Re: [fw-wiz] Issues opening firewall for SSH/SecureFTP?

From: Victor Williams
Date: 08/13/04

    To: Chris Conacher
    Date: Thu, 12 Aug 2004 18:54:27 -0500

    On the contrary. In some organizations, people must have different
    access to different resources, if they work there or not. What better
    medium to control where people go network-wise other than a VPN solution
    with some very restrictive access controls? Couple that with a very
    restrictive network access policy, and I believe you have a better
    solution than straight SSH/SFTP.


    Because I'm anal, I not only make outside contractors VPN into the
    network(s) I admin, but I then make them SSH/SFTP to the bastion host in
    question. I do this for the external company who maintains our web
    content. They have to VPN in (once they are in, the access list says
    they can only get to the webserver), they then SSH/SFTP whatever they
    need to do on the webserver itself in a jail basically...they can't get
    out of the directory the staged web content is in.

    If you're going to implement SFTP using the OpenSSH engine, you need to
    make the user's shell /some/location/sftp-server. Otherwise, they will
    have interactive shell access to your machine.

    In my opinion, the VPN works smoother--if it's already in place and
    allows you to do granular access lists based not only on network info,
    but also who you are when you log in. For us, it's already in the list
    of things the organization has to admin; why introduce another resource
    to maintain?

    The only other thing I would consider is what your risk is in implementing
    SSH vs VPN. For us, the chances are much lower that someone outside the
    organization could get all the info they need to even get a VPN
    connection to the network, let alone actually gain access to anything.
    With SSH, you open an SSH or SFTP session and you're there...0 effort.
    Now that we're there, how do we compromise this and make it work for us?
    I just think it's a bit more difficult to do with a properly
    configured VPN solution.

    Bastion host or not, if there's data/info on it that prying eyes should
    not see, it shouldn't be directly on the internet.

    > I am currently trying to move an organization's current solution of VPN
    > for external contractors performing file transfer, to SecureFTP.

    > My belief has always been that SecureFTP is the appropriate solution for
    > secure file transfer and the aim should always be to avoid giving remote
    > access to internal networks [especially non-employee] where it is not
    > specifically required.

    > My question is are there any other issues that I should be aware of with
    > allowing SecureFTP/SSH through the firewall as one of the standard
    > pushes (read knee jerk reactions) against this appears to be that
    > another port is opened on the firewall?

    > 1. I have worked in a lot of different organizations where VPN seems to
    > be the norm for everyone even where the only requirement is file transfer

    > 2. My belief is that this is because the organization does not
    > appreciate the implications of allowing non-employees access to the
    > internal network and does not understand that SecureFTP is an
    > appropriate solution

    > 3. I understand that SSH is a great opportunity for tunneling attacks if
    > an exploit is discovered, but I feel that it is possible to manage
    > this exposure through the existence of a DMZ based bastion host, rather
    > than providing external people with access to the VPN.
    > Comments appreciated.
    > Chris
    firewall-wizards mailing list
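The two controls Victor describes (an sftp-server login shell, and a jail the contractor cannot leave) can be audited rather than assumed. The following is an added example, not code from the thread or from OpenSSH: it runs over constructed sample data in POSIX shell, lists group members whose login shell would still give them an interactive session, and checks an sshd_config Match block for the restrictions a modern OpenSSH needs (ChrootDirectory, ForceCommand internal-sftp, forwarding disabled) so an SFTP-only account cannot become the tunnel Chris is worried about. The group name sftponly, gid 1001, account names and paths are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit SFTP-only accounts for
# (1) an interactive login shell and (2) a weak sshd_config Match block.
# All data below is constructed sample input, not taken from any real host.

SAMPLE_PASSWD='webvendor:x:1001:1001::/srv/sftp/webvendor:/usr/lib/openssh/sftp-server
contractor2:x:1002:1001::/home/contractor2:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash'

# Weak: forces sftp but leaves the user unjailed and able to forward ports.
WEAK_CFG='Subsystem sftp /usr/lib/openssh/sftp-server
Match Group sftponly
    ForceCommand internal-sftp'

# Hardened: jailed, sftp-only, no TCP/X11/tun forwarding through the session.
HARDENED_CFG='Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no'

# interactive_shell_accounts PASSWD GID: members of GID whose shell is not sftp-server
interactive_shell_accounts() {
    printf '%s\n' "$1" | awk -F: -v gid="$2" '$4==gid && $7 !~ /sftp-server$/ { print $1 }'
}

# match_block CONFIG GROUP: print the directives inside "Match Group GROUP"
match_block() {
    printf '%s\n' "$1" | awk -v grp="$2" '
        tolower($1)=="match" { inblock = (tolower($2)=="group" && $3==grp); next }
        inblock { print }'
}

# has_directive BLOCK KEY [VALUE]: succeed if BLOCK sets KEY (to VALUE when given)
has_directive() {
    printf '%s\n' "$1" | awk -v k="$2" -v v="$3" '
        tolower($1)==tolower(k) && (v=="" || $2==v) { found=1 }
        END { exit !found }'
}

# audit_sftp_group CONFIG GROUP: print each missing directive; fail if any is missing
audit_sftp_group() {
    block=$(match_block "$1" "$2")
    [ -n "$block" ] || { echo "Match Group $2 (no such block)"; return 1; }
    rc=0
    for req in "ForceCommand internal-sftp" "ChrootDirectory" \
               "AllowTcpForwarding no" "X11Forwarding no" "PermitTunnel no"; do
        key=${req%% *}; val=${req#* }; [ "$val" = "$req" ] && val=""
        has_directive "$block" "$key" "$val" || { echo "$req"; rc=1; }
    done
    return $rc
}

interactive_shell_accounts "$SAMPLE_PASSWD" 1001        # contractor2 still gets a shell
audit_sftp_group "$WEAK_CFG" sftponly || echo "weak config fails audit"
```

ChrootDirectory only takes effect if every component of the path is root-owned and not writable by anyone else; otherwise sshd refuses the login rather than jailing it.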
