → Filter Rules page, click Add to add the filter rules which define the applications and ports to be captured and tunneled. In this example, only TCP ports related to e-mail delivery (IMAP, POP, SMTP) are forwarded to the gateway server through profile paper.

    Adding filter rules for email services

    Figure 7.6. Adding filter rules for email services

    Under Action, it is possible to select how the destination host is defined; either the host defined in the connection profile is used, or the host definition is received from the application. Now that we have a gateway server in this example, we will use the hostname defined in the profile, and the Use host name from the application is left unselected. In case we had a Secure Shell server running on each destination server, we could use the host names from the application.

  4. The created rules are listed in the Filter Rules view. You can return to editing a selected rule by clicking Edit, and you can arrange the order of the rules with the up and down arrows. Place the most specific rules first. In this example, the order is not significant.

    Defining filter rules

    Figure 7.7. Defining filter rules

Once transparent TCP tunneling has been activated, it captures the e-mail traffic to the hosts defined in the SSH Tectia configuration and uses encrypted tunnels for sending the data. No changes are required to the configuration of the e-mail application.

When the tunnel is opened, the user is prompted to authenticate to the gateway server. Setting up public-key authentication to the server is recommended. For instructions, see Managing Keys and Certificates.