SSH Proxy Sessions Tunnels
What is an SSH tunnel
An SSH tunnel, also known as SSH port forwarding, is a method of creating a secure, encrypted connection through an SSH server to transport network traffic that might otherwise be unencrypted or inaccessible. It essentially allows you to forward traffic from a local port on your machine to a port on a remote server, securely encapsulated within the SSH connection.
The 12Port platform adds another layer of security to SSH tunnels by introducing role-based access, multi-layer workflow request approval and MFA-based confirmation of end-user identity, and by enforcing zero trust access for the users establishing the tunnels.
Why use SSH tunnels
Below are some typical applications of SSH tunnels.
- Provide access to web portals reachable from the asset endpoint but not from the local client device. For example, give an outside administrator external to the corporate firewall access to the configuration web portal of a network router or a medical device.
- Provide access to databases reachable from the asset endpoint but not from the local client device, without providing access to other networks or even to other services on the destination. For example, give an outside database developer access to the data in an internal database for a specific period of time.
How to use a zero trust tunnel
Establishing a tunnel
To build a tunnel, use the following command:
ssh -N 12port-user#asset@12port.company.com -p ssh-proxy-port -L local-port:destination-host:destination-port
Where
- -N is an optional flag indicating that the tunnel should not open an interactive shell. Without this flag the tunnel will also keep an interactive shell open to the destination asset endpoint.
- 12port-user is the 12Port tenant user with the appropriate permissions to the asset, an access profile with Native SSH access enabled, and an approved request to access the asset. The user might be prompted for an MFA code if MFA is enabled using the configured provider. See the options to provide the MFA code on the command line; otherwise, the 12Port SSH Server will prompt for MFA.
- asset - the tenant asset name or ID. The 12Port server brokers access to the asset endpoint, which forwards the client traffic to the destination.
- 12port.company.com - the 12Port SSH Proxy server.
- ssh-proxy-port - the 12Port SSH Proxy port.
- local-port - the port on the local client computer from which the network traffic is forwarded.
- destination-host - the destination host for the forwarded traffic. The host should be reachable from the asset endpoint.
- destination-port - the destination port on the destination host.
After establishing the tunnel, an application running on the local client computer can connect to local-port on the local computer with the same effect as connecting to destination-port on destination-host, even though that host is not reachable from the local device. The zero trust tunnel allows system owners to provide peer-to-peer access to a destination service in an isolated network by granting the user role-based permissions and request approval for the port forwarding asset.
Below is an example of the command that establishes an SSH tunnel without the interactive shell, using user baker and asset hermit-terminal through the SSH Proxy server pam.12port.com running on port 2200, tunneling local port 8443 to destination port 6443 on the IP address 192.168.4.82.
ssh -N baker#hermit-terminal@pam.12port.com -p 2200 -L 1521:192.168.4.82:1521
After establishing the tunnel, a user can use the Oracle SQL Developer application to connect to the Oracle RDBMS on the host with IP address 192.168.4.82 by using localhost:1521 in the Oracle SQL Developer connection string.
Establishing a SOCKS5 proxy for the browser
To build a SOCKS5 tunnel for the web browser, use the following command:
ssh -D socks-port 12port-user#asset@12port.company.com -p ssh-proxy-port
Where
- socks-port - the port that this command opens on the local device; the browser sends its network traffic to this port for forwarding.
- 12port-user is the 12Port tenant user with the appropriate permissions to the asset, an access profile with Native SSH access enabled, and an approved request to access the asset. The user might be prompted for an MFA code if MFA is enabled using the configured provider. See the options to provide the MFA code on the command line; otherwise, the 12Port SSH Server will prompt for MFA.
- asset - the tenant asset name or ID. The 12Port server brokers access to the asset endpoint, which forwards the client traffic to the destination.
- 12port.company.com - the 12Port SSH Proxy server.
- ssh-proxy-port - the 12Port SSH Proxy port.
After establishing the tunnel, configure the browser on the local device to connect through a SOCKS5 proxy on localhost port socks-port. With this configuration in place, the browser's connections originate from the asset endpoint. The zero trust tunnel allows system owners to give users access to web portals reachable from the asset endpoint but not from the local device by granting the user role-based permissions and request approval for the port forwarding asset.
Below is an example of the command that establishes a SOCKS5 tunnel on port 8443 using user baker and asset hermit-terminal through the SSH Proxy server pam.12port.com running on port 2200.
ssh -D 8443 baker#hermit-terminal@pam.12port.com -p 2200
Session reporting
The 12Port session report provides visibility into when the connection was established and which user established the tunnel.
Tunnel sessions include the SSHP:Tunnel keyword in the Channel field. The channel also includes the final forward destination of the tunnel, as in the following example: SSHP:Tunnel (detectportal.firefox.com:80).
SSH Tunnel Restrictions
Without any additional fields added to the asset, the SSH Proxy allows users to build tunnels to any destination IP address and any destination port. To limit the destinations to which a user can build tunnels, use either or both of the following fields, created on the asset type and defined in the asset configuration:
- Tunnel Host is a string field that may contain a space-separated list of IP addresses or subnetworks restricting the destination hosts served by the SSH Tunnel. For example, the value 192.168.1.0/24 192.168.4.109 in the Tunnel Host field restricts tunnel connections to either any host in the 192.168.1.0/24 subnet or the host with IP address 192.168.4.109.
- Tunnel Port is a string field that may contain a space-separated list of ports restricting the destination ports served by the SSH Tunnel. For example, the value 3389 443 in the Tunnel Port field restricts tunnel connections to either port 3389 or port 443.
The image below gives an example of an SSH tunnel restriction that allows building tunnels only to the 192.168.1.109:3389 destination.
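As an added illustration (not 12Port's own code), the following Python models the Tunnel Host and Tunnel Port semantics described above (each field is a space-separated any-of list, and an empty field means no restriction on that dimension) and applies them to session-report Channel entries of the SSHP:Tunnel (host:port) form shown in the Session reporting section, so an auditor can flag recorded tunnel destinations that fall outside an asset's restriction. The sample report rows are constructed, the row field names (user, channel) are assumptions rather than 12Port's schema, and treating a hostname that cannot be matched against an IP-based list as not allowed is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass

# Channel field form shown in the Session reporting section, e.g.
# "SSHP:Tunnel (detectportal.firefox.com:80)". Assumes an IPv4 address or
# hostname followed by ":port" (an IPv6 literal would need different parsing).
CHANNEL_RE = re.compile(r"^SSHP:Tunnel \((?P<host>[^():\s]+):(?P<port>\d{1,5})\)$")


def parse_tunnel_channel(channel: str):
    """Return (host, port) for a tunnel Channel value, or None for any other channel."""
    m = CHANNEL_RE.match(channel.strip())
    if m is None:
        return None
    return m.group("host"), int(m.group("port"))


@dataclass(frozen=True)
class TunnelRestriction:
    """Tunnel Host / Tunnel Port semantics: any-of lists; an empty field restricts nothing."""
    hosts: tuple      # ipaddress network objects; () = no host restriction
    ports: frozenset  # allowed destination ports; empty = no port restriction

    @classmethod
    def from_asset_fields(cls, tunnel_host: str = "", tunnel_port: str = ""):
        # strict=False lets a bare address such as 192.168.4.109 become a /32 network
        nets = tuple(ipaddress.ip_network(tok, strict=False) for tok in tunnel_host.split())
        ports = frozenset(int(tok) for tok in tunnel_port.split())
        bad = [p for p in ports if not 0 < p <= 65535]
        if bad:
            raise ValueError(f"invalid port(s) in Tunnel Port field: {bad}")
        return cls(nets, ports)

    def host_allowed(self, host: str) -> bool:
        if not self.hosts:
            return True
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # Assumption: a hostname cannot be matched against an IP/subnet list
            # without name resolution, so it is treated as not allowed (fail closed).
            return False
        return any(addr in net for net in self.hosts)

    def port_allowed(self, port: int) -> bool:
        return not self.ports or port in self.ports

    def allows(self, host: str, port: int) -> bool:
        return self.host_allowed(host) and self.port_allowed(port)


def audit_sessions(rows, restriction: TunnelRestriction):
    """Return (user, host, port, allowed) per tunnel session row; non-tunnel rows are skipped."""
    findings = []
    for row in rows:
        parsed = parse_tunnel_channel(row.get("channel", ""))
        if parsed is None:
            continue
        host, port = parsed
        findings.append((row["user"], host, port, restriction.allows(host, port)))
    return findings


# Constructed sample session-report rows (field names are assumptions, not 12Port's schema).
SAMPLE_REPORT = [
    {"user": "baker", "channel": "SSHP:Tunnel (192.168.1.109:3389)"},
    {"user": "baker", "channel": "SSHP:Tunnel (192.168.4.82:1521)"},
    {"user": "baker", "channel": "SSHP:Tunnel (detectportal.firefox.com:80)"},
    {"user": "baker", "channel": "placeholder-non-tunnel-channel"},
]

if __name__ == "__main__":
    restriction = TunnelRestriction.from_asset_fields("192.168.1.0/24 192.168.4.109", "3389 443")
    for user, host, port, ok in audit_sessions(SAMPLE_REPORT, restriction):
        print(f"{user} -> {host}:{port}: {'allowed' if ok else 'OUTSIDE RESTRICTION'}")
```

Run against the constructed rows with the page's example field values, the first row is allowed, the 192.168.4.82:1521 row falls outside the host list, and the hostname row is reported as not allowed because it cannot be matched against an IP-based list.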
