Also opening up SSH directly to EVERY client on the entire corporate network is one of the most stupidest ideas I’ve heard. SSH is not safe, there have been multiple zero-day vulnerabilities in SSH
Opening up any other (additional) port/protocol/service to handle it is equally unsafe as @robin.gierse mentioned.
What i meant (seeing your response that was not clear) is that opening up an additional port for monitoring purposes will create a potential additional attack-vector, with it’s own issues.
In my opinion SSH is a well-known protocol, meaning if flaws/exploits are found they are also quickly detected, and a solution is found/made.
For other ports/communication methods i am not that sure in how quick they are solved after being detected (as in 0-day’s)
Yes, i do understand that some equipment can not be monitored over SSH, as they just dont have that functionality, then the question is how much impact does it have to enable the monitoring regarding introducing new attack-vectors to an environment compared to the conveinience of having it monitored, just because you want to.
Additional motivations will be how ‘mission-critical’ it is to monitor those components compared to opening up a/the port/service on the firewall.
=> these are questions that need to be answered by a security-department and the stakeholder who wants this to be monitored.
To conclude, i do support the suggestion of @Marius_Pana2 to setup distributed monitoring for such cases.