Preventing outbound SSH connections, and thus any tunnels, would require a complete blockade of outbound connections via deep packet inspection. Looking at ports will be 100% useless. You have to look at the actual packet payload to know it's SSH. (This is what Websense is doing.)
The only other option is setting up a "proxy" host. Lock down the configuration so the SSH client and server will not allow tunneling, then allow only that machine to make outbound SSH connections -- of course, this includes securing the system as well, otherwise people can run whatever SSH software they want.
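As an added example (not code from the original answer), a payload-based check of the kind the answer describes: it parses the RFC 4253 identification string from the first bytes each side sends and labels a flow as SSH by content rather than by port. The sample flows are constructed here, not captured traffic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 4.2: the identification string is
#   SSH-protoversion-softwareversion [SP comments] CR LF, at most 255 bytes.
# The RFC forbids "-" inside softwareversion, but shipping implementations
# (e.g. "SSH-2.0-Cisco-1.25") use it, so the pattern is lenient there.
SSH_IDENT = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x7e]+)(?: ([\x20-\x7e]*))?$")

@dataclass(frozen=True)
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]

def parse_ssh_ident(payload: bytes, from_server: bool) -> Optional[SshIdent]:
    """Parse the SSH identification string from the first bytes a peer sent.
    A server MAY send text lines before its identification string (a client
    MUST NOT), so server data is scanned line by line. Bare LF is tolerated
    for old peers; only complete lines are examined."""
    for raw in payload.split(b"\n")[:-1]:
        if len(raw) + 1 > 255:  # longer than RFC 4253 allows, CR LF included
            return None
        line = raw.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            m = SSH_IDENT.match(line)
            if not m:
                return None
            return SshIdent(m[1].decode(), m[2].decode(),
                            m[3].decode() if m[3] is not None else None)
        if not from_server:
            return None  # client data must begin with the ident string
    return None

def classify_flow(dst_port: int, client_first: bytes, server_first: bytes) -> str:
    """Label a TCP flow from its first payload bytes, not from its port."""
    c = parse_ssh_ident(client_first, from_server=False)
    s = parse_ssh_ident(server_first, from_server=True)
    if c is None and s is None:
        return "other"
    return "ssh" if dst_port == 22 else "ssh-nonstandard-port"

# Constructed sample flows: (dst_port, client first bytes, server first bytes).
SAMPLE_FLOWS = [
    (443, b"SSH-2.0-OpenSSH_9.6\r\n", b"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n"),
    (2222, b"SSH-2.0-paramiko_3.4.0\r\n", b"Authorized use only\r\nSSH-2.0-dropbear_2022.83\r\n"),
    (22, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03", b""),  # TLS ClientHello on 22
    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\n"),
]

def audit(flows=SAMPLE_FLOWS) -> list[tuple[int, str]]:
    return [(port, classify_flow(port, c, s)) for port, c, s in flows]
```

Running `audit()` over the constructed flows flags the two SSH sessions on 443 and 2222 and leaves the TLS-on-22 and HTTP flows alone.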
I had this problem but after trial/error finally fixed it. Before I start, let me just say that SonicWall documentation and support have gotten so much worse since the acquisition by Dell that I am moving away from SonicWall to almost any other solution (hi Cisco + PAN) when our support contract is up.
So I followed the rev B document 'Configuring SonicOS for Amazon VPC' also. I configured it with dynamic tunnels with BGP (just because) and it came up. Not that the config document helped, because the CLI commands don't match the reality of SonicWall firmware 5.9 on an NSA3500.
After getting the tunnels up and running and the BGP routes advertised, I could not route traffic from our LAN (192.168.0.0/16) to the subnet of our VPC on Amazon (10.23.0.0/16). I was convinced it was firewall rules until I took another look at the SonicWall routing table.
Basically, I had to create in the GUI rules that should have been declared in the BGP CLI config and were not mentioned at all in the rev B config doc.
The rules I created were:
source: any
destination: Amazon VPC subnet 10.23.0.0/16
service: any
TOS: any
gateway: 0.0.0.0
interface: ti2
I did another rule exactly the same for the ti3 tunnel interface.
Suddenly I was able to SSH into the EC2 instances instead of just being able to ping them.
I'm so upset with SonicWall / Dell.
Hope this helps somebody. Conversely, if there are any thoughts on how to improve this I'm all ears.
Best Answer
Some tunneling technologies provide Ethernet over IP services. For instance, research about these topics: