For data infrastructure professionals who need a secure gateway for data transfer, but don’t need the complexity of OpenSSH, we at Dataddo have developed SSH Relay—an open-source solution focused exclusively on port forwarding (also known as an SSH tunnel or bastion server).
Hi. We are Dataddo—provider of an any-to-any data integration platform that connects cloud services, business apps, and data warehouses and lakes for organizations around the world, including Fortune 500 companies.
Most of the organizations that use our platform have—and adhere to—very strict data security requirements. In order to connect our platform to their database servers without exposing the servers to the Internet, many of them use OpenSSH (otherwise known as OpenBSD Secure Shell)—a suite of networking utilities that enable secure client-server connections.
OpenSSH is probably the safest and most battle-tested full SSH solution, but it’s very complex, so not every organization has the need or the means to implement and maintain it. By the same token, it can be a footgun if not properly configured.
SSH Relay is lighter-weight, easier to configure, and more secure than OpenSSH for port forwarding. And our clients are already using it!
This, in effect, lowers the barrier to the implementation of secure port forwarding.
Why Use Port Forwarding/SSH Tunnelling?
Though many modern database servers provide strong encryption and authorization capabilities, exposing them to the Internet involves several risks, including but not limited to:
- Software bugs that can be exploited by hackers.
- DDoS (distributed denial-of-service) attacks (i.e., when attackers disrupt a server by flooding it with Internet traffic).
- Old, unpatched versions of databases, which are easy to seize control of. (Many companies, especially larger corporations, are slow to migrate to the latest technologies.)
To mitigate these risks, organizations isolate their database servers in private networks. To enable access to those private networks from the outside (for example, when moving external data into a database), they use port forwarding through an SSH server.
The SSH server acts as a “castle guard” that lets trusted visitors in via a hidden tunnel.
Currently, the most powerful SSH server for port forwarding is OpenSSH. But even OpenSSH has its risks.
The Risks of OpenSSH
Widely used and trusted, OpenSSH is a full-featured SSH server with a broad range of functions—from remote shell access to file transfers. This complexity, while powerful, opens up more potential attack vectors.
One of the main risks of OpenSSH is that it provides a remote shell, and a remotely reachable shell is a prime target for attackers.
It’s also very complex, making configuration easy to mess up. A misconfigured OpenSSH server can create a wide range of vulnerabilities.
Many critical vulnerabilities of OpenSSH have been documented over the years, including CVE-2024-6409, RegreSSHion (CVE-2024-6387), Terrapin Attack (CVE-2023-48795), and Heartbleed (CVE-2014-0160).
Recently, OpenSSH was targeted by Chinese cyberspies and, since March of 2024, various OpenSSH server attacks involving the XZ Utils backdoor have been reported.
Clearly, the power of OpenSSH comes at a cost.
Why Use SSH Relay for Port Forwarding?
If all you need is a secure tunnel to a database server, OpenSSH is an unnecessarily robust solution with a wide attack surface.
Dataddo’s SSH Relay solves this problem by enabling more secure port forwarding for a fraction of the maintenance burden. In contrast to OpenSSH, it does not involve remote shell access, remote commands, SSH agents for holding keys and certificates, or SFTP (SSH File Transfer Protocol). Just port forwarding.
It’s easy to set up, and it’s only 360 lines of code, which limits the chances of logical errors. It’s also written in Go, which, unlike C or C++, is considered a safe programming language by the United States National Security Agency. This is because Go is memory safe, even when the code is badly written.
Additionally, since SSH Relay is just an SSH protocol implementation and not a fully customizable TCP forwarding tool, it works with the OpenSSH client or any other SSH client.
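What confines such a gateway to port forwarding is its channel policy. The example below is written for this article and is not SSH Relay’s own source: it decodes the direct-tcpip channel request an SSH client sends when it opens a tunnel (RFC 4254 section 7.2) and refuses every other channel type (session, x11 and so on) as well as any destination that is not on an allowlist. The names ForwardRequest, ParseDirectTCPIP and Allow, and the "host:port" allowlist shape, are this example’s own assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

var errMalformed = fmt.Errorf("malformed direct-tcpip payload")

// ForwardRequest is the payload of an SSH "direct-tcpip" channel open (RFC 4254
// section 7.2): the destination to dial plus the originator the client reports.
type ForwardRequest struct {
	DestHost, OriginHost string
	DestPort, OriginPort uint32
}

// readString consumes one SSH "string" (uint32 big-endian length + bytes).
func readString(b []byte) (string, []byte, error) {
	if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b)) {
		return "", nil, errMalformed
	}
	n := binary.BigEndian.Uint32(b)
	return string(b[4 : 4+n]), b[4+n:], nil
}

// ParseDirectTCPIP decodes host, port, originator host and originator port,
// refusing truncated payloads and trailing bytes (hypothetical helper name).
func ParseDirectTCPIP(p []byte) (r ForwardRequest, err error) {
	if r.DestHost, p, err = readString(p); err != nil || len(p) < 4 {
		return r, errMalformed
	}
	r.DestPort, p = binary.BigEndian.Uint32(p), p[4:]
	if r.OriginHost, p, err = readString(p); err != nil || len(p) != 4 {
		return r, errMalformed
	}
	r.OriginPort = binary.BigEndian.Uint32(p)
	return r, nil
}

// Allow is the gateway policy: only direct-tcpip to an allowlisted "host:port" is
// accepted; "session" (shell, exec, sftp), "x11" and any other type is refused.
func Allow(chanType string, payload []byte, allowed map[string]bool) (r ForwardRequest, err error) {
	if chanType != "direct-tcpip" {
		return r, fmt.Errorf("channel type %q refused", chanType)
	}
	if r, err = ParseDirectTCPIP(payload); err != nil {
		return r, err
	}
	if dest := net.JoinHostPort(r.DestHost, fmt.Sprint(r.DestPort)); !allowed[dest] {
		return r, fmt.Errorf("destination %s not allowlisted", dest)
	}
	return r, nil
}
```

A real server would call Allow from its channel-open handler and only then dial the destination on the client’s behalf; everything that OpenSSH additionally offers (shell, exec, agent, SFTP) never gets a channel.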
Dataddo’s customers are already using SSH Relay as a partial, yet more secure replacement for OpenSSH. This is proof that SSH Relay lowers the barrier to implementation of port forwarding.
SSH Relay: Only a Part of Our Mission to Move Data Securely
SSH Relay is just one step in our broader mission to help businesses move and integrate their data to the highest standards of security.
Our platform has tried-and-tested privacy guardrails built in (like robust encryption and sensitive data detection), and we regularly undergo independent, external verification to ensure platform security and compliance with the most stringent international frameworks for client data management (like SOC 2).
We are SOC 2 Type II certified and compliant with all major data privacy laws around the globe, including ISO 27001, GDPR and DORA for Europe, CCPA and HIPAA in the US, LGPD for Brazil, and POPIA for South Africa.
Dataddo supports ETL, ELT, reverse ETL, database replication, and direct connection of cloud apps with BI tools, in both cloud and hybrid environments. All functionality can be deployed headlessly.
We like to give back to the data community with open-source tools like SSH Relay. Most recently, we released PGQ—a reliable queueing tool built on Postgres, which is designed to handle long-running jobs. This, too, is a core part of the Dataddo platform!